Due to our increased reliance on digital networks and cyberspace, vulnerabilities that threaten the cyber security of the electric grid and the data privacy of its customers have been exposed. Through the Energy Policy Act of 2005, the electric industry was the first to be subject to mandatory and enforceable cyber security standards. These Critical Infrastructure Protection (CIP) Reliability Standards, as developed by the stakeholder-led development process of the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC), are potentially applicable to all users, owners and operators of the nation’s bulk power system. With each subsequent version of the CIP Reliability Standards, the scope of cyber assets subject to the protection of these mandatory and technically demanding standards has increased, as well as the level of protection. Duncan, Weinberg, Genzer & Pembroke regularly advises clients with respect to the NERC CIP Reliability Standards. (See DWGP’s
Recently, there has been extensive media coverage providing detailed accounts of breaches of cyber security with varying consequences. Despite the currently enforceable CIP Reliability Standards, cyber security in the electric industry has become subject to a heightened level of scrutiny given the grave consequences at stake and the vulnerabilities exposed by a variety of cyber attacks from Aurora and Stuxnet to Shellshock and Heartbleed. Further, with the increased national focus on cyber attacks generally, there have been a multitude of executive actions and legislative initiatives intended to maintain national security, economic prosperity, and civil liberties by reducing threats to the nation’s critical assets, including the bulk electric system, via cyber attacks. These initiatives are intended to supplement or supersede the NERC CIP Reliability Standards. In addition, DWGP actively monitors proposed legislation and executive action with respect to cyber security. For example, in February 2013, the President issued the Improving Critical Infrastructure Cybersecurity Executive Order. One year later, in February 2014, the National Institute of Standards and Technology (NIST) issued the much-anticipated Cybersecurity Framework, a framework designed to reduce cyber risks to critical infrastructure. The Framework consists of standards, guidelines, and practices (not specific to the electric sector) designed to protect critical infrastructure by minimizing any cybersecurity-related risk. Another recent Executive Order – Promoting Private Sector Cybersecurity Information Sharing – is an attempt to promote information sharing in order to allow entities to respond to cybersecurity risks and incidents in as close to real time as possible. The Firm closely follows these activities, advocates our clients’ positions, and advises our clients regarding best practices, trends, and potential regulation arising from these legislative and executive initiatives.
Duncan, Weinberg, Genzer & Pembroke helps implement solutions to protect electric utility and customer data, assisting clients in developing solutions that allow them to be security-minded, not just security compliant. In particular, DWGP offers strategic counsel to interpret and implement privacy regulations and standards, such as those administered by NIST, the North American Energy Standards Board (NAESB), the U.S. Department of Energy (DOE) and the Federal Communications Commission (FCC). (See DWGP’s Communications practice page.) The Firm offers assistance creating customer data management and privacy systems, including policies for electric utilities accountable for protecting customer data generated by advanced metering infrastructure.
Duncan, Weinberg, Genzer & Pembroke is experienced in navigating cyber security and privacy requirements to ensure compliance and customer protection for smart grid technology deployment. In the case where a data system is breached, we offer assistance in notifying customers and mitigating the harm, should data loss occur. Moreover, DWGP is fully equipped to provide client advocacy for state and federal policy on data protection and privacy.
Duncan, Weinberg, Genzer & Pembroke's services in the area of Cyber Security and Customer Privacy include:
- Compliance with NERC Critical Infrastructure Protection Reliability Standards
- Compliance with the DOE’s Data Privacy and the Smart Grid: A Voluntary Code of Conduct
- Advocacy before NERC, FERC, NIST, NAESB, DOE, and FCC, among other agencies and entities, regarding the development of cyber security standards, policies, guidelines, and practices
- Compliance with state and local consumer protection laws
- Compliance with the federal Electronic Communications Privacy Act
- Creation and maintenance of internal cyber security and privacy policies and programs
- Mitigation of data systems breach