November 16, 2021

Infrastructure Investment and Jobs Act: Cybersecurity Impacts on the Energy Sector

Key Takeaways

  • The November 15 signing of the Biden administration’s bipartisan $1 trillion Infrastructure Investment and Jobs Act offers a prime opportunity to review the legislation, which brings a significant reinvestment in America’s energy infrastructure and an opportunity for many in the energy sector.
  • Service providers hoping to benefit from the act’s substantial funding must be keenly aware of the cybersecurity requirements it implements, as they offer both potential opportunities for the prepared and potential pitfalls for the unwary.

The November 15 signing of the Biden administration's bipartisan $1 trillion Infrastructure Investment and Jobs Act offers a prime opportunity to review the legislation, which brings a significant reinvestment in America's energy infrastructure and an opportunity for many in the energy sector. Unsurprisingly, following the SolarWinds Orion compromise and the ransomware attack on the Colonial Pipeline, cybersecurity features centrally in the act's provisions.

Service providers hoping to benefit from the act's substantial funding must be keenly aware of the cybersecurity requirements it implements, as they offer both potential opportunities for the prepared and potential pitfalls for the unwary. Although it would be impossible to analyze the full impact of the cybersecurity provisions here, we hope to highlight key aspects that warrant your further attention.

Cybersecurity Plans

One of the key cybersecurity provisions of the Infrastructure Investment and Jobs Act is its imposition of cybersecurity requirements as a potential precondition to receive federal funds. These requirements include submission of a cybersecurity plan demonstrating that the applicant has a mature cybersecurity program and a plan for maintaining cybersecurity throughout the life of the project. The plan will require detailed descriptions of how cybersecurity will be maintained, how ongoing risk evaluations will be conducted, how vulnerabilities or compromises will be reported and how Department of Energy cybersecurity programs will be leveraged.

These requirements create an urgent need for utilities, contractors and suppliers to ensure that they have robust cybersecurity mechanisms in place. The best way to do this is through regular risk assessments identifying gaps in technical, administrative and physical security. These assessments should be overseen by outside counsel so that potential security gaps and liabilities can be identified and rectified in a privileged manner before it becomes necessary to demonstrate that cybersecurity maturity to potential clients or funders.

Application of Cybersecurity Standards

The act further cements the centrality of two key cybersecurity models, the DOE's Cybersecurity Capability Maturity Model and the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. Both models provide a procedural framework for evaluating an organization's cybersecurity, conducting risk assessments and targeting future improvements. The act, however, makes these previously voluntary standards the default and requires documentation of any deviations, establishing their central role in discussions of cybersecurity going forward.

Continued Reporting

Perhaps the most significant change that we anticipate is the focus on continued evaluation and patching of cybersecurity risks. The cybersecurity plans that may be required under the act call for ongoing evaluation and threat reporting, and the act provides a route to compliance by establishing a "voluntary" reporting program, encompassing:

  1. Product testing,
  2. A vulnerability reporting process,
  3. Technical assistance to close vulnerabilities,
  4. Biennial reviews of tested products and analysis of how they respond to and mitigate threats, and
  5. Development of procurement guidance.

These ongoing requirements create an extended service obligation for vendors and contractors, which we anticipate may be filled by the original manufacturers and suppliers of equipment, by operations and maintenance contractors or by other third-party vendors. We also anticipate that, with increased and extended cybersecurity scrutiny, suppliers and contractors will face increased litigation risks as more vulnerabilities are identified and required to be corrected. Such reporting processes will also expose suppliers to potential compromise of intellectual property or the potential harm of inaccurate threat assessments.

Funding Opportunity

Although the Infrastructure Investment and Jobs Act imposes significant additional obligations on the energy industry, it also provides significant opportunities for growth through rate-based cybersecurity incentives, $250 million in grants and technical assistance for rural and municipal utilities and $250 million in grants for enhanced power grid security.

This funding creates massive opportunities for those with the cybersecurity infrastructure in place to satisfy the act's requirements. We also note, however, concern that the added requirements connected to this funding may disadvantage smaller businesses, including women- and minority-owned business enterprises, that have not yet developed cybersecurity maturity, potentially forcing partnerships with more mature actors or reliance on external cybersecurity resources.

Key Takeaways

Cybersecurity requirements are not new to the energy sector, but the act significantly expands their application, creating both risks and opportunities for the energy industry. We encourage industry participants to begin thinking proactively about the act's impacts, how best to position themselves to take part in government-funded projects subject to those requirements and what risks might lurk within these provisions.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
