House lawmakers passed bipartisan legislation yesterday that mandates hazard analysis for both physical and cyber perils, pushing it down to the distribution layer of the US energy infrastructure and into the part of the grid closest to insured exposure.
Lawmakers passed H.R. 7257, the Securing Community Upgrades for a Resilient Grid Act (SECURE Grid Act), sponsored by Rep. Bob Latta (OH-05) with Rep. Doris Matsui (CA-07). It amends Section 366 of the Energy Policy and Conservation Act, the statute governing state energy security plans.
While the legislation is a planning-and-disclosure framework (not a capital or risk-transfer directive) and its implementation will vary because approval rests with the states, it does create a vocabulary and scope for physical and cyber hazard analysis anchored in energy distribution assets.
Federal grid-security focus has historically concentrated on the high-voltage bulk-power system, but the legislation defines the local distribution system — utility infrastructure operating at 100 kilovolts or less — and brings it into the scope of its mandates.
The legislation then rewrites the hazards state plans must address. These now include physical threats, named explicitly as weather-related vulnerabilities, physical attacks on distribution and bulk-power systems, and supply-chain risks for grid equipment. Those risks sit alongside cybersecurity threats and vulnerabilities, including threats to local distribution systems that may impact the bulk-power system.
The language of the legislation frames distribution-level cyber events not as isolated incidents but as potential triggers for cascading, system-wide impact. State plans must now address:
"cybersecurity threats and vulnerabilities, including threats to, and vulnerabilities of, local distribution systems that may impact the bulk-power system."
The bill also expands the parties utilities must consult to include suppliers of equipment for generation, transmission, and distribution. Supply-chain and third-party vendor compromise is already the dominant driver of systemic cyber-insurance loss; pulling equipment suppliers into state security planning formalizes the dependency that underwriters and modelers have been trying to quantify, and where silent-cyber and contingent business-interruption exposures live.
Finally, each plan must provide a risk-mitigation approach to enhance reliability and end-use resilience — identify the peril, mitigate, and plan recovery — applied uniformly across all fifty states, covering physical and cyber on equal footing. The bill extends the program's authorization to 2030 and clarifies that state submissions need not be approved by the Secretary.