Bipartisan bill proposes $50M cyber threat analysis program for energy sector

Bipartisan legislation proposed in the Senate would allocate $50 million from fiscal year 2025 to 2029 to improve cyber security information sharing across the U.S. energy sector. Experts say the private sector would welcome the new initiative.

U.S. and Canadian electric grids face a growing threat from hackers and physical attacks, and greater communication, coordination and advance planning are required to counter them, officials at the North American Electric Reliability Corp. have warned.

The Energy Threat Analysis Program Act would authorize the U.S. Department of Energy’s Energy Threat Analysis Center to coordinate information sharing on threat assessments and mitigation measures between the DOE, the Cybersecurity and Infrastructure Security Agency, the intelligence community and the private sector.

The legislation was introduced by Sens. Jim Risch, R-Idaho, and John Hickenlooper, D-Colo., and has been referred to the Committee on Energy and Natural Resources.

“Increased risk of cyberattacks requires more diligent information sharing to effectively monitor and mitigate threats to America’s energy sector,” Risch said in a Thursday statement. The new legislation “will support these efforts and better protect the U.S. from future cyberattacks.”

According to the legislation, the energy threat analysis program aims to support public-private operational collaboration by developing “actionable operational information” relating to energy sector threats and offering threat mitigation advice and actions.

The new program will improve “understanding of national security risks associated with the energy sector that are or could be exploited by adversaries, including nation-states,” and achieve a deeper understanding “of the tactics, capabilities, and activities of threat actors that have the potential to impact systemic risks to the energy sector,” the legislation says.

The program would be directed by the Secretary of Energy, managed by the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response, and supported by its Office of Intelligence and Counterintelligence.

Energy storage and other distributed energy resources could be particularly vulnerable to cyberattack, security experts say.

“Our national security depends on a resilient and secure energy grid,” Hickenlooper said. “We need to address our vulnerabilities and modernize our grid to protect our energy future.”

The legislation “would be a welcome public/private partnership,” Chris Rouland, CEO of Phosphorus Cybersecurity, said in an email.

“Nation-states threat actors are actively targeting U.S. critical infrastructure,” Rouland said. “To reach true national cyber resilience, our government and private sector will need to come together and share information with the goal of reinforcing our critical infrastructure.”

“With new devices being introduced in areas like renewable energy, basic security compliance issues are still paramount, including password management and maintaining a regular patching cadence — which is not happening today,” Rouland warned.