Critical infrastructure has been the focus of several recent US cyber readiness initiatives, although the results have left a patchwork of regulations that may be enforced differently across sectors and federal agencies. As an example, in March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA“), which will require critical infrastructure organizations to report cyber incidents and ransom payments to the US Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and 24 hours, respectively. However, the electric grid is already required to report cyber incidents to the Department of Energy (DoE) via the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection Plan. CIRCIA potentially creates ambiguity for electric grid reporting and the role of the DoE. As a result, on February 24, 2023, the House Committee on Energy, Climate, and Grid Security began considering the revived Critical Electric Infrastructure Cybersecurity Incident Reporting Act (HR 1160). If passed, this bill would direct the US Secretary of Energy to put forth regulations that require electric and related electricity infrastructure companies to report cybersecurity incidents to the DoE; however, it’s not clear if they will also continue to be required to report under NERC or CIRCIA.
HR 1160 follows a relatively recent but growing focus on cybersecurity risks to critical infrastructure systems, both in the US and globally, including in the EU and China. CISA designates 16 critical infrastructure sectors, defined as those whose assets, systems and networks, whether physical or virtual, are considered so vital to the US that their incapacitation or destruction would have a debilitating effect on security, economic security, public health or safety.
CIRCIA was signed into law in March 2022, but is not yet in effect, as it must first go through the rulemaking process. Once effective, critical infrastructure entities will be required to report certain cyber incidents within 72 hours and ransomware payments within 24 hours to CISA.
Last week, the White House announced its National Cybersecurity Strategy that, among other things, prioritizes the defense and safety of critical infrastructure and essential services. One day later, the Environmental Protection Agency (EPA) issued a memorandum ordering states to conduct cybersecurity audits and reviews of their drinking water systems (which are considered critical infrastructure) and to report cybersecurity threats to such systems.
If HR 1160 passes as currently written, the DoE will have the power to promulgate regulations defining cybersecurity incidents and requirements for reporting such incidents to the DoE, likely no later than 24 hours after discovery. However, it is not clear if entities subject to the proposed law would also still be subject to NERC regulations or how they will be treated under CIRCIA.
The chart below provides a brief overview of the current landscape of enacted and proposed legislation at the intersection of critical infrastructure and cybersecurity.
|Cyber incident reporting timeline
|HR 1160 (proposed)
|Owners, operators, and users of critical electric infrastructure
|Within 24 hours of discovery: notification regarding such cybersecurity incident (detailed requirements regarding the contents of notification unspecified and likely to be determined by rulemaking)
|Balancing authorities, distribution providers, generator owners and operators, reliability coordinators, transmission owners and operators
|DoE (through NERC)
|Within one hour of discovery: provide notification
By the end of the calendar day, following the determination of an attempt to compromise a Bulk Electric System Cyber System, Electronic Security Perimeter or Electronic Access Control or Monitoring System: provide notification
Within seven days: provide any updates to attribute information
|Entities in any of the 16 critical infrastructure sectors listed in Presidential Policy Directive 21, although rulemaking process will further define covered entities
|Within 72 hours: Covered entity must report any covered cyber incident.
Within 24 hours: Covered entity must report any ransomware payment.
Implications and next steps
Companies in critical infrastructure sectors should begin preparing for these requirements by:
- Evaluating cybersecurity programs and assessing any gaps and vulnerabilities in cyber incident preparedness
- Developing and implementing cyber incident reporting mechanisms. Companies should understand the reporting requirements at the state and federal levels in the US, and other requirements outside of the US, and implement protocols accordingly.