Earlier today, the Senate Energy and Natural Resources unanimously approved the "Grid Cyber Security Act", a somewhat amended version of the bill it approved last session but was never brought to the Senate floor for a vote. The bill now goes to Senate Majority Leader Harry Reid, who may opt to fold it into a more comprehensive cybersecurity bill he hopes to bring to the Floor later this summer.
Meanwhile, the House Subcommittee on Energy and Power of the Energy and Commerce Committee plans a hearing next Tuesday, May 31, on its own version of the bill whose language is based on the GRID Act passed unanimously last year by the House.
Under the provisions of the Senate bill, FERC jurisdiction would be expanded to include distribution in addition to generation and transmission systems and assets deemed "critical electric infrastructure [CEI]," defned as "so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety."
Within 120 days of enactment, FERC is directed to review current standards to determine their adequacy to mitigate cyber vulnerabilities. Due in part to criticisms that the NERC CIP standards setting process is too slow, the bill would impose a 180 day deadline for NERC to propose revisions to those standards that FERC finds wanting, or develop a new standard to address new vulnerabilities identified by FERC. Reasonable time extensions will be granted, but the bill is silent on penalities if the deadline is not met.
