On February 14, 2019, FERC Chairman Neil Chatterjee testified alongside officials from the North American Electric Reliability Corporation, the Department of Energy (“DOE”), the National Guard, and an engineering firm at a hearing before the U.S. Senate Committee on Energy and Natural Resources (“Committee”) to consider cybersecurity efforts in the energy industry. In response to Senators’ questions about whether the natural gas industry should be subject to mandatory cyber security standards, a position the Chairman laid out in a June 2018 op-ed written with fellow FERC Commissioner Richard Glick, Chairman Chatterjee acknowledged that natural gas pipelines remain vulnerable to cyber-attacks and that it is imperative to continue work to address these threats. He made clear, however, that industry and government have made significant strides toward addressing the issue even without mandatory cybersecurity standards. Chairman Chatterjee assured the Committee that FERC is dedicated to protecting the energy sector from cyber threats and is ready to work with Congress and other agencies to bolster the nation’s cybersecurity posture.
In the June 2018 op-ed, Chatterjee and Glick pointed out that while FERC has authority to issue certificates for new interstate gas pipelines and to set their rates, the Transportation Security Administration (“TSA”) is charged with protecting these pipelines’ security. Unlike FERC, which enforces mandatory cybersecurity standards for the electric grid (known as Critical Infrastructure Protection Standards), TSA relies on voluntary cybersecurity standards to protect natural gas pipelines. As of May 2017, TSA had six full-time employees tasked with securing more than 2.7 million miles of natural gas, oil, and hazardous liquid pipelines across the country. “Given the high stakes, Congress should vest responsibility for pipeline security with an agency that fully comprehends the energy sector” and that has “the statutory authority, resources, and commitment to implement mandatory standards,” the op-ed concludes.
But when asked by members of the Committee on whether the natural gas industry should be subject to mandatory cybersecurity standards, Chairman Chatterjee stated that he was impressed by the voluntary steps of both industry and TSA to address the issue. In his prepared testimony, the Chairman stated, “I recently met with TSA Administrator David Pekoske to discuss pipeline cybersecurity and was impressed by his focus on this vital issue, as well as his pledge to take further action to improve TSA’s oversight of pipeline security.” In response to Senators’ questions, the Chairman indicated that voluntary best practices may be better suited than regulation to keep up with dynamic and fast-evolving cybersecurity threats. Chairman Chatterjee stated that FERC’s Office of Energy Infrastructure Security, which is responsible for engaging with industry, states, and other federal agencies to develop and promote voluntary best practices for critical infrastructure security, will continue to support and provide regulatory expertise to TSA.
Chairman Chatterjee’s testimony also addressed the evolution of mandatory reliability standards, the voluntary partnerships FERC has established with industry and other agencies, and highlighted an upcoming joint technical conference that FERC will co-host with the DOE on March 28, 2019, to discuss investments for cyber and physical security (see February 13, 2019 edition of the WER). When asked what pending legislation would be most helpful in addressing cybersecurity threats to the energy sector, Chairman Chatterjee pointed to S.406, which proposes to address the shortage in cybersecurity professionals by creating a rotational workforce program to allow government cyber experts to rotate to different federal agencies on detail assignments. The Chairman also encouraged the efforts of S.174, which proposes to establish a pilot program to identify security vulnerabilities in the energy sector.