Critical Infrastructure Must Soon Report Cyber Incidents to CISA Immediately
In March, President Biden signed the “Cyber Incident Reporting for Critical Infrastructure Act” (CIRCIA) into law. CIRCIA applies to the Critical Infrastructure Sector, which includes entities that are “vital to the United States” and whose incapacitation or destruction would have an adverse effect on national security, the economy, or public health and safety. Entities subject to these requirements (Covered Entities) are those which operate in certain sectors of the economy such as, chemical manufacturing, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial, food, government facilities, healthcare, information technology, nuclear energy, transportation, and water systems.
Many of CIRCIA’s requirements fall to the Cybersecurity and Infrastructure Agency (CISA), which is an agency of the Department of Homeland Security (DHS). Under CIRCIA, CISA acts as a central hub for information gathering and dissemination in efforts to combat cybersecurity threats to critical infrastructure. CIRCA requires, among other things, the following:
- That Covered Entities alert CISA of a cyber incident within 72 hours from the time the entity reasonably believes an incident has occurred;
- Any federal entity that receives notice of a security incident must share it with CISA within 24 hours;
- DHS must establish an intergovernmental Cyber Incident Reporting Council to harmonize federal incident reporting requirements;
Ransomware is also addressed under CIRCIA. CISA is required to develop regulations that will require any critical infrastructure entity to report ransomware payment within 24 hours; establish a ransomware vulnerability warning program to notify system owners when a vulnerability, which could adversely affect the system owners is detected; and develop a joint ransomware task force.
CISA is presently working to implement such regulations. Since September 21, CISA has engaged in “public listening sessions” across the U.S. Written comments may also be submitted through the Federal eRulemaking Portal with a deadline of November 14. CIRCIA requires CISA to publish a Notice of Proposed Rulemaking within 24 months, but no later than March 2024, and implement final rules no later than September 2025. More information about the rulemaking process is available on the CISA website here.
CISA and FBI Working to Protect Water Infrastructure with EPA
The Biden administration is focused on fortifying critical infrastructure against the threat of cybersecurity attacks, including the nation’s public water system. CISA is working with the Environmental Protection Agency (EPA) to improve the public water sector’s readiness in light of increasing threats to the water supply, which could pose a risk to national security and health.
The Infrastructure Investment and Jobs Act (the Act, effective November 15, 2021) requires the EPA to coordinate with CISA and the FBI to develop a support plan for public water systems. EPA is directed to identify public water systems that, if adversely impacted by a cyber event, could impact the health and safety of the public. According to the EPA, there are approximately 148,000 public water systems in the U.S. at present. In August, the EPA signaled that it would issue a mandate requiring states to inspect approximately 1,600 water systems for cybersecurity threats under the agency’s authority granted by the Safe Drinking Water Act of 2018 (SDWA). CISA and the EPA intend to provide guidance, technology, and support for local water suppliers to improve cyber-resiliency.
In August, the EPA provided a report to Congress (here) describing its plan and prioritization framework for addressing the cybersecurity needs of the public water system. The EPA is still in the rulemaking stage with respect to its mandate to the states, which has been complicated by staffing shortages at the EPA and challenges to the agency’s statutory authority in light of the Supreme Court’s decision in West Virginia v. EPA last June. At the bare minimum, the EPA is expected to issue an “implementation memo” as early as this fall, which is expected to lay the groundwork for the EPA’s plan to combat cybersecurity risk.
FERC Implementing Incentives for Cybersecurity Investment
Under the Act, Congress directed the Federal Energy Regulatory Commission (FERC) to implement regulations, which incentivize shareholders to invest in advanced cybersecurity technology and participate in sharing of cyber-threat information. The Act requires FERC to implement a framework for utilities to obtain incentives for investments that increase utility cyber-resiliency. On September 22, FERC took the first step in establishing those rules by issuing a Notice of Proposed Rulemaking.
The notice seeks comment regarding expenditures that would be eligible for the cybersecurity incentive, including capital investments and participation in the threat-sharing program; expenditures that would appear on an established pre-qualified list of eligible expenditures that qualify for the incentives; and the types of incentives that would be offered to participants. Incentives are expected to cover expenditures related to training costs for new cyber-practices; costs associated with audits and assessments; software licensing costs; and expenditures related to sharing of cyber threat information with others. Any utility that receives such an incentive is expected to make an informational filing each year on June 1, which details the investments made and the amount of the expenditure.
FERC commissioners are questioning the wisdom of a voluntary-participation program in lieu of mandatory cybersecurity requirements, but acknowledge that mandatory requirements would take much longer to implement.
The comment period expires on November 7, and reply comments are due no later than November 21.
The regulatory cybersecurity landscape for critical infrastructure and utility operators is changing rapidly to meet the increased threats that cybersecurity attacks present to the national security, health, and safety. The federal government appears to be taking an approach that utilizes both a carrot and a stick. Stakeholders in critical infrastructure and public utilities must be prepared to respond to new regulations and should consider taking advantage of public incentives to modernize operations and improve cyber defenses. Policies and procedures must be updated to comport with new federal requirements.
Troutman Pepper closely monitors this space and stands ready to counsel clients in connection with the rapidly evolving environment.