Written By: Ronald L. Raether, Jr., Ashley L. Taylor, Jr., and Daniel Waltz
In March, President Biden signed the “Cyber Incident Reporting for Critical Infrastructure Act” (CIRCIA) into law. CIRCIA applies to the Critical Infrastructure Sector, which includes entities that are “vital to the United States” and whose incapacitation or destruction would have an adverse effect on national security, the economy, or public health and safety.
Entities subject to these requirements (Covered Entities) are those which operate in certain sectors of the economy such as chemical manufacturing, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial, food, government facilities, healthcare, information technology, nuclear energy, transportation, and water systems.
Many of CIRCIA’s requirements fall to the Cybersecurity and Infrastructure Security Agency (CISA), an agency of the Department of Homeland Security (DHS). Under CIRCIA, CISA acts as the central hub for gathering and disseminating information in efforts to combat cybersecurity threats to critical infrastructure. CIRCIA requires, among other things, the following:
- That Covered Entities report a covered cyber incident to CISA within 72 hours of the time the entity reasonably believes the incident has occurred;
- Any federal entity that receives notice of a security incident must share it with CISA within 24 hours;
- DHS must establish an intergovernmental Cyber Incident Reporting Council to harmonize federal incident reporting requirements.
Ransomware is also addressed under CIRCIA. CISA is required to develop regulations requiring Covered Entities to report any ransom payment made in response to a ransomware attack within 24 hours of the payment; to establish a ransomware vulnerability warning program that notifies system owners when a vulnerability that could adversely affect their systems is detected; and to establish a Joint Ransomware Task Force.
CISA is presently working to implement those regulations. Since September 21, CISA has held “public listening sessions” across the U.S., and written comments were due on November 14. CIRCIA requires CISA to publish a Notice of Proposed Rulemaking within 24 months of enactment (no later than March 2024) and to issue a final rule within 18 months after that (no later than September 2025). More information about the rulemaking process is available on the CISA website.
CISA and FBI Working to Protect Water Infrastructure with EPA
The Biden administration is focused on fortifying critical infrastructure against the threat of cybersecurity attacks, including the nation’s public water system. CISA is working with the Environmental Protection Agency (EPA) to improve the public water sector’s readiness in light of increasing threats to the water supply, which could pose a risk to national security and health.
The Infrastructure Investment and Jobs Act (the Act, signed November 15, 2021) requires the EPA to coordinate with CISA and the FBI to develop a technical cybersecurity support plan for public water systems. The EPA is directed to identify the public water systems that, if adversely impacted by a cyber incident, could affect the health and safety of the public, and to prioritize support for them.
According to the EPA, there are approximately 148,000 public water systems in the U.S. at present. In August, the EPA signaled that it would issue a mandate requiring states to evaluate cybersecurity at approximately 1,600 water systems as part of their sanitary surveys, relying on the agency’s authority under the Safe Drinking Water Act (SDWA), as amended in 2018. CISA and the EPA intend to provide guidance, technology, and support to help local water suppliers improve their cyber resiliency.
In August, the EPA provided a report to Congress describing its plan and prioritization framework for addressing the cybersecurity needs of public water systems. The EPA is still in the rulemaking stage with respect to its mandate to the states, a process complicated by staffing shortages at the agency and by challenges to its statutory authority following the Supreme Court’s decision in West Virginia v. EPA last June.
At a minimum, the EPA is expected to issue an “implementation memo” as early as this fall, laying the groundwork for the agency’s plan to address cybersecurity risk in the water sector.
FERC Implementing Incentives for Cybersecurity Investment
Under the Act, Congress directed the Federal Energy Regulatory Commission (FERC) to adopt regulations that incentivize public utilities to invest in advanced cybersecurity technology and to participate in cyber-threat information sharing. The Act requires FERC to establish a framework under which utilities can obtain incentive-based rate treatment for investments that increase their cyber resiliency. On September 22, FERC took the first step toward establishing those rules by issuing a Notice of Proposed Rulemaking.
The notice seeks comment on which expenditures would be eligible for the cybersecurity incentive, including capital investments and participation in the threat-sharing program; which expenditures would appear on an established pre-qualified list of eligible expenditures; and the types of incentives that would be offered to participants.
Incentives are expected to cover expenditures such as training costs for new cyber practices, costs of audits and assessments, software licensing costs, and costs of sharing cyber-threat information with others. A utility that receives an incentive would be expected to make an informational filing each year by June 1 detailing the investments made and the amount of each expenditure.
Some FERC commissioners have questioned the wisdom of a voluntary program in lieu of mandatory cybersecurity requirements, while acknowledging that mandatory requirements would take much longer to implement.
Takeaways for Critical Infrastructure
The regulatory cybersecurity landscape for critical infrastructure and utility operators is changing rapidly in response to the increasing threat that cyberattacks pose to national security, health, and safety. The federal government appears to be taking an approach that uses both a carrot and a stick: incentives for investment alongside mandatory reporting and inspection requirements.
Stakeholders in critical infrastructure and public utilities must be prepared to respond to new regulations and should consider taking advantage of public incentives to modernize operations and improve cyber defenses. Policies and procedures must be updated to comport with new federal requirements.
Troutman Pepper closely monitors this space and stands ready to counsel clients in connection with the rapidly evolving environment.
Troutman Pepper supports the mission of the Cyber Guild to continually advance cybersecurity by attracting diversity to all levels of the industry, unifying allies across the private and public sectors, and ensuring opportunities are as universal as talent. Other articles written by Troutman Pepper are available on the Cyber Guild site.
Ronald L. Raether, Jr. leads Troutman Pepper’s Privacy + Cyber team and is a partner in the firm’s Consumer Financial Services Practice Group. He has assisted companies in navigating federal and state privacy laws for more than twenty years. Ron’s understanding of technology led him to be involved in legal issues that cross normal law firm boundaries, including experience with data security, data privacy, patent, antitrust, and licensing & contracts. Ron is also a Certified Information Privacy Professional.
Ashley L. Taylor, Jr. is a partner in Troutman Pepper’s Regulatory Investigations, Strategy + Enforcement Practice Group with a primary focus on federal and state government regulatory and enforcement matters involving state Attorneys General, the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC).
He focuses his practice on consumer protection issues and defends companies against a variety of enforcement actions brought by the state and federal regulators and on claims including marketing and advertising representations, statutory disclosures, unfair or deceptive acts or practices, and data security breach response.
Daniel Waltz is an attorney in Troutman Pepper’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He represents his clients in federal and state courts, before administrative agencies, and in arbitration and mediation proceedings. He also provides guidance to clients navigating regulatory and compliance issues.
Daniel focuses his practice on the areas of cybersecurity, information privacy, and privacy breach response. He provides representation in connection with complex litigation involving BIPA, GLBA, HIPAA/HITECH, PIPA, and other related state and federal laws and regulations. Daniel also advises clients in connection with applicable laws and regulations to identify legal risks and implement best practices throughout all phases of the data-management lifecycle.