Committee Leaders Call on Secretary Granholm to Fulfill DOE’s Duty to Lead Energy Cybersecurity

April 8, 2022

WASHINGTON, D.C. — Today, U.S. Senators John Barrasso (R-WY) and Joe Manchin (D-WV), along with U.S. Representatives Cathy McMorris Rodgers (R-WA) and Frank Pallone (D-NJ) sent a letter to the Secretary of Energy, Jennifer Granholm, calling on her to ensure the Department of Energy (DOE) remains the lead cybersecurity agency for the energy sector, as well as to ensure the Federal government does not impose duplicative cyber incident reporting requirements on the energy sector.

Barrasso and Manchin serve as ranking member and chairman of the Senate Committee on Energy and Natural Resources. McMorris Rodgers and Pallone serve as ranking member and chairman of the House Committee on Energy and Commerce. 

In the letter, the committee leaders stress the importance of energy sector and Federal government coordination in responding to increased cyber threats to energy infrastructure. It is more important than ever to protect critical infrastructure from cyber threats and to avoid inconsistent and duplicative requirements for private industry. 

Read the full letter here and below. 

Dear Secretary Granholm, 

We are writing to ask you to ensure that the Department of Energy (DOE) maintains its existing authority as the Sector Risk Management Agency (SRMA) for energy sector cybersecurity. Without your engagement and immediate attention, we are concerned that DOE’s role in helping to ensure energy sector cyber security will be diminished. 

In March, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“the Act”) as part of the Consolidated Appropriations Act of 2022. The Act establishes mandatory cyber intrusion reporting requirements for critical infrastructure companies, including companies in the energy sector. It also assigns responsibility for implementation to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). 

Given the increase of cyberattacks on energy infrastructure the ability to consolidate and share that information within the federal government to rapidly respond is vital. However, while the Act spells out CISA’s new obligations, DOE remains the lead agency for energy sector cybersecurity as established by law. As cyber threats increase, it is urgent that DOE fulfill its duty as the lead agency. DOE’s energy sector expertise and well-established partnerships with industry are critical in managing risk in today’s threat environment. We fully expect that DOE will discharge its lead cybersecurity and emergency response efforts for the energy sector in close coordination with DHS as it has done for years. 

Prior to the passage of the Act, electric utilities and other energy companies were required to report certain cyber incidents to DOE, the Federal Energy Regulatory Commission (FERC), state and local agencies, and the North American Electric Reliability Corporation (NERC). As CISA develops a rulemaking for reporting requirements under the Act, we ask you to work to maintain DOE’s role as the SRMA for the energy sector, as required by law. Further, we ask that you urge the Secretary of Homeland Security and other federal agencies to harmonize existing cyber incident reporting requirements for the energy sector with CISA’s forthcoming reporting requirements in order to provide clarity and consistency. 

Companies in the energy sector must focus their attention on maintaining cybersecurity and responding to cyber events. The federal government should act as a valuable partner in tracking and responding to cyber threats to critical infrastructure and avoid inconsistent and duplicative requirements. Establishing consistent reporting requirements is especially important now. As President Biden recently announced, the Russian government is “exploring options for potential cyberattacks” against critical infrastructure. 

Thank you in advance for your consideration and we look forward to your response.