Cyber and Physical Attacks on the Electric Grid Should Prompt New … – Data Law Insights

This has not been a joyful winter for energy industry executives. They have repeatedly awoken to alerts that substations in the Northwest and Southeast have been physically attacked and that a major engineering firm was the subject of a ransomware cyberattack that may have compromised utility data.
Federal regulators are taking notice. On December 7, the Federal Energy Regulatory Commission (FERC) and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) held a joint technical conference to discuss supply chain risk management in light of increasing threats to the Bulk Power System. Multiple government participants identified the possible need to normalize the use of software bill of materials and hardware bill of materials in the electric industry. Several days later, FERC directed the North American Electric Reliability Corporation (NERC) to re-examine its Physical Security Reliability Standard, CIP-014-1. Congress, for its part, responded to growing cybersecurity threats to energy infrastructure by increasing CESER’s budget by almost 7.5% in the recent omnibus appropriations bill and appropriating $20 million for the Cyber Testing for Resilient Industrial Control Systems program.
Cybersecurity attacks on distributed energy resources (DERs) including electric vehicles are also proliferating. In its recent report, Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid, CESER identified the cybersecurity threat to DER operators, vendors, developers, owners and aggregators as posing a significant and growing risk. The Department of Energy will also soon release a report, mandated by Congress in the Infrastructure Investment and Jobs Act, identifying policies and procedures for enhancing the physical and cybersecurity of distributed resources and the electric distribution system.
The recent physical and cybersecurity incidents targeting critical infrastructure have exposed significant vulnerabilities at some companies, and both customers and the federal government are pushing the private sector to mitigate those threats as a condition for doing business. The federal government, in particular, expects its private sector partners to adopt better security hygiene, assess supply chain risks, and prepare for quick responses to incidents, including rapid notifications to customers, regulators and the public. Here are some best practices for energy sector companies to have on their radar for 2023:
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.
Tyler O’Connor is an energy litigator and public policy leader in Crowell & Moring’s Washington, D.C. office, where he represents clients in the courts, in arbitration forums, and before federal agencies.
Prior to joining Crowell, Tyler served as the Energy Counsel to the House Energy and Commerce Committee, where he played a leading role in drafting the Inflation Reduction Act (IRA) and Infrastructure Investment and Jobs Act (IIJA). He was the lead House lawyer responsible for the Federal Power Act and Natural Gas Act and worked extensively on transmission, energy cybersecurity, and energy supply chain issues. His work brought him into frequent contact with senior administration officials, including at the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC), as well as congressional leadership. As the staffer responsible for emerging technologies, including hydrogen and offshore wind, as well as the Loan Programs Office, Tyler has been at the center of energy policy discussions.
Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.
Matthew B. Welling is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the firm’s Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.
Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.
Michael G. Gruden is an associate in Crowell & Moring’s Washington, D.C. office where he is a member of the firm’s Government Contracts and Privacy & Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.
Welcome to our Data Law Insights blog, CrowellDataLaw.com. We focus on a broad spectrum of privacy, e-discovery, cybersecurity, data protection, and information governance issues. Our goal is to provide fresh insights not just on where the law has gone, with new decisions, new laws, new rules, trends, and other developments, but also on where the law looks to be going and where it should go, at least in our view. We bring deep knowledge of standards and principles emerging from the courts, government agencies, and other authorities and integrate our litigation, antitrust, white collar, health care, government contracts, labor and employment, intellectual property, and corporate capabilities to address the most relevant, important, and practical issues, policies, and strategies.
