In his testimony before the Energy and Commerce Committee, Duane Highley, President and CEO of Arkansas Electric Cooperative Corporation, told the Committee how the electric utility industry has worked with the North American Electric Reliability Corporation (NERC) to develop the Critical Infrastructure Protection (CIP) standards, including nine devoted to cybersecurity. These CIP standards, and the Nuclear Regulatory Commission’s cybersecurity standards, are the only mandatory and enforceable cybersecurity standards for any critical infrastructure, and they come with fines of up to one million dollars per day per violation.
As the Administration develops its Cybersecurity Framework, as directed by the President’s Executive Order, Mr. Highley urged the Administration to build on the processes, guidance, standards, and public-private partnerships already in place across critical infrastructure standards, instead of duplicating efforts. Most importantly, the framework must not undermine the current NERC standards and development process.
Mr. Highley also urged Congress to increase information sharing between the government and critical infrastructure and to expand liability protection to protect industry against civil penalties derived from information sharing.