Should the Dept. of Energy Ensure Natural Gas Pipelines’ Physical & Cybersecurity? (H.R. 370)

What is H.R. 370?

(Updated December 1, 2019)

This bill would require the Energy Secretary to carry out a program to ensure the physical and cybersecurity of natural gas pipelines, hazardous liquid pipelines, and liquified natural gas (LNG) facilities. The Energy Secretary would also be required to coordinate response and recovery between federal agencies, states, and the energy sector in response to physical and cyber incidents impacting the energy secretary. Additionally, Dept. of Energy (DOE) would coordinate efforts to develop advanced cybersecurity applications and technologies to protect these facilities and to perform pilot demonstration projects relating to these facilities’ physical and cybersecurity.

Argument in favor

The physical security and cybersecurity of America’s pipelines, liquefied natural gas facilities, and other critical energy infrastructure is a vital component of U.S. national security. This bipartisan bill would improve security in those areas.

Argument opposed

The Dept. of Homeland Security’s Transportation Security Administration (TSA) already has responsibility for pipeline security. There’s no need to give the Dept. of Energy responsibilities in that area.

Impact

Energy security; pipelines; Dept. of Energy; and the Energy Secretary.

Cost of H.R. 370

When this bill was introduced in the 115th Congress, the CBO estimated that implementing it would cost $86 million over the 2019-2023 period.

Additional Info

In-Depth: Rep. Fred Upton (R-MI) reintroduced this bill from the 115th Congress to require the DOE to undertake a variety of activities to improve the physical and cyber security of pipelines and LNG facilities:

“Since its inception, the Department of Energy (DOE) has performed a vital energy security mission to ensure the supply and delivery of fuels and power in emergencies. Over time, DOE has developed the information tools and technical capacity to respond to emergencies and develop advanced technologies to protect the nation’s energy infrastructure, especially against cyber threats. In recent years, Congress reemphasized DOE’s responsibility to respond to both physical and digital threats against our energy systems through the passage of the FAST Act of 2015. Of course, for DOE to effectively carry out its responsibilities, it must account for each interrelated segment of the nation’s energy infrastructure, including pipelines, which are subject to an array of other federal authorities. This is why I introduced the Pipeline and LNG Facility Cybersecurity Preparedness Act to address this issue. This legislation requires the Secretary of Energy to establish a program to improve cooperation between federal agencies, states, and industry in order to ensure the safe and dependable flow of energy across the United States. This will help boost both the physical resiliency and cybersecurity of energy pipelines and liquefied natural gas facilities. The threat of damage from a disaster or an attack on our energy infrastructure  is no longer a matter of ‘if,’ but ‘when.’ Congress must act swiftly to provide DOE with the tools it needs to enhance preparedness and protections of our energy systems. It is time to enact legislation that confronts these threats and improves the resiliency and reliability of our nation’s energy infrastructure.”

The Troutman Sanders Pipeline Practice group argues that current rules and regulations on pipeline security are insufficient:

“Both the electric utility industry and the oil and gas industry face increasing cyber threats from nation-states, criminals and terrorists.  While oil and gas pipelines and LNG facilities are subject to limited PHMSA regulations regarding physical security, there are no mandatory requirements regarding cybersecurity.  TSA Guidelines are designed to assist the industries in developing a reasonable security and cybersecurity plan that is sufficiently protective of its assets. While those requirements are only voluntary, they are nevertheless likely to be perceived as minimum best industry practices by insurance companies and in litigation.  For that reason, it is advisable for operators to review and consider any changes to their own plans and procedures. The promulgation of at least minimal security regulatory requirements may be worthy of consideration at this point, given the increase in both cybersecurity threats as well as pipeline sabotage, as well as which agency is best positioned to promulgate them.”

In the current Congress, this bill has one bipartisan cosponsor, Rep. David Loebsack (D-IA). In the 115th Congress, it passed the House Transportation Committee and placed on the House calendar, but never received a vote. In the previous Congress, it had one cosponsor, Rep. David Loebsack (D-IA).

Of Note: Currently, the Transportation Security Administration (TSA) within the Dept. of Homeland Security (DHS) is in charge of pipeline security. However, the Federal Energy Regulatory Commission (FERC) has argued that the DOE is better-positioned to impose mandatory cybersecurity requirements on pipelines and ensure their enforcement. Republican FERC commissioner Neil Chatterjee says, “A pipeline outage, which may be connected to eight or nine generators, poses far more significant consequences today than it did in the past.” Democratic FERC Commissioner Richard Glick also supports a bigger role for the DOE.

FERC Chairman Kevin McIntyre supports FERC moving toward cybersecurity actions related to pipelines “at some appropriate point in time,” but contends that “we’re just not there now.”

Media:

• Sponsoring Rep. Fred Upton (R-MI) OurEnergyPolicy.org Post

• CBO Cost Estimate

• Bloomberg BNA

• Countable (115th Congress)