Bulk Power System Protection Act of 2009 - Amends the Federal Power Act to require the Federal Energy Regulatory Commission (FERC) to establish measures to protect the bulk power system against cybersecurity threats resulting from: (1) vulnerabilities identified in the June 2007 communication to certain "Electricity Sector Owners and Operators" from the North American Electric Reliability Corporation; and (2) related remote access issues.
Authorizes FERC to issue orders for emergency protective measures if the President provides FERC with a determination that an imminent cybersecurity threat to the system exists.
Directs FERC to promulgate rules and procedures to prohibit the unauthorized disclosure of certain unclassified sensitive cybersecurity information.
Directs the Secretary of Energy to establish a program to develop expertise and identify technical and electronic resources helpful to cybersecurity protection of the electric grid and all electric systems, including distribution-level electric systems.
Requires Alaska, Hawaii, and Guam to prepare a comprehensive plan identifying emergency measures to be taken to protect the electric power supply of the national defense facilities located in such jurisdictions in the event of an imminent cybersecurity threat.
[Congressional Bills 111th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2165 Introduced in House (IH)]
111th CONGRESS
1st Session
H. R. 2165
To amend Part II of the Federal Power Act to address known
cybersecurity threats to the reliability of the bulk power system, and
to provide emergency authority to address future cybersecurity threats
to the reliability of the bulk power system, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 29, 2009
Mr. Barrow (for himself, Mr. Markey of Massachusetts, and Mr. Waxman)
introduced the following bill; which was referred to the Committee on
Energy and Commerce
_______________________________________________________________________
A BILL
To amend Part II of the Federal Power Act to address known
cybersecurity threats to the reliability of the bulk power system, and
to provide emergency authority to address future cybersecurity threats
to the reliability of the bulk power system, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Bulk Power System Protection Act of
2009''.
SEC. 2. FINDINGS.
The Congress finds that--
(1) it is in the public interest to require the Federal
Energy Regulatory Commission to promptly order measures to
address known cybersecurity threats to the reliability of the
electric bulk power system; and
(2) the Commission must have the necessary emergency
authority to respond promptly to future cybersecurity threats
that could compromise reliability of the bulk power system.
SEC. 3. PROTECTION OF BULK POWER SYSTEM FROM CYBERSECURITY THREATS.
(a) In General.--Part II of the Federal Power Act is amended by
adding the following new section after section 215:
``SEC. 215A. EMERGENCY AUTHORITY TO ADDRESS CYBERSECURITY THREATS TO
THE BULK POWER SYSTEM.
``(a) Definitions.--For purposes of this section:
``(1) The terms `reliability standard', `bulk power
system', `reliable operation', `cybersecurity incident',
`Electric Reliability Organization', `regional entity', and
`owners, users or operators' shall have the same meaning as
when used in section 215.
``(2) The term `cybersecurity threat' means that there is
credible information or evidence of--
``(A) a likelihood of a malicious act that could
disrupt the operation of those programmable electronic
devices and communications networks including hardware,
software and data that are essential to the reliable
operation of the bulk power system; and
``(B) a substantial possibility of disruption to
the operation of such devices and networks in the event
of such a malicious act.
``(3) Classified information.--The term `classified
information' means any information that has been determined
pursuant to Executive Order 12958, as amended, or successor
orders, or the Atomic Energy Act of 1954, to require protection
against unauthorized disclosure and that is so designated.
``(4) Sensitive cybersecurity information.--The term
`sensitive cybersecurity information' means unclassified
information that, if an unauthorized disclosure is made, could
be used in a malicious manner to impair the reliability or
operations of the bulk power system or the supply of
electricity to the bulk power system.
``(5) The term `Secretary' means the Secretary of Energy.
``(b) Interim Authority To Address Existing Cybersecurity
Threats.--
``(1) In general.--After notice and opportunity for
comment, and after consultation with appropriate governmental
authorities in Canada and Mexico (subject to adequate
protections against inappropriate disclosure of security-
sensitive information), the Commission shall establish, by rule
or order, within 120 days after enactment of this section, such
measures or actions as are necessary to protect the reliability
of the bulk power system against the cybersecurity threats
resulting from--
``(A) the vulnerabilities identified in the June
21, 2007, communication to certain `Electricity Sector
Owners and Operators' from the North American Electric
Reliability Corporation, acting in its capacity as the
Electricity Sector Information Sharing and Analysis
Center; and
``(B) related remote access issues.
Such measures or actions may be required of any owner, user, or
operator of the bulk power system within the United States.
``(2) Additional orders.--Until such time as the interim
reliability measures or actions ordered under this subsection
are replaced by cybersecurity reliability standards developed,
approved, and implemented pursuant to section 215, the
Commission may issue additional orders to supplement the
initial rule or order issued under this subsection only if,
based on subsequent information or petition from an affected
entity, the Commission determines that clarification or
refinements to the originally ordered measures or actions are
necessary to ensure that the threats are adequately and
appropriately addressed. Any such additional orders shall be
preceded by notice and opportunity for comment.
``(c) Future Emergencies Involving Imminent Cybersecurity
Threats.--
``(1) Authority to address imminent cybersecurity
threats.--Whenever the President issues and provides to the
Commission (either directly or through the Secretary) a written
directive or determination that an imminent cybersecurity
threat to the reliability of the bulk power system exists, the
Commission may on its own motion, with or without notice,
hearing, or report issue such orders for emergency measures or
actions as are necessary in its judgment to protect the
reliability of the bulk power system against such threat.
``(2) Consultation.--Before acting under this subsection,
to the extent feasible, taking into account the nature of the
threat and urgency of need for action, the Commission shall
consult with appropriate governmental authorities in Canada and
Mexico (subject to adequate protections against inappropriate
disclosure of security-sensitive information), entities
described in paragraph (3), and officials at other Federal
agencies, including the Secretary, as appropriate, regarding
implementation of measures or actions that will effectively
address the identified threat.
``(3) Application of emergency measures.--An order for
emergency actions or measures under this subsection may apply
to--
``(A) the Electric Reliability Organization
referred to in section 215,
``(B) a regional entity with respect to the United
States operations of the Electric Reliability
Organization,
``(C) the regional entity, or
``(D) any owner, user, or operator of the bulk
power system within the United States.
``(d) Discontinuance of Interim Measures.--The Commission shall
issue an order discontinuing any measures or actions ordered under
subsection (b) upon the earliest of the following:
``(1) When the President (either directly or through the
Secretary of Energy) issues a written order or directive
provided to the Commission to the effect that the threat to the
bulk power system that requires such measures or actions no
longer exists.
``(2) When the Commission determines in writing that the
ordered measures or actions are no longer needed to address the
identified threat.
``(3) When a reliability standard developed and approved
pursuant to section 215 is implemented to address the
identified threat.
``(4) One year after the issuance of an order under
subsection (b) unless the President (either directly or
through the Secretary) issues a determination affirming the
continuing nature of the threat. A determination issued under
this paragraph shall expire upon the implementation of a
standard under section 215 to address the identified threat.
The Commission shall issue such order to be effective within 30 days of
the relevant triggering event set out in paragraphs (1) through (4).
``(e) Discontinuance of Emergency Measures.--The Commission shall
issue an order discontinuing any measures or actions ordered under
subsection (c) upon the earliest of the following:
``(1) When the President (either directly or through the
Secretary of Energy) issues a written order or directive
provided to the Commission to the effect that the threat to the
bulk power system that requires such measures or actions no
longer exists.
``(2) When the Commission determines in writing that the
ordered measures or actions are no longer needed to address the
identified threat.
``(3) When a reliability standard developed and approved
pursuant to section 215 is implemented to address the
identified threat.
``(4) With respect to orders under subsection (c), one year
after the issuance of an order unless the President (either
directly or through the Secretary) issues a determination
reaffirming the continuing nature of the threat. A
determination issued under this paragraph shall expire upon the
implementation of a standard under section 215 to address the
identified threat.
The Commission shall issue such order to be effective within 30 days of
the relevant triggering event set out in paragraphs (1) through (4).
``(f) Protection of Unclassified Sensitive Cybersecurity
Information.--
``(1) Confidentiality procedures.--After notice and
opportunity for comment, the Commission shall promulgate rules
and procedures to prohibit the unauthorized disclosure of
unclassified sensitive cybersecurity information--
``(A) which was developed or used in connection
with the implementation of this section,
``(B) which specifically discusses cybersecurity
threats, vulnerabilities, mitigation plans or security
procedures, and
``(C) the unauthorized disclosure of which could be
used in a malicious manner to impair the reliability or
operations of the bulk power system or the supply of
electricity to the bulk power system.
Such rules and procedures shall require the inventory and
safeguarding of such information during its creation, storage
and transmittal by the Commission or by any other entity,
including any vendor, contractor or consultant.
``(2) Limited disclosure to entities subject to commission
action.--In the rules and procedures promulgated under
paragraph (1), the Commission shall authorize the release of
sensitive cybersecurity information to entities subject to
Commission action under this section and to their employees,
contractors and third-party representatives, to the extent
necessary to enable such entities to implement Commission
rules, orders or measures. Entities originating, receiving or
possessing such information shall comply with Commission rules
and procedures to limit disclosure of such information to any
other entities that have been determined to have a need to
know, have executed nondisclosure agreements, and have been
deemed by the entity to be trustworthy and reliable. Any entity
which signed such a nondisclosure agreement and was found by the
Commission or by another entity subject to this section to have
improperly disclosed sensitive cybersecurity information shall
thereafter be denied access to such information, and the
Commission shall suspend the ability of the entity disclosing such
information to appear before the Commission. The sanctions
under this paragraph against any individual or other entity
shall be in addition to, and not in lieu of, any other actions
the Commission is authorized to take pursuant to section 316A for
failure to comply with the rules or procedures established by
the Commission under this section. Information designated
sensitive cybersecurity information pursuant to this section
shall not be subject to disclosure under the Freedom of
Information Act (5 U.S.C. 552).
``(3) Limitations.--
``(A) The Commission shall consult with national
security or national intelligence agencies, as
appropriate, for purposes of designating certain
information as sensitive cybersecurity information, but
shall not designate as sensitive cybersecurity
information any information that has been classified by
another Federal agency.
``(B) Nothing in this section shall be construed to
authorize the withholding of information from the
committees of the Congress with jurisdiction over the
Commission or the Comptroller General.
``(C) In promulgating and implementing rules and
procedures under this section, the Commission shall
protect from disclosure only the minimum amount of
sensitive cybersecurity information necessary to
protect the reliability or operations of the bulk power
system or the supply of electricity to the bulk power
system. The Commission shall segregate sensitive
cybersecurity information within documents, electronic
communications, and rules, orders or records associated
with such rules and orders, wherever feasible, to
facilitate disclosure of information which is not
designated as sensitive cybersecurity information.
``(D) Information may not be designated as
sensitive cybersecurity information for longer than 10
years, unless specifically redesignated by the
Commission.
``(E) The Commission is authorized to remove the
designation of sensitive cybersecurity information, in
whole or in part, from a document or electronic
communication if the unauthorized disclosure could not
be used to impair the reliability or operations of the
bulk power system or the supply of electricity to the
bulk power system.
``(4) Consistency of markings.--The Commission is
authorized to place markings on documents, in whole or in part,
which designate the degree of sensitivity and limitations on
dissemination. Regulations and related procedures may be
modified, as appropriate, to ensure consistency with applicable
Executive Orders or laws pertaining to controlled unclassified
information.
``(5) Nondisclosure of sensitive cybersecurity information
in rules or orders.--If a rule or order issued pursuant to this
section contains sensitive cybersecurity information or if
information in the record associated with such rule or order
constitutes sensitive cybersecurity information, the Commission
may make the rule, order or information non-public in whole or
in part. The Commission may disclose such non-public rule,
order or information to entities other than the recipient of
the rule or order, as the Commission deems necessary, to carry
out the rule or order and protect the reliability of the bulk
power system.
``(6) Judicial review of designations.--Any determination
by the Commission concerning the designation of sensitive
cybersecurity information shall be subject to judicial review
pursuant to subsection (a)(4)(B) of section 552 of title 5 of
the United States Code.
``(g) Review.--The Commission shall act expeditiously to resolve
all applications for rehearing of orders issued pursuant to this
section which are filed under section 313(a). Any person or other
entity seeking judicial review pursuant to section 313 may obtain such
review only in the United States Court of Appeals for the District of
Columbia Circuit. In the case of any petition for review involving
rules or orders containing or relating to security-sensitive
information, the Commission and parties shall develop with the court
appropriate measures to ensure the confidentiality of such information,
including, but not limited to, court filings under seal or otherwise in
non-public form, or judicial review in camera.
``(h) Enforcement Discretion.--The Commission is authorized to
impose penalties pursuant to section 316A for any violation of a rule
or order of the Commission under this section. The Commission shall
exercise its discretion in engaging in enforcement actions under this
section to recognize good faith efforts to comply with directives of
the Commission.
``(i) Paperwork Reduction.--Chapter 35 of title 44, United States
Code (44 U.S.C. 3501 et seq.) (commonly referred to as the `Paperwork
Reduction Act') shall not apply to collections of information that
relate to measures or actions described in this section.
``(j) Provision of Assistance to Industry in Meeting Cybersecurity
Protection Needs.--
``(1) Expertise and resources.--The Secretary shall
establish a program to develop expertise and identify technical
and electronic resources, including hardware, software and
system equipment, helpful to cybersecurity protection of the
electric grid and all electric systems, including distribution-
level electric systems.
``(2) Sharing expertise.--The Secretary shall offer to
share such expertise through consultation and assistance with
any owner, operator, or user of the bulk power system, to any
owner or operator of an electricity distribution system located
in the United States whether or not connected to the bulk power
system, and specifically to any owner or operator of an
electricity distribution system that may provide electricity to
national defense and other critical-infrastructure facilities
of the United States.
``(3) Priority.--The Secretary shall consult with the
Commission, the Secretary of Defense, the Secretary of Homeland
Security, and other Federal agencies to confirm the identity of
States and electric systems serving such national defense and
critical-infrastructure facilities, and shall assign higher
priority to such States and systems in offering such support.
``(4) Clearances.--The Secretary shall facilitate the
acquisition by key security personnel of any electric entity
affected by this subsection of sufficient security clearances
to allow such personnel access to information that would enable
optimum understanding of cybersecurity threats and ability to
respond.
``(5) Defense facilities.--Within one year of the date of
enactment of this section, the States of Alaska and Hawaii and
the Territory of Guam shall prepare, in consultation with the
Secretary of Energy, the Secretary of Defense, and the electric
utilities that serve national defense facilities in those
jurisdictions, a comprehensive plan, to be implemented by the
relevant State and territorial governmental authorities,
identifying the emergency measures or actions that will be
taken to protect the reliability of the electric power supply
of the national defense facilities located in those
jurisdictions in the event of an imminent cybersecurity threat.
A copy of each such plan shall be provided to the Secretary of
Energy and the Secretary of Defense.''.
(b) Conforming Amendment.--Section 201(b)(2) of the Federal Power
Act is amended by inserting ``215A'' after ``215''.
Introduced in House
Referred to the House Committee on Energy and Commerce.
Referred to the Subcommittee on Energy and Environment.