[House Report 111-493] [From the U.S. Government Publishing Office] 111th Congress Report HOUSE OF REPRESENTATIVES 2d Session 111-493 ====================================================================== GRID RELIABILITY AND INFRASTRUCTURE DEFENSE ACT _______ May 25, 2010.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. Waxman, from the Committee on Energy and Commerce, submitted the following R E P O R T [To accompany H.R. 5026] [Including cost estimate of the Congressional Budget Office] The Committee on Energy and Commerce, to whom was referred the bill (H.R. 5026) to amend the Federal Power Act to protect the bulk-power system and electric infrastructure critical to the defense of the United States from cybersecurity and other threats and vulnerabilities, having considered the same, report favorably thereon with amendments and recommend that the bill as amended do pass. CONTENTS Page Amendment........................................................ 2 Purpose and Summary.............................................. 6 Background and Need for Legislation.............................. 7 Legislative History.............................................. 11 Committee Consideration.......................................... 11 Committee Votes.................................................. 11 Committee Oversight Findings and Recommendations................. 14 New Budget Authority, Entitlement Authority, and Tax Expenditures 14 Statement of General Performance Goals and Objectives............ 14 Constitutional Authority Statement............................... 14 Earmarks and Tax and Tariff Benefits............................. 14 Advisory Committee Statement..................................... 14 Applicability of Law to Legislative Branch....................... 14 Federal Mandates Statement....................................... 14 Committee Cost Estimate.......................................... 14 Congressional Budget Office Estimate............................. 15 Section-by-Section Analysis of the Legislation................... 20 Changes in Existing Law Made by the Bill, as Reported............ 23 Amendment The amendments are as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Grid Reliability and Infrastructure Defense Act'' or the ``GRID Act''. SEC. 2. AMENDMENT TO THE FEDERAL POWER ACT. (a) Critical Electric Infrastructure Security.--Part II of the Federal Power Act (16 U.S.C. 824 et seq.) is amended by adding after section 215 the following new section: ``SEC. 215A. CRITICAL ELECTRIC INFRASTRUCTURE SECURITY. ``(a) Definitions.--For purposes of this section: ``(1) Bulk-power system; electric reliability organization; regional entity.--The terms `bulk-power system', `Electric Reliability Organization', and `regional entity' have the meanings given such terms in paragraphs (1), (2), and (7) of section 215(a), respectively. ``(2) Defense critical electric infrastructure.--The term `defense critical electric infrastructure' means any infrastructure located in the United States (including the territories) used for the generation, transmission, or distribution of electric energy that-- ``(A) is not part of the bulk-power system; and ``(B) serves a facility designated by the President pursuant to subsection (d)(1), but is not owned or operated by the owner or operator of such facility. ``(3) Defense critical electric infrastructure vulnerability.--The term `defense critical electric infrastructure vulnerability' means a weakness in defense critical electric infrastructure that, in the event of a malicious act using electronic communication or an electromagnetic pulse, would pose a substantial risk of disruption of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of defense critical electric infrastructure. ``(4) Electromagnetic pulse.--The term `electromagnetic pulse' means 1 or more pulses of electromagnetic energy emitted by a device capable of disabling, disrupting, or destroying electronic equipment by means of such a pulse. ``(5) Geomagnetic storm.--The term `geomagnetic storm' means a temporary disturbance of the Earth's magnetic field resulting from solar activity. ``(6) Grid security threat.--The term `grid security threat' means a substantial likelihood of-- ``(A)(i) a malicious act using electronic communication or an electromagnetic pulse, or a geomagnetic storm event, that could disrupt the operation of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of the bulk-power system or of defense critical electric infrastructure; and ``(ii) disruption of the operation of such devices or networks, with significant adverse effects on the reliability of the bulk-power system or of defense critical electric infrastructure, as a result of such act or event; or ``(B)(i) a direct physical attack on the bulk-power system or on defense critical electric infrastructure; and ``(ii) significant adverse effects on the reliability of the bulk-power system or of defense critical electric infrastructure as a result of such physical attack. ``(7) Grid security vulnerability.--The term `grid security vulnerability' means a weakness that, in the event of a malicious act using electronic communication or an electromagnetic pulse, would pose a substantial risk of disruption to the operation of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of the bulk-power system. ``(8) Large transformer.--The term `large transformer' means an electric transformer that is part of the bulk-power system. ``(9) Protected information.--The term `protected information' means information, other than classified national security information, designated as protected information by the Commission under subsection (e)(2)-- ``(A) that was developed or submitted in connection with the implementation of this section; ``(B) that specifically discusses grid security threats, grid security vulnerabilities, defense critical electric infrastructure vulnerabilities, or plans, procedures, or measures to address such threats or vulnerabilities; and ``(C) the unauthorized disclosure of which could be used in a malicious manner to impair the reliability of the bulk-power system or of defense critical electric infrastructure. ``(10) Secretary.--The term `Secretary' means the Secretary of Energy. ``(11) Security.--The definition of `security' in section 3(16) shall not apply to the provisions in this section. ``(b) Emergency Response Measures.-- ``(1) Authority to address grid security threats.--Whenever the President issues and provides to the Commission (either directly or through the Secretary) a written directive or determination identifying an imminent grid security threat, the Commission may, with or without notice, hearing, or report, issue such orders for emergency measures as are necessary in its judgment to protect the reliability of the bulk-power system or of defense critical electric infrastructure against such threat. As soon as practicable but not later than 180 days after the date of enactment of this section, the Commission shall, after notice and opportunity for comment, establish rules of procedure that ensure that such authority can be exercised expeditiously. ``(2) Notification of congress.--Whenever the President issues and provides to the Commission (either directly or through the Secretary) a written directive or determination under paragraph (1), the President (or the Secretary, as the case may be) shall promptly notify congressional committees of relevant jurisdiction, including the Committee on Energy and Commerce of the House of Representatives and the Committee on Energy and Natural Resources of the Senate, of the contents of, and justification for, such directive or determination. ``(3) Consultation.--Before issuing an order for emergency measures under paragraph (1), the Commission shall, to the extent practicable in light of the nature of the grid security threat and the urgency of the need for such emergency measures, consult with appropriate governmental authorities in Canada and Mexico, entities described in paragraph (4), the Secretary, and other appropriate Federal agencies regarding implementation of such emergency measures. ``(4) Application.--An order for emergency measures under this subsection may apply to-- ``(A) the Electric Reliability Organization; ``(B) a regional entity; or ``(C) any owner, user, or operator of the bulk-power system or of defense critical electric infrastructure within the United States. ``(5) Discontinuance.--The Commission shall issue an order discontinuing any emergency measures ordered under this subsection, effective not later than 30 days after the earliest of the following: ``(A) The date upon which the President issues and provides to the Commission (either directly or through the Secretary) a written directive or determination that the grid security threat identified under paragraph (1) no longer exists. ``(B) The date upon which the Commission issues a written determination that the emergency measures are no longer needed to address the grid security threat identified under paragraph (1), including by means of Commission approval of a reliability standard under section 215 that the Commission determines adequately addresses such threat. ``(C) The date that is 1 year after the issuance of an order under paragraph (1). ``(6) Cost recovery.--If the Commission determines that owners, operators, or users of the bulk-power system or of defense critical electric infrastructure have incurred substantial costs to comply with an order under this subsection and that such costs were prudently incurred and cannot reasonably be recovered through regulated rates or market prices for the electric energy or services sold by such owners, operators, or users, the Commission shall, after notice and an opportunity for comment, establish a mechanism that permits such owners, operators, or users to recover such costs. ``(c) Measures to Address Grid Security Vulnerabilities.-- ``(1) Commission authority.--If the Commission, in consultation with appropriate Federal agencies, identifies a grid security vulnerability that the Commission determines has not adequately been addressed through a reliability standard developed and approved under section 215, the Commission shall, after notice and opportunity for comment and after consultation with the Secretary, other appropriate Federal agencies, and appropriate governmental authorities in Canada and Mexico, promulgate a rule or issue an order requiring implementation, by any owner, operator, or user of the bulk-power system in the United States, of measures to protect the bulk-power system against such vulnerability. Before promulgating a rule or issuing an order under this paragraph, the Commission shall, to the extent practicable in light of the urgency of the need for action to address the grid security vulnerability, request and consider recommendations from the Electric Reliability Organization regarding such rule or order. The Commission may establish an appropriate deadline for the submission of such recommendations. ``(2) Certain existing cybersecurity vulnerabilities.--Not later than 180 days after the date of enactment of this section, the Commission shall, after notice and opportunity for comment and after consultation with the Secretary, other appropriate Federal agencies, and appropriate governmental authorities in Canada and Mexico, promulgate a rule or issue an order requiring the implementation, by any owner, user, or operator of the bulk-power system in the United States, of such measures as are necessary to protect the bulk-power system against the vulnerabilities identified in the June 21, 2007, communication to certain `Electricity Sector Owners and Operators' from the North American Electric Reliability Corporation, acting in its capacity as the Electricity Sector Information and Analysis Center. ``(3) Rescission.--The Commission shall approve a reliability standard developed under section 215 that addresses a grid security vulnerability that is the subject of a rule or order under paragraph (1) or (2), unless the Commission determines that such reliability standard does not adequately protect against such vulnerability or otherwise does not satisfy the requirements of section 215. Upon such approval, the Commission shall rescind the rule promulgated or order issued under paragraph (1) or (2) addressing such vulnerability, effective upon the effective date of the newly approved reliability standard. ``(4) Geomagnetic storms.--Not later than 1 year after the date of enactment of this section, the Commission shall, after notice and an opportunity for comment and after consultation with the Secretary and other appropriate Federal agencies, issue an order directing the Electric Reliability Organization to submit to the Commission for approval under section 215, not later than 1 year after the issuance of such order, reliability standards adequate to protect the bulk-power system from any reasonably foreseeable geomagnetic storm event. The Commission's order shall specify the nature and magnitude of the reasonably foreseeable events against which such standards must protect. Such standards shall appropriately balance the risks to the bulk-power system associated with such events, including any regional variation in such risks, and the costs of mitigating such risks. ``(5) Large transformer availability.--Not later than 1 year after the date of enactment of this section, the Commission shall, after notice and an opportunity for comment and after consultation with the Secretary and other appropriate Federal agencies, issue an order directing the Electric Reliability Organization to submit to the Commission for approval under section 215, not later than 1 year after the issuance of such order, reliability standards addressing availability of large transformers. Such standards shall require entities that own or operate large transformers to ensure, individually or jointly, adequate availability of large transformers to promptly restore the reliable operation of the bulk-power system in the event that any such transformer is destroyed or disabled as a result of a reasonably foreseeable physical or other attack or geomagnetic storm event. The Commission's order shall specify the nature and magnitude of the reasonably foreseeable attacks or events that shall provide the basis for such standards. Such standards shall-- ``(A) provide entities subject to the standards with the option of meeting such standards individually or jointly; and ``(B) appropriately balance the risks associated with a reasonably foreseeable attack or event, including any regional variation in such risks, and the costs of ensuring adequate availability of spare transformers. ``(d) Critical Defense Facilities.-- ``(1) Designation.--Not later than 180 days after the date of enactment of this section, the President shall designate, in a written directive or determination provided to the Commission, facilities located in the United States (including the territories) that are-- ``(A) critical to the defense of the United States; and ``(B) vulnerable to a disruption of the supply of electric energy provided to such facility by an external provider. The number of facilities designated by such directive or determination shall not exceed 100. The President may periodically revise the list of designated facilities through a subsequent written directive or determination provided to the Commission, provided that the total number of designated facilities at any time shall not exceed 100. ``(2) Commission authority.--If the Commission identifies a defense critical electric infrastructure vulnerability that the Commission, in consultation with owners and operators of any facility or facilities designated by the President pursuant to paragraph (1), determines has not adequately been addressed through measures undertaken by owners or operators of defense critical electric infrastructure, the Commission shall, after notice and an opportunity for comment and after consultation with the Secretary and other appropriate Federal agencies, promulgate a rule or issue an order requiring implementation, by any owner or operator of defense critical electric infrastructure, of measures to protect the defense critical electric infrastructure against such vulnerability. The Commission shall exempt from any such rule or order any specific defense critical electric infrastructure that the Commission determines already has been adequately protected against the identified vulnerability. The Commission shall make any such determination in consultation with the owner or operator of the facility designated by the President pursuant to paragraph (1) that relies upon such defense critical electric infrastructure. ``(3) Cost recovery.--An owner or operator of defense critical electric infrastructure shall be required to take measures under paragraph (2) only to the extent that the owners or operators of a facility or facilities designated by the President pursuant to paragraph (1) that rely upon such infrastructure agree to bear the full incremental costs of compliance with a rule promulgated or order issued under paragraph (2). ``(e) Protection of Information.-- ``(1) Prohibition of public disclosure of protected information.--Protected information-- ``(A) shall be exempt from disclosure under section 552(b)(3) of title 5, United States Code; and ``(B) shall not be made available pursuant to any State, local, or tribal law requiring disclosure of information or records. ``(2) Information sharing.-- ``(A) In general.--Consistent with the Controlled Unclassified Information framework established by the President, the Commission shall promulgate such regulations and issue such orders as necessary to designate protected information and to prohibit the unauthorized disclosure of such protected information. ``(B) Sharing of protected information.--The regulations promulgated and orders issued pursuant to subparagraph (A) shall provide standards for and facilitate the appropriate sharing of protected information with, between, and by Federal, State, local, and tribal authorities, the Electric Reliability Organization, regional entities, and owners, operators, and users of the bulk-power system in the United States and of defense critical electric infrastructure. In promulgating such regulations and issuing such orders, the Commission shall take account of the role of State commissions in reviewing the prudence and cost of investments within their respective jurisdictions. The Commission shall consult with appropriate Canadian and Mexican authorities to develop protocols for the sharing of protected information with, between, and by appropriate Canadian and Mexican authorities and owners, operators, and users of the bulk-power system outside the United States. ``(3) Submission of information to congress.--Nothing in this section shall permit or authorize the withholding of information from Congress, any committee or subcommittee thereof, or the Comptroller General. ``(4) Disclosure of non-protected information.--In implementing this section, the Commission shall protect from disclosure only the minimum amount of information necessary to protect the reliability of the bulk-power system and of defense critical electric infrastructure. The Commission shall segregate protected information within documents and electronic communications, wherever feasible, to facilitate disclosure of information that is not designated as protected information. ``(5) Duration of designation.--Information may not be designated as protected information for longer than 5 years, unless specifically redesignated by the Commission. ``(6) Removal of designation.--The Commission may remove the designation of protected information, in whole or in part, from a document or electronic communication if the unauthorized disclosure of such information could no longer be used to impair the reliability of the bulk-power system or of defense critical electric infrastructure. ``(7) Judicial review of designations.--Notwithstanding subsection (f) of this section or section 313, a person or entity may seek judicial review of a determination by the Commission concerning the designation of protected information under this subsection exclusively in the district court of the United States in the district in which the complainant resides, or has his principal place of business, or in the District of Columbia. In such a case the court shall determine the matter de novo, and may examine the contents of documents or electronic communications designated as protected information in camera to determine whether such documents or any part thereof were improperly designated as protected information. The burden is on the Commission to sustain its designation. ``(f) Judicial Review.--The Commission shall act expeditiously to resolve all applications for rehearing of orders issued pursuant to this section that are filed under section 313(a). Any party seeking judicial review pursuant to section 313 of an order issued under this section may obtain such review only in the United States Court of Appeals for the District of Columbia Circuit. ``(g) Provision of Assistance to Industry in Meeting Grid Security Protection Needs.-- ``(1) Expertise and resources.--The Secretary shall establish a program, in consultation with other appropriate Federal agencies, to develop technical expertise in the protection of systems for the generation, transmission, and distribution of electric energy against geomagnetic storms or malicious acts using electronic communications or electromagnetic pulse that would pose a substantial risk of disruption to the operation of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of such systems. Such program shall include the identification and development of appropriate technical and electronic resources, including hardware, software, and system equipment. ``(2) Sharing expertise.--As appropriate, the Secretary shall offer to share technical expertise developed under the program under paragraph (1), through consultation and assistance, with owners, operators, or users of systems for the generation, transmission, or distribution of electric energy located in the United States and with State commissions. In offering such support, the Secretary shall assign higher priority to systems serving facilities designated by the President pursuant to subsection (d)(1) and other critical-infrastructure facilities, which the Secretary shall identify in consultation with the Commission and other appropriate Federal agencies. ``(3) Security clearances and communication.--The Secretary shall facilitate and, to the extent practicable, expedite the acquisition of adequate security clearances by key personnel of any entity subject to the requirements of this section to enable optimum communication with Federal agencies regarding grid security threats, grid security vulnerabilities, and defense critical electric infrastructure vulnerabilities. The Secretary, the Commission, and other appropriate Federal agencies shall, to the extent practicable and consistent with their obligations to protect classified and protected information, share timely actionable information regarding grid security threats, grid security vulnerabilities, and defense critical electric infrastructure vulnerabilities with appropriate key personnel of owners, operators, and users of the bulk-power system and of defense critical electric infrastructure.''. (b) Conforming Amendments.-- (1) Jurisdiction.--Section 201(b)(2) of the Federal Power Act (16 U.S.C. 824(b)(2)) is amended by inserting ``215A,'' after ``215,'' each place it appears. (2) Public utility.--Section 201(e) of the Federal Power Act (16 U.S.C. 824(e)) is amended by inserting ``215A,'' after ``215,''. Amend the title so as to read: A bill to amend the Federal Power Act to protect the bulk- power system and electric infrastructure critical to the defense of the United States against cybersecurity and other threats and vulnerabilities. Purpose and Summary H.R. 5026, the Grid Reliability and Infrastructure Defense Act, or ``GRID Act'', was introduced by Reps. Edward J. Markey (D-MA) and Fred Upton (R-MI) on April 14, 2010. The purpose of H.R. 5026 is to provide the Federal Energy Regulatory Commission with new authorities under the Federal Power Act to protect the electric grid against cybersecurity and other threats and vulnerabilities. Background and Need for Legislation The U.S. electric grid consists of interconnected transmission lines, local distribution systems to deliver electricity to end-users, generation facilities, and related communications systems. The bulk-power system in the United States and Canada has more than 200,000 miles of transmission lines, has more than 800,000 megawatts of generating capacity, is valued at over $1 trillion, and serves more than 300 million people.\1\ The components of the grid are highly interdependent, such that a line outage or system condition problems in one area can lead to reliability concerns in other areas. In addition, the operations controls over the transmission grid and generators are increasingly managed by computer systems (notably Supervisory Control and Data Acquisition, or SCADA, systems) linked to the Internet or other communications systems and to each other. The grid's increasing reliance on automation and two-way communications increases its vulnerability to remote cyber attacks. --------------------------------------------------------------------------- \1\U.S. Government Accountability Office, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, at 22 (Oct. 2007) (GAO-07-1036). --------------------------------------------------------------------------- Public reports relating to cyber vulnerabilities of and threats to the electric grid have increased in recent years and have been the subject of several hearings in the 110th and 111th Congresses. Especially noteworthy are reports on what is known as the ``Aurora'' vulnerability. In 2006, the Department of Homeland Security's Control Systems Security Program conducted an analysis--performed by the Department of Energy's Idaho National Laboratory--that came to be known as Aurora. This analysis demonstrated that an attacker could hack into the control system of an electric generator or other rotating equipment connected to the grid and throw the equipment out of phase, causing severe physical damage to the equipment. In addition, it has been reported that actors based in China, Russia, and other nations have conducted cyber ``probes'' of U.S. grid systems, and that cyber attacks have been conducted against critical infrastructure in other countries. Cyber attacks may create instant effects at very low cost, and are very difficult to positively attribute back to the attacker. These features could make such attacks attractive not only for criminal purposes, but also as a possible element of future national hostilities.\2\ Utilization of cyber attacks on civilian critical infrastructure has reportedly become an important element of Chinese military strategy.\3\ --------------------------------------------------------------------------- \2\U.S. Government Accountability Office, Cybersecurity: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats, at 4, Table 1 (Nov. 17, 2009) (GAO-10-230T). \3\Bryan Krekel et al., Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, prepared by Northrop Grumman Corporation for The US-China Economic and Security Review Commission, at 22-26 (Oct. 9, 2009). --------------------------------------------------------------------------- There also has been growing attention to physical vulnerabilities of the grid. For example, large transformers essential to the reliable operation of the grid are manufactured outside of the United States and replacement may require two years or longer. A limited number of spare, large transformers are available within the United States, and industry has developed a voluntary program (the spare transformer equipment program, or ``STEP'') providing for sharing of such assets in the event of a terrorist attack. A special subset of physical vulnerabilities and threats is associated with electromagnetic pulse (EMP), of which there are three general categories: (1) geomagnetic storms resulting from solar activity; (2) intentional electromagnetic interference from portable equipment that uses high-power radio frequency or microwave or other electromagnetic pulses to destroy or temporarily disable electronic equipment; and (3) EMP caused by a high-altitude detonation of a nuclear weapon. Solar coronal mass ejections emit electromagnetic particles that can disrupt the Earth's magnetic field. Such geomagnetic storms in turn can induce voltages in transmission lines, particularly in the northern-latitudes, which can damage electric transformers and other infrastructure. There are several historical examples of electric transformers being damaged or destroyed by geomagnetic storms, including the storms of 1859, 1921, and 1989. A recent National Academy of Sciences report estimated the effects of a geomagnetic storm of the magnitude of the 1921 storm on the current electrical grid, concluding that such a storm could cause permanent damage to more than 350 transformers, leaving as many as 130 million people without power. Impacts from a large geomagnetic storm could last for several years and cost in the range of several trillion dollars per year.\4\ --------------------------------------------------------------------------- \4\National Research Council, Severe Space Weather Events-- Understanding Societal and Economic Impacts, Workshop Report, Committee on the Societal and Economic Impacts of Severe Space Weather Events: A Workshop, at 77-79 (2008). --------------------------------------------------------------------------- Portable electromagnetic weapons can be used to disrupt or disable the control systems that operate the electric grid. Such weapons can vary in size from a hand-held device to a large vehicle-borne device, can be used at a distance from a target, and can penetrate walls or other obstacles--making detection and attribution of an attack to a specific source difficult. More than a dozen countries have conducted research on such weapons, and the Department of Defense (DOD) has demonstrated that such weapons can be developed with modest financial resources and technical capability. Such weapons have been used to defeat security systems, commit robberies, disable police communications, induce fires, and disrupt banking computers.\5\ --------------------------------------------------------------------------- \5\Technical Support Working Group and Directed Energy Technology Office, The Threat of Radio Frequency Weapons to Critical Infrastructure Facilities, at p. 1, 6-7 (Aug. 2005). --------------------------------------------------------------------------- In 2001, Congress established a commission to assess the threat of electromagnetic pulse from a high-altitude nuclear detonation, vulnerabilities of military and civilian infrastructure to such an attack, and the feasibility and cost of protecting such infrastructure. The commission issued a first report in 2004 and a second report in 2008. The 2004 report concluded that the risks from high-altitude EMP to the U.S. electric grid are substantial and recommended that measures be taken to protect high-value transmission assets that would require a long lead time to replace, key electric generation capability, and critical communication channels.\6\ --------------------------------------------------------------------------- \6\Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack: Volume 1: Executive Report, at pp. 17-23 (2004). --------------------------------------------------------------------------- The vulnerabilities of the electric grid present substantial risks to U.S. defense assets. A 2008 report by the Defense Science Board's Task Force on DOD Energy Strategy concluded that: critical missions . . . are almost entirely dependent on the national transmission grid. About 85% of the energy infrastructure upon which DoD depends is commercially owned, and 99% of the electric energy DoD installations consume originates outside the fence. . . . In most cases, neither the grid nor on-base backup power provides sufficient reliability to ensure continuity of critical national priority functions and oversight of strategic missions in the face of a long term (several months) outage.\7\ --------------------------------------------------------------------------- \7\Department of Defense, Report of the Defense Science Board Task Force on DoD Energy Strategy, More Fight--Less Fuel, at 18 (Feb. 2008). An October 2009 report by the Government Accountability Office concluded that of the Department of Defense's 34 most critical global assets, 31 of which rely on commercially operated electricity grids for their primary source of electricity.\8\ --------------------------------------------------------------------------- \8\U.S. Government Accountability Office, Defense Critical Infrastructure: Actions Needed to Improve the Identification and Management of Electrical Power Risks and Vulnerabilities to DOD Critical Assets (Oct. 2009) (GAO-10-147). --------------------------------------------------------------------------- All of the threats to and vulnerabilities of the U.S. electric grid described above have been addressed in multiple hearings in the 110th and 111th Congresses, both in the Subcommittee on Energy and Environment of the Committee on Energy and Commerce, as well as in other committees. In addition, these threats and vulnerabilities were the subject of classified briefings on grid security, provided jointly by multiple federal agencies to the members of the Committee on Energy and Commerce, during both the 110th Congress and the 111th Congress. Section 215 of the Federal Power Act, enacted as part of the Energy Policy Act of 2005, provides for the establishment of mandatory reliability standards for the bulk-power system, including standards addressing cybersecurity threats. Under section 215, the Federal Energy Regulatory Commission (FERC) has designated the North American Electric Reliability Corporation (NERC) as the electric reliability organization. NERC is responsible for proposing, for FERC review and approval, reliability standards to protect and enhance the reliability of the bulk-power system, including cybersecurity standards. NERC is a not-for-profit corporation, the principal members of which are owners, operators, and users of the bulk- power system. More than 1,800 different entities own or operate components of the bulk-power system that is subject to the NERC standard-setting process. NERC develops standards on an open basis through its standards committee, which is composed of member representatives. Approval of a reliability standard requires a quorum of 75% of the stakeholder ballot pool and support from a supermajority of at least two-thirds of the votes. The process of developing reliability standards is lengthy; for example, the critical infrastructure protection (CIP) standards approved by FERC in January 2008 took three years for NERC to develop. NERC procedures approved in February 2010 allow for an accelerated process for developing standards in case of a ``national security emergency situation,'' but these procedures have not yet been used.\9\ --------------------------------------------------------------------------- \9\North American Electric Reliability Corporation, Reliability Standards Development Procedure, Version 7 (Feb. 5, 2010). --------------------------------------------------------------------------- The Canadian and Mexican electric grids are directly linked to the U.S. bulk-power system, and Canadian (and to a lesser extent Mexican) utilities participate in NERC and have agreed to be subject to NERC-adopted standards. They are not, however, subject to FERC jurisdiction. Reliability standards developed by NERC and approved by FERC under section 215 apply to the users, owners, and operators of the bulk-power system and are mandatory and subject to enforcement by FERC with respect to U.S. entities. FERC cannot prescribe standards under section 215, but it has authority to direct NERC to develop standards or to modify existing standards. Importantly, the scope of these standards is limited by section 215's definition of the ``bulk-power system,'' which specifically excludes ``facilities used in the local distribution of electric energy.'' Accordingly, these standards do not apply to lower-voltage distribution facilities that normally serve critical defense facilities and other end- users of electricity. In addition, the provisions of section 215 do not apply to Alaska or Hawaii, where a number of important defense facilities are located. To date, FERC has approved nine CIP reliability standards developed by NERC. With regard to cybersecurity, the CIP standards address critical cyber asset identification, security management controls, personnel and training, electronic security perimeters, physical security of critical cyber assets, systems security management, incident reporting and response planning, and recovery plans for critical cyber assets. In approving these standards, FERC directed that NERC develop revised standards--including a first phase of high- priority modifications and a second phase. On September 30, 2009, FERC approved phase I of the modifications to the standards. The second phase is currently under development. With regard to malicious physical attacks on the bulk-power system, the sole NERC standard is one that requires reporting within industry and to government of disturbances or unusual occurrences, suspected or determined to be caused by sabotage. NERC's record with regard to grid security vulnerabilities and threats has raised concerns. For example, three years after the identification of the Aurora vulnerability discussed above, NERC still has not proposed any reliability standard directly addressing that vulnerability. In addition, NERC's current CIP standards apply only to ``critical assets and associated critical cyber assets,'' as self-identified by owners and operators of such assets. In a December 2008 NERC survey of self-certification of critical assets and critical cyber assets, only 31% of respondents to the survey, and only 29% of owners and operators of electric generation, identified even a single critical asset. Only 63% of transmission owners identified even a single critical asset. Consequently, a substantial proportion of bulk-power system assets are not actually covered by any CIP standard. NERC expressed its concern with these results in a letter to industry stakeholders dated April 7, 2009, but an April 2010 survey does not indicate any improvement in coverage. Finally, in testimony before the Committee, FERC raised concerns about whether NERC's open stakeholder process is capable of addressing rapidly emerging grid security vulnerabilities with sufficient speed and protection of sensitive information. Legislative History H.R. 2165, the Bulk Power System Protection Act of 2009, was introduced by Rep. John Barrow (with Reps. Henry A. Waxman and Edward J. Markey as co-sponsors) on April 29, 2009. On October 27, 2009, the Subcommittee on Energy and Environment held a legislative hearing on this bill and related legislation. In preparation for that hearing, the Subcommittee convened a classified briefing on grid security vulnerabilities and threats for members of the full Committee on Energy and Commerce and staff with appropriate clearances. After the hearing, the majority and minority staffs of the Subcommittee and full Committee joined in a bipartisan effort to develop grid security legislation. The results of this effort were embodied in a Committee print, considered in markup by the Subcommittee on Energy and Environment on March 24, 2010. The Subcommittee approved by voice vote the Committee print for consideration by the full Committee with the recommendation that the legislation pass. The text of H.R. 5026, which was introduced by Reps. Edward J. Markey and Fred Upton on April 14, 2010, is identical in substance to the text of the Committee print forwarded by the Subcommittee. On April 15, 2010, the Committee on Energy and Commerce held a markup to consider H.R. 5026 and, after approving a manager's amendment in the nature of a substitute by voice vote, unanimously agreed to a motion for final passage of the bill. Committee Consideration The Subcommittee on Energy and Environment met in open markup session on March 24, 2010, to consider a Committee Print dated March 22, 2010, on H.R. ___, to amend the Federal Power Act to protect the bulk-power system and electric infrastructure critical to the defense of the United States from cybersecurity and other threats and vulnerabilities. Subsequently, the Subcommittee approved the text of the Committee Print to be forwarded to the full Committee without amendments by a voice vote. H.R. 5026 was introduced on April 14, 2010, with the identical language of the Committee Print as approved by the Subcommittee, and was referred to the Committee on Energy and Commerce. The full Committee met in open markup session on April 15, 2010, to consider H.R. 5026. A manager's amendment by Mr. Waxman was adopted by a voice vote. Subsequently, the Committee ordered H.R. 5026 favorably reported to the House, amended, by a roll call vote of 47 yeas and 0 nays. Committee Votes Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the record votes on the motion to report legislation and amendments thereto. The Committee agreed to a motion by Mr. Waxman to order H.R. 5026 favorably reported to the House, amended, by a record vote of 47 yeas and 0 nays. The following is the recorded vote taken during Committee consideration, including the names of those Members voting for and against:Committee Oversight Findings and Recommendations In compliance with clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the findings and recommendations of the Committee are reflected in the descriptive portions of this report. New Budget Authority, Entitlement Authority, and Tax Expenditures Regarding compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee adopts as its own the estimate of budget authority and revenues regarding H.R. 5026 prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974. The Committee finds that H.R. 5026 would result in no new or increased entitlement authority or tax expenditures. Statement of General Performance Goals and Objectives In accordance with clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, the Committee's performance goals and objectives are reflected in the descriptive portions of this report. Constitutional Authority Statement Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee finds that the constitutional authority for H.R. 5026 is provided in Article I, section 8, clauses 3 and 18. Earmarks and Tax and Tariff Benefits H.R. 5026 does not contain any congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9 of rule XXI of the Rules of the House of Representatives. Advisory Committee Statement No advisory committees were created by H.R. 5026 within the meaning of section 5 U.S.C. App., 5(b) of the Federal Advisory Committee Act. Applicability of Law to the Legislative Branch The Committee finds that H.R. 5026 does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act of 1985. Federal Mandates Statement The Committee adopts as its own the estimates of federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandate Reform Act. Committee Cost Estimate Pursuant to clause 3(d) of rule XIII of the Rules of the House of Representatives, the Committee adopts as its own the cost estimate on H.R. 5026 prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act. Congressional Budget Office Estimate Pursuant to clause 3(c)(3) of rule XIII of the Rules of the House of Representatives, the following is the cost estimate on H.R. 5026 provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974: May 19, 2010. Hon. Henry A. Waxman, Chairman, Committee on Energy and Commerce, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 5026, the Grid Reliability and Infrastructure Defense Act. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Kathleen Gramp, Sincerely, Douglas W. Elmendorf. Enclosure. H.R. 5026--Grid Reliability and Infrastructure Defense Act Summary: H.R. 5026 would amend existing law regarding the regulation of electric power transmission facilities. Under current law, most of the standards governing the reliability of the bulk-power system are issued by the Electric Reliability Organization (ERO), subject to approval and enforcement by the Federal Energy Regulatory Commission (FERC). This bill would set deadlines for FERC to issue standards regarding the security of computer networks used in electric power transmission (known as cybersecurity) and other risks to the electric power transmission grid, subject to certain conditions. In addition, both FERC and ERO would be directed to ensure that utilities maintain adequate supplies of large electrical transformers and implement measures to protect their systems against geomagnetic storms (incidents involving solar radiation). Other provisions would authorize a new technical assistance program related to grid security and establish terms and procedures for responding to emergencies, protecting information, and identifying strategically important electric facilities. CBO estimates that implementing this bill would increase net direct spending by about $5 million over the 2011-2015 period and $40 million over the 2011-2020 period.\1\ Implementing the bill would increase discretionary spending by $219 million over the 2011-2015 period. CBO estimates that enacting this bill would not affect revenues. --------------------------------------------------------------------------- \1\Enacting H.R. 5026 would not increase direct spending over the 2010-2014 period and would increase direct spending by $33 million over the 2010-2019 period. --------------------------------------------------------------------------- Pay-as-you-go procedures apply because enacting the legislation would affect direct spending. H.R. 5026 would impose intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), on owners and operators of electric infrastructure and a private-sector mandate on ERO. Because of uncertainty about the number of entities affected, the scope of future regulations, and the implementation timeline, CBO cannot determine whether the aggregate cost of the mandates in the bill would exceed the annual thresholds established in UMRA for intergovernmental or private-sector mandates ($70 million and $141 million in 2010, respectively, adjusted annually for inflation). CBO has not reviewed a provision that would provide FERC with emergency authority to protect the electric transmission grid from security threats for intergovernmental or private- sector mandates. Section 4 of UMRA excludes from the application of that act any legislative provisions that are necessary for national security. CBO has determined that the provision falls within that exclusion. Estimated cost to the Federal Government: The estimated budgetary impact of H.R. 5026 is shown in the following table. The costs of this legislation fall within budget function 270 (energy). ---------------------------------------------------------------------------------------------------------------- By fiscal year, in millions of dollars-- ----------------------------------------------------------- 2011- 2011 2012 2013 2014 2015 2015 ---------------------------------------------------------------------------------------------------------------- CHANGES IN DIRECT SPENDING\1\ Estimated Budget Authority.......................... 0 0 0 0 5 5 Estimated Outlays................................... 0 0 0 0 5 5 CHANGES IN SPENDING SUBJECT TO APPROPRIATION Federal Power Agencies: Estimated Authorization Level................... 0 0 0 4 10 14 Estimated Outlays............................... 0 0 0 4 10 14 Department of Energy: Estimated Authorization Level................... 50 51 51 52 52 256 Estimated Outlays............................... 19 39 45 50 52 205 Total Changes: Estimated Authorization Level............... 50 51 51 56 62 270 Estimated Outlays........................... 19 39 45 54 62 219 ---------------------------------------------------------------------------------------------------------------- \1\CBO estimates that enacting the bill would increase direct spending by $40 million over the 2011-2020 period. Basis of estimate: For this estimate, CBO assumes that the legislation will be enacted near the end of fiscal year 2010, that the necessary funds will be appropriated each year, and that spending patterns will be consistent with historical trends for similar activities. Background Taken together, four federal agencies own and operate about 15 percent of the nation's electric power grid, providing much of the transmission service in certain regions of the country. Capital expenditures for the federally owned transmission grid totaled about $645 million in 2009. Most of those costs were incurred by the Tennessee Valley Authority (TVA) and Bonneville Power Administration (BPA). Spending by TVA and BPA affects direct spending because those agencies are authorized to collect and spend proceeds from the sale of electricity and to borrow funds to finance capital projects. In contrast, the Western Area Power Administration (WAPA) and Southwestern Power Administration (SWPA) rely on annual appropriations for capital investments in transmission reliability measures. Regardless of the method of financing, the federal power agencies are required by law to set electricity prices high enough to recoup capital investments over the useful life of the assets. CBO estimates that H.R. 5026 would increase both direct spending and spending subject to appropriation for additional capital investments by federal power agencies. CBO estimates that other provisions of the bill would further increase spending subject to appropriation. Additional capital spending by federal power agencies (Direct spending and spending subject to appropriation) The budgetary impacts of this legislation on the federal power agencies would depend on the scope and substance of future regulations that are developed to implement it. FERC and ERO would be directed to require utilities to address various threats, taking into consideration the likelihood of those events and the cost-effectiveness of any mitigation measures. Given the lead times involved in changing standards for electric utilities, CBO expects that most of the budgetary impacts resulting from those rules would occur after 2014 and would involve only modest changes in performance standards through 2020. Assuming appropriation of the necessary amounts, CBO estimates that implementing H.R. 5026 would increase discretionary spending by WAPA and SWPA by $14 million over the 2011-2015 period, and additional amounts thereafter. In addition, we estimate that additional capital spending by TVA and BPA would increase direct spending by about $40 million, net of recoveries from ratepayers, over the 2011-2020 period. Acquiring Additional Transformer Capacity. CBO expects that the regulations developed under this bill for large transformers would initially mirror the requirements of the industry's existing voluntary program for sharing spare transformers in the event of a terrorist attack. CBO estimates that complying with those benchmarks would have a negligible effect on spending by TVA, BPA, and SWPA because those agencies have sufficient spare transformers to meet the voluntary guidelines. In contrast, we estimate that WAPA would spend about $12 million over the 2011-2015 period to acquire additional transformers, assuming appropriation of the necessary amounts. Additional costs would occur after 2015 for WAPA. Costs for all of the agencies could be higher if the new rules require utilities to increase the number of spare transformers, which cost between $1 million and $15 million each. Mitigating Other Risks to Transmission Systems. Currently, there are no standards that address risks posed by natural or malicious disruptions to the grid, such as geomagnetic storms and electromagnetic pulses from weapons. As a result, CBO expects that directives addressing those threats would increase capital spending by the federal power agencies. Government reports have identified various actions that could be taken to mitigate those risks, with costs for the entire industry estimated to range from a few hundred million dollars (for example, for equipment that protects generators or transformers) to over a billion dollars (for example, for comprehensive strategies for the utility industry). For this estimate, CBO assumes that near-term measures would primarily involve small upgrades to equipment and facilities and would increase capital spending on bulk power facilities by less than 1 percent annually. On that basis, CBO estimates that those investments would increase net direct spending by TVA and BPA by about $40 million over the 2011-2020 period, and discretionary spending for WAPA and SWPA by about $2 million over the 2011-2015 period. Finally, CBO estimates that other provisions in the bill concerning the security of computer networks used by the federal power agencies would have a negligible budgetary impact because the new standards would be similar to those followed by federal agencies as a result of other statutory directives. Other impacts on spending subject to appropriation H.R. 5026 would direct the Secretary of Energy to establish a new technical assistance program related to grid security. According to the Department of Energy (DOE), the proposed program would build on existing efforts related to cybersecurity (currently funded at around $40 million annually) and would focus in particular on developing technologies to mitigate risks associated with geomagnetic storms or certain malicious acts. The bill would direct DOE to establish an outreach program to share expertise developed through those activities. Finally, H.R. 5026 would establish new requirements related to security clearances and sharing sensitive information on grid security among federal agencies. Based on information from DOE, CBO estimates that those activities would cost about $200 million over the 2011-2015 period, with additional spending occurring in later years. That estimate is based on the cost of similar programs and reflects historical spending patterns for activities related to research, development, and technical assistance. In addition, CBO expects that implementing H.R. 5026 would expand FERC's workload and increase the agency's administrative costs, which are controlled through annual appropriation acts. Because FERC recovers 100 percent of its costs through user fees, any such increases in its costs would be offset by an equal change in fees that the commission charges, resulting in no net budgetary impact. Pay-As-You-Go considerations: The Statutory Pay-As-You-Go Act of 2010 establishes budget reporting and enforcement procedures for legislation affecting direct spending or revenues. The net changes in outlays that are subject to those pay-as-you-go procedures are shown in the following table. CBO ESTIMATE OF PAY-AS-YOU-GO EFFECTS FOR H.R. 5026 AS ORDERED REPORTED BY THE HOUSE COMMITTEE ON ENERGY AND COMMERCE ON APRIL 15, 2010 -------------------------------------------------------------------------------------------------------------------------------------------------------- By fiscal year, in millions of dollars-- ------------------------------------------------------------------------------------------------------------- 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2010-2015 2010-2020 -------------------------------------------------------------------------------------------------------------------------------------------------------- NET INCREASE OR DECREASE (-) IN THE DEFICIT Statutory Pay-As-You-Go Impact............ 0 0 0 0 0 5 7 7 7 7 7 5 40 -------------------------------------------------------------------------------------------------------------------------------------------------------- Intergovernmental and private-sector impact: H.R. 5026 would impose intergovernmental and private-sector mandates, as defined in UMRA, on owners and operators of electric infrastructure and a private-sector mandate on the Electric Reliability Organization. Because of uncertainty about the number of entities affected, the scope of future regulations, and the implementation timeline, CBO cannot determine whether the aggregate cost of the mandates in the bill would exceed the annual thresholds established in UMRA for intergovernmental and private-sector mandates ($70 million and $141 million in 2010, respectively, adjusted annually for inflation). CBO has not reviewed a provision that would provide FERC with emergency authority to protect the electric transmission grid from security threats for intergovernmental or private- sector mandates. Section 4 of UMRA excludes from the application of that act any legislative provisions that are necessary for national security. CBO has interpreted that exclusion to encompass provisions dealing with activities that are immediately necessary to protect vital national security interests. CBO has determined that the provision dealing with emergency authority falls within the exclusion for national security. Mandates that apply to both public and private entities By requiring ERO and FERC to issue new standards to address vulnerabilities in the nation's energy grid, the bill would impose mandates on public and private owners and operators of electric infrastructure. The standards would address vulnerabilities related to cybersecurity, disruptions related to geomagnetic or electromagnetic events and unexpected losses of large transformers. Based on information from FERC and industry sources, the cost of complying with each of the mandates could equal tens of millions of dollars annually, depending on the scope and implementation timeline of future regulations. Because of those uncertainties, however, CBO cannot estimate the total costs of the mandates. Cybersecurity. The bill would require owners and operators of electric infrastructure to implement measures to mitigate the risk to the power grid from cybersecurity vulnerabilities. FERC would establish the standards for cybersecurity and implementation timelines after an assessment of current standards. Geomagnetic Storms and Electromagnetic Pulse Events. The bill would require owners and operators of electric infrastructure to protect against risks posed by natural or malicious disruptions to the grid resulting from geomagnetic storms or electromagnetic pulse events. Based on information from government reports, potential mitigation measures could involve significant capital investments in equipment and facilities. Large Transformers. The bill would require owners and operators of large transformers to maintain an adequate supply of spare transformers in order to restore the reliability of the power grid if any transformer is disabled. The number of spare transformers required by the bill would depend on future regulations. Mandate that applies to public entities only The bill would preempt state, local, and tribal laws relating to the disclosure of information or records. Those preemptions would be intergovernmental mandates as defined in UMRA, but CBO estimates that they would impose no duty on states that would result in additional spending. Mandate that applies to private entities only Under current law, FERC has the authority to require the ERO to develop reliability standards. The bill would impose a private-sector mandate by requiring ERO to develop standards earlier than it would have under current law. Based on information from ERO, CBO estimates that the cost to develop the standards would be small in relation to the annual threshold for private-sector mandates. Estimate prepared by: Federal Costs: Kathleen Gramp (federal power agencies), Megan Carroll (FERC, DOE); Impact on state, local, and tribal governments: Ryan Miller; Impact on the private sector: Amy Petz. Estimate approved by: Theresa Gullo, Deputy Assistant Director for Budget Analysis. Section-by-Section Analysis of the Legislation Section 1. Short title This section provides that the short title of the bill is the ``Grid Reliability and Infrastructure Defense Act'' or the ``GRID Act''. Section 2. Amendment to the Federal Power Act Subsection (a) of this section would amend the Federal Power Act to add a new section 215A, providing FERC new authorities to protect the electric grid against cyber and other threats and vulnerabilities, as well as from geomagnetic storms created by coronal mass ejections and other solar activity. Subsection (a) of the new section 215A provides a number of definitions. The definition of ``bulk-power system'' is the same as in the existing section 215 of the Federal Power Act. As a result, except with regard to electric infrastructure serving critical defense facilities, the new authorities established by the bill would extend to matters affecting the reliability of the ``bulk-power system''--providing the same coverage as the existing section 215 of the Federal Power Act, enacted as part of the Energy Policy Act of 2005, which provides authority to establish mandatory reliability standards for the bulk-power system. As the agency charged with administering section 215A, FERC has the authority to interpret this and the other definitions included in subsection (a). Subsection (b) of the new section 215A gives FERC authority to issue emergency orders to protect against a ``grid security threat,'' with or without notice, if the President notifies the Commission (either directly or through the Secretary of Energy) that an imminent ``grid security threat'' exists. The term ``imminent'' in this context means that the grid security threat is urgent, impending, or near at hand, but does not necessarily require that it be immediate in time. A grid security threat is defined under subsection (a) as a substantial likelihood of one of the following acts or events, provided there is a substantial likelihood the act or event would have a significant adverse effect on the reliability of the bulk-power system or of defense critical electric infrastructure:
a malicious act using electronic communication (i.e., a cyber attack) or an electromagnetic pulse (i.e., one or more pulses of electromagnetic energy, such as radio frequency or microwave, emitted by a device capable of disabling, disrupting, or destroying electronic equipment by means of such a pulse); a geomagnetic storm (i.e., a solar storm); or a direct physical attack on the bulk power infrastructure or on defense critical electric infrastructure. A malicious act ``using electronic communication'' is intended to refer to an act using the electronic communication as an actual vector for the attack (i.e., a cyber attack), as opposed to an act in which electronic communications are used only incidentally, such as the use of electronic communication to plan or execute a physical attack. Subsection (b) requires the President or Secretary of Energy to promptly notify the relevant congressional committees whenever the President provides a written directive or determination of a grid security threat to FERC under the subsection. Subsection (b) provides for the discontinuance of an order issued under this subsection whenever any of the following first occurs: the President determines the grid security threat no longer exists, FERC determines the emergency measures are no longer needed to protect against the threat, or one year elapses from the date the order was issued. Subsection (b) also provides FERC with authority to establish a mechanism for owners, operators, or users of the bulk-power system to recover prudently incurred costs of complying with an order under subsection (b) if FERC determines that such entities cannot otherwise recover such costs through market prices or rates. Nothing in this provision is intended to prevent or affect use of other existing mechanisms for the recovery of costs incurred in compliance with this subsection or the remainder of the new section 215A under existing procedures or mechanisms, whether under the Federal Power Act or state law. Subsection (c)(1) of the new section 215A provides FERC authority to promulgate a rule or issue an order, after notice and comment, requiring implementation of measures to protect against any ``grid security vulnerability'' that FERC determines has not been adequately addressed by a NERC reliability standard developed and approved under section 215. Subsection (a) defines a grid security vulnerability as a weakness that, in the event of a malicious act using electronic communication (i.e., a cyber attack) or an electromagnetic pulse, would pose a substantial risk of disruption to the operation of those electronic devices or communication networks that are essential to the reliability of the bulk-power system. Before promulgating a rule or issuing an order to address a grid security vulnerability under subsection (c)(1), FERC, to the extent practicable in light of the urgency of the need for action, is required to request and consider recommendations from NERC regarding such a rule or order. FERC may establish an appropriate deadline for NERC's submission of such recommendations. Subsection (c)(2) specifically requires FERC, within 180 days of enactment, to promulgate a rule or issue an order requiring measures to address the ``Aurora vulnerability'' to cyber attack that was identified three years ago. Subsection (c)(3) directs FERC to approve a proposed NERC reliability standard (under section 215) that addresses a grid security vulnerability identified under subsection (c)(1) or (c)(2) unless FERC determines that the NERC standard does not adequately protect against the vulnerability. If FERC approves a proposed NERC standard, the corresponding FERC rule or order must be rescinded. Subsection (c)(4) requires FERC to direct NERC to submit for approval a reliability standard under section 215 to protect the bulk-power system against geomagnetic storms. FERC is directed to identify the nature and magnitude of the reasonably foreseeable geomagnetic storm events against which the standards should protect, similar to the identification of a ``design basis threat.'' The standards must balance risks against the cost of protecting against those risks. Subsection (c)(5) requires FERC to direct NERC to submit for approval a reliability standard under section 215 to require adequate availability of large transformers to ensure the reliability of the bulk-power system in the event of a reasonably foreseeable physical or other attack or a geomagnetic storm. FERC is directed to identify the nature and magnitude of the attack or event against which the standard must protect, similar to the identification of a ``design basis threat.'' The standard must allow entities required to comply with the standard the option of complying either individually or jointly (e.g., through a spare transformer sharing program), and must balance risks against the cost of protecting against those risks. Subsection (d) of the new section 215A directs the President to designate not more than 100 facilities located in the United States that are critical to the defense of the United States and vulnerable to interruption of an external supply of electricity to the facility. The bill classifies electric infrastructure that is not part of the bulk-power system, that serves such a facility, and that is not owned or operated by the owner or operator of the designated facility, as ``defense critical electric infrastructure.'' If FERC, in consultation with the owner or operator of a designated critical facility, identifies a vulnerability in such infrastructure to a cyber attack or attack using an electromagnetic pulse that has not adequately been addressed, FERC has authority to promulgate a rule or issue an order, after notice and opportunity for comment, to require measures to protect such infrastructure. Infrastructure can be exempted from such rules or orders, on a case-by-case basis, if FERC, in consultation with the owner or operator of the designated critical facility, determines that such infrastructure is adequately protected. An owner or operator of defense critical electric infrastructure shall be required to take such required measures only to the extent that the owners or operators of a facility designated by the President that rely on such infrastructure agree to bear the full incremental costs of compliance with such a rule or order. Subsection (e) of the new section 215A addresses the treatment of ``protected information,'' defined as information designated as such by FERC that is not classified national security information; that was developed or submitted in connection with the implementation of this section; that specifically discusses grid security threats, grid security vulnerabilities, or defense critical electric infrastructure vulnerabilities, or plans, procedures or measures to address such threats or vulnerabilities; and the unauthorized disclosure of which could be used in a malicious manner to impair the reliability of the bulk power system. The bill exempts such information from disclosure under the Freedom of Information Act or under state, local, or tribal disclosure laws. The bill also requires FERC to promulgate regulations and issue orders necessary to designate protected information, prohibit unauthorized disclosure of such information, and facilitate appropriate sharing of such information with, between, and by governmental authorities, NERC, the regional reliability councils, and owners, operators, and users of the bulk-power system. Subsection (f) of the new section 215A provides that any party seeking judicial review of an order issued under this section pursuant to section 313 of the Federal Power Act may obtain such review exclusively in the U.S. Court of Appeals for the District of Columbia Circuit. Subsection (g) of the new section 215A directs the Secretary of Energy to develop technical expertise in the protection of the grid against attacks using electronic communication or electromagnetic pulse, and against geomagnetic storms, and to provide technical assistance in this area to owners, operators, and users of systems for the generation, transmission and distribution of electric energy--with priority given to systems serving critical defense and other critical- infrastructure facilities. The Secretary is directed to facilitate and, to the extent practicable, expedite acquisition of security clearances by key industry personnel to facilitate communication regarding grid security threats and vulnerabilities. In addition, the Secretary, FERC, and other federal authorities are directed, to the extent practicable, to share timely and actionable information regarding grid security threats and vulnerabilities and defense critical electric infrastructure vulnerabilities with appropriate key personnel of owners, operators, and users of the bulk-power system and defense critical electric infrastructure. Section 2(b) of the GRID Act makes conforming amendments to section 201 of the Federal Power Act. Changes in Existing Law Made by the Bill, as Reported In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in roman): FEDERAL POWER ACT * * * * * * * PART II--REGULATION OF ELECTRIC UTILITY COMPANIES ENGAGED IN INTERSTATE COMMERCE DECLARATION OF POLICY; APPLICATION OF PART; DEFINITIONS Section 201. (a) * * * (b)(1) * * * (2) Notwithstanding section 201(f), the provisions of sections 203(a)(2), 206(e), 210, 211, 211A, 212, 215, 215A, 216, 217, 218, 219, 220, 221, and 222 shall apply to the entities described in such provisions, and such entities shall be subject to the jurisdiction of the Commission for purposes of carrying out such provisions and for purposes of applying the enforcement authorities of this Act with respect to such provisions. Compliance with any order of the Commission under the provisions of section 203(a)(2), 206(e), 210, 211, 211A, 212, 215, 215A, 216, 217, 218, 219, 220, 221, or 222, shall not make an electric utility or other entity subject to the jurisdiction of the Commission for any purposes other than the purposes specified in the preceding sentence. * * * * * * * (e) The term ``public utility'' when used in this Part or in the Part next following means any person who owns or operates facilities subject to the jurisdiction of the Commission under this Part (other than facilities subject to such jurisdiction solely by reason of section 206(e), 206(f), 210, 211, 211A, 212, 215, 215A, 216, 217, 218, 219, 220, 221, or 222). * * * * * * * SEC. 215A. CRITICAL ELECTRIC INFRASTRUCTURE SECURITY. (a) Definitions.--For purposes of this section: (1) Bulk-power system; electric reliability organization; regional entity.--The terms ``bulk-power system'', ``Electric Reliability Organization'', and ``regional entity'' have the meanings given such terms in paragraphs (1), (2), and (7) of section 215(a), respectively. (2) Defense critical electric infrastructure.--The term ``defense critical electric infrastructure'' means any infrastructure located in the United States (including the territories) used for the generation, transmission, or distribution of electric energy that-- (A) is not part of the bulk-power system; and (B) serves a facility designated by the President pursuant to subsection (d)(1), but is not owned or operated by the owner or operator of such facility. (3) Defense critical electric infrastructure vulnerability.--The term ``defense critical electric infrastructure vulnerability'' means a weakness in defense critical electric infrastructure that, in the event of a malicious act using electronic communication or an electromagnetic pulse, would pose a substantial risk of disruption of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of defense critical electric infrastructure. (4) Electromagnetic pulse.--The term ``electromagnetic pulse'' means 1 or more pulses of electromagnetic energy emitted by a device capable of disabling, disrupting, or destroying electronic equipment by means of such a pulse. (5) Geomagnetic storm.--The term ``geomagnetic storm'' means a temporary disturbance of the Earth's magnetic field resulting from solar activity. (6) Grid security threat.--The term ``grid security threat'' means a substantial likelihood of-- (A)(i) a malicious act using electronic communication or an electromagnetic pulse, or a geomagnetic storm event, that could disrupt the operation of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of the bulk-power system or of defense critical electric infrastructure; and (ii) disruption of the operation of such devices or networks, with significant adverse effects on the reliability of the bulk-power system or of defense critical electric infrastructure, as a result of such act or event; or (B)(i) a direct physical attack on the bulk- power system or on defense critical electric infrastructure; and (ii) significant adverse effects on the reliability of the bulk-power system or of defense critical electric infrastructure as a result of such physical attack. (7) Grid security vulnerability.--The term ``grid security vulnerability'' means a weakness that, in the event of a malicious act using electronic communication or an electromagnetic pulse, would pose a substantial risk of disruption to the operation of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of the bulk-power system. (8) Large transformer.--The term ``large transformer'' means an electric transformer that is part of the bulk-power system. (9) Protected information.--The term ``protected information'' means information, other than classified national security information, designated as protected information by the Commission under subsection (e)(2)-- (A) that was developed or submitted in connection with the implementation of this section; (B) that specifically discusses grid security threats, grid security vulnerabilities, defense critical electric infrastructure vulnerabilities, or plans, procedures, or measures to address such threats or vulnerabilities; and (C) the unauthorized disclosure of which could be used in a malicious manner to impair the reliability of the bulk-power system or of defense critical electric infrastructure. (10) Secretary.--The term ``Secretary'' means the Secretary of Energy. (11) Security.--The definition of ``security'' in section 3(16) shall not apply to the provisions in this section. (b) Emergency Response Measures.-- (1) Authority to address grid security threats.-- Whenever the President issues and provides to the Commission (either directly or through the Secretary) a written directive or determination identifying an imminent grid security threat, the Commission may, with or without notice, hearing, or report, issue such orders for emergency measures as are necessary in its judgment to protect the reliability of the bulk-power system or of defense critical electric infrastructure against such threat. As soon as practicable but not later than 180 days after the date of enactment of this section, the Commission shall, after notice and opportunity for comment, establish rules of procedure that ensure that such authority can be exercised expeditiously. (2) Notification of congress.--Whenever the President issues and provides to the Commission (either directly or through the Secretary) a written directive or determination under paragraph (1), the President (or the Secretary, as the case may be) shall promptly notify congressional committees of relevant jurisdiction, including the Committee on Energy and Commerce of the House of Representatives and the Committee on Energy and Natural Resources of the Senate, of the contents of, and justification for, such directive or determination. (3) Consultation.--Before issuing an order for emergency measures under paragraph (1), the Commission shall, to the extent practicable in light of the nature of the grid security threat and the urgency of the need for such emergency measures, consult with appropriate governmental authorities in Canada and Mexico, entities described in paragraph (4), the Secretary, and other appropriate Federal agencies regarding implementation of such emergency measures. (4) Application.--An order for emergency measures under this subsection may apply to-- (A) the Electric Reliability Organization; (B) a regional entity; or (C) any owner, user, or operator of the bulk- power system or of defense critical electric infrastructure within the United States. (5) Discontinuance.--The Commission shall issue an order discontinuing any emergency measures ordered under this subsection, effective not later than 30 days after the earliest of the following: (A) The date upon which the President issues and provides to the Commission (either directly or through the Secretary) a written directive or determination that the grid security threat identified under paragraph (1) no longer exists. (B) The date upon which the Commission issues a written determination that the emergency measures are no longer needed to address the grid security threat identified under paragraph (1), including by means of Commission approval of a reliability standard under section 215 that the Commission determines adequately addresses such threat. (C) The date that is 1 year after the issuance of an order under paragraph (1). (6) Cost recovery.--If the Commission determines that owners, operators, or users of the bulk-power system or of defense critical electric infrastructure have incurred substantial costs to comply with an order under this subsection and that such costs were prudently incurred and cannot reasonably be recovered through regulated rates or market prices for the electric energy or services sold by such owners, operators, or users, the Commission shall, after notice and an opportunity for comment, establish a mechanism that permits such owners, operators, or users to recover such costs. (c) Measures to Address Grid Security Vulnerabilities.-- (1) Commission authority.--If the Commission, in consultation with appropriate Federal agencies, identifies a grid security vulnerability that the Commission determines has not adequately been addressed through a reliability standard developed and approved under section 215, the Commission shall, after notice and opportunity for comment and after consultation with the Secretary, other appropriate Federal agencies, and appropriate governmental authorities in Canada and Mexico, promulgate a rule or issue an order requiring implementation, by any owner, operator, or user of the bulk-power system in the United States, of measures to protect the bulk-power system against such vulnerability. Before promulgating a rule or issuing an order under this paragraph, the Commission shall, to the extent practicable in light of the urgency of the need for action to address the grid security vulnerability, request and consider recommendations from the Electric Reliability Organization regarding such rule or order. The Commission may establish an appropriate deadline for the submission of such recommendations. (2) Certain existing cybersecurity vulnerabilities.-- Not later than 180 days after the date of enactment of this section, the Commission shall, after notice and opportunity for comment and after consultation with the Secretary, other appropriate Federal agencies, and appropriate governmental authorities in Canada and Mexico, promulgate a rule or issue an order requiring the implementation, by any owner, user, or operator of the bulk-power system in the United States, of such measures as are necessary to protect the bulk-power system against the vulnerabilities identified in the June 21, 2007, communication to certain 'Electricity Sector Owners and Operators' from the North American Electric Reliability Corporation, acting in its capacity as the Electricity Sector Information and Analysis Center. (3) Rescission.--The Commission shall approve a reliability standard developed under section 215 that addresses a grid security vulnerability that is the subject of a rule or order under paragraph (1) or (2), unless the Commission determines that such reliability standard does not adequately protect against such vulnerability or otherwise does not satisfy the requirements of section 215. Upon such approval, the Commission shall rescind the rule promulgated or order issued under paragraph (1) or (2) addressing such vulnerability, effective upon the effective date of the newly approved reliability standard. (4) Geomagnetic storms.--Not later than 1 year after the date of enactment of this section, the Commission shall, after notice and an opportunity for comment and after consultation with the Secretary and other appropriate Federal agencies, issue an order directing the Electric Reliability Organization to submit to the Commission for approval under section 215, not later than 1 year after the issuance of such order, reliability standards adequate to protect the bulk- power system from any reasonably foreseeable geomagnetic storm event. The Commission's order shall specify the nature and magnitude of the reasonably foreseeable events against which such standards must protect. Such standards shall appropriately balance the risks to the bulk-power system associated with such events, including any regional variation in such risks, and the costs of mitigating such risks. (5) Large transformer availability.--Not later than 1 year after the date of enactment of this section, the Commission shall, after notice and an opportunity for comment and after consultation with the Secretary and other appropriate Federal agencies, issue an order directing the Electric Reliability Organization to submit to the Commission for approval under section 215, not later than 1 year after the issuance of such order, reliability standards addressing availability of large transformers. Such standards shall require entities that own or operate large transformers to ensure, individually or jointly, adequate availability of large transformers to promptly restore the reliable operation of the bulk-power system in the event that any such transformer is destroyed or disabled as a result of a reasonably foreseeable physical or other attack or geomagnetic storm event. The Commission's order shall specify the nature and magnitude of the reasonably foreseeable attacks or events that shall provide the basis for such standards. Such standards shall-- (A) provide entities subject to the standards with the option of meeting such standards individually or jointly; and (B) appropriately balance the risks associated with a reasonably foreseeable attack or event, including any regional variation in such risks, and the costs of ensuring adequate availability of spare transformers. (d) Critical Defense Facilities.-- (1) Designation.--Not later than 180 days after the date of enactment of this section, the President shall designate, in a written directive or determination provided to the Commission, facilities located in the United States (including the territories) that are-- (A) critical to the defense of the United States; and (B) vulnerable to a disruption of the supply of electric energy provided to such facility by an external provider. The number of facilities designated by such directive or determination shall not exceed 100. The President may periodically revise the list of designated facilities through a subsequent written directive or determination provided to the Commission, provided that the total number of designated facilities at any time shall not exceed 100. (2) Commission authority.--If the Commission identifies a defense critical electric infrastructure vulnerability that the Commission, in consultation with owners and operators of any facility or facilities designated by the President pursuant to paragraph (1), determines has not adequately been addressed through measures undertaken by owners or operators of defense critical electric infrastructure, the Commission shall, after notice and an opportunity for comment and after consultation with the Secretary and other appropriate Federal agencies, promulgate a rule or issue an order requiring implementation, by any owner or operator of defense critical electric infrastructure, of measures to protect the defense critical electric infrastructure against such vulnerability. The Commission shall exempt from any such rule or order any specific defense critical electric infrastructure that the Commission determines already has been adequately protected against the identified vulnerability. The Commission shall make any such determination in consultation with the owner or operator of the facility designated by the President pursuant to paragraph (1) that relies upon such defense critical electric infrastructure. (3) Cost recovery.--An owner or operator of defense critical electric infrastructure shall be required to take measures under paragraph (2) only to the extent that the owners or operators of a facility or facilities designated by the President pursuant to paragraph (1) that rely upon such infrastructure agree to bear the full incremental costs of compliance with a rule promulgated or order issued under paragraph (2). (e) Protection of Information.-- (1) Prohibition of public disclosure of protected information.--Protected information-- (A) shall be exempt from disclosure under section 552(b)(3) of title 5, United States Code; and (B) shall not be made available pursuant to any State, local, or tribal law requiring disclosure of information or records. (2) Information sharing.-- (A) In general.--Consistent with the Controlled Unclassified Information framework established by the President, the Commission shall promulgate such regulations and issue such orders as necessary to designate protected information and to prohibit the unauthorized disclosure of such protected information. (B) Sharing of protected information.--The regulations promulgated and orders issued pursuant to subparagraph (A) shall provide standards for and facilitate the appropriate sharing of protected information with, between, and by Federal, State, local, and tribal authorities, the Electric Reliability Organization, regional entities, and owners, operators, and users of the bulk-power system in the United States and of defense critical electric infrastructure. In promulgating such regulations and issuing such orders, the Commission shall take account of the role of State commissions in reviewing the prudence and cost of investments within their respective jurisdictions. The Commission shall consult with appropriate Canadian and Mexican authorities to develop protocols for the sharing of protected information with, between, and by appropriate Canadian and Mexican authorities and owners, operators, and users of the bulk-power system outside the United States. (3) Submission of information to congress.--Nothing in this section shall permit or authorize the withholding of information from Congress, any committee or subcommittee thereof, or the Comptroller General. (4) Disclosure of non-protected information.--In implementing this section, the Commission shall protect from disclosure only the minimum amount of information necessary to protect the reliability of the bulk-power system and of defense critical electric infrastructure. The Commission shall segregate protected information within documents and electronic communications, wherever feasible, to facilitate disclosure of information that is not designated as protected information. (5) Duration of designation.--Information may not be designated as protected information for longer than 5 years, unless specifically redesignated by the Commission. (6) Removal of designation.--The Commission may remove the designation of protected information, in whole or in part, from a document or electronic communication if the unauthorized disclosure of such information could no longer be used to impair the reliability of the bulk-power system or of defense critical electric infrastructure. (7) Judicial review of designations.--Notwithstanding subsection (f) of this section or section 313, a person or entity may seek judicial review of a determination by the Commission concerning the designation of protected information under this subsection exclusively in the district court of the United States in the district in which the complainant resides, or has his principal place of business, or in the District of Columbia. In such a case the court shall determine the matter de novo, and may examine the contents of documents or electronic communications designated as protected information in camera to determine whether such documents or any part thereof were improperly designated as protected information. The burden is on the Commission to sustain its designation. (f) Judicial Review.--The Commission shall act expeditiously to resolve all applications for rehearing of orders issued pursuant to this section that are filed under section 313(a). Any party seeking judicial review pursuant to section 313 of an order issued under this section may obtain such review only in the United States Court of Appeals for the District of Columbia Circuit. (g) Provision of Assistance to Industry in Meeting Grid Security Protection Needs.-- (1) Expertise and resources.--The Secretary shall establish a program, in consultation with other appropriate Federal agencies, to develop technical expertise in the protection of systems for the generation, transmission, and distribution of electric energy against geomagnetic storms or malicious acts using electronic communications or electromagnetic pulse that would pose a substantial risk of disruption to the operation of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of such systems. Such program shall include the identification and development of appropriate technical and electronic resources, including hardware, software, and system equipment. (2) Sharing expertise.--As appropriate, the Secretary shall offer to share technical expertise developed under the program under paragraph (1), through consultation and assistance, with owners, operators, or users of systems for the generation, transmission, or distribution of electric energy located in the United States and with State commissions. In offering such support, the Secretary shall assign higher priority to systems serving facilities designated by the President pursuant to subsection (d)(1) and other critical- infrastructure facilities, which the Secretary shall identify in consultation with the Commission and other appropriate Federal agencies. (3) Security clearances and communication.--The Secretary shall facilitate and, to the extent practicable, expedite the acquisition of adequate security clearances by key personnel of any entity subject to the requirements of this section to enable optimum communication with Federal agencies regarding grid security threats, grid security vulnerabilities, and defense critical electric infrastructure vulnerabilities. The Secretary, the Commission, and other appropriate Federal agencies shall, to the extent practicable and consistent with their obligations to protect classified and protected information, share timely actionable information regarding grid security threats, grid security vulnerabilities, and defense critical electric infrastructure vulnerabilities with appropriate key personnel of owners, operators, and users of the bulk-power system and of defense critical electric infrastructure. * * * * * * *