Understanding Ohio CERCLA for Energy & Utility Companies

 

In Ohio, energy and utility companies must comply with both federal CERCLA (Comprehensive Environmental Response, Compensation, and Liability Act) regulations and Ohio-specific requirements. While CERCLA is primarily an environmental law, it has significant cybersecurity implications for utility infrastructure protection.

 

Ohio-Specific CERCLA Requirements for Energy/Utilities

 

• Energy and utility companies in Ohio must follow the Ohio EPA's Voluntary Action Program (VAP), which provides a streamlined process for investigating and remediating contaminated properties, including digital infrastructure protection
• The Ohio Revised Code Chapter 3746 outlines specific requirements for remediation of environmental contamination that may affect critical energy infrastructure
• Utilities must comply with the Ohio Administrative Code 3745-300, which includes specialized rules for reporting cybersecurity incidents that could lead to environmental releases
• The Public Utilities Commission of Ohio (PUCO) enforces additional cybersecurity requirements for utilities under CERCLA-related regulations

 

Key Cybersecurity Obligations Under Ohio CERCLA for Utilities

 

• Digital Release Notification Requirements: Ohio energy companies must report cyber incidents that could potentially lead to hazardous substance releases within 24 hours to both the National Response Center and the Ohio EPA
• Security Vulnerability Assessment: Ohio utilities must conduct specialized security assessments for digital control systems that manage potentially hazardous materials or processes
• Critical Infrastructure Protection Plans: Energy providers must develop and maintain Ohio-specific plans that address both physical and cyber vulnerabilities of facilities containing hazardous substances
• Response Integration: Utilities must maintain integrated cybersecurity and environmental incident response protocols compliant with Ohio Emergency Management Agency standards

 

Ohio Energy Sector CERCLA Liability Considerations

 

• Ohio follows a strict liability framework where utilities can be held responsible for releases caused by cyber attacks, even without negligence
• The Ohio Water Development Authority (OWDA) has special provisions for water utilities regarding cyber protection of treatment systems to prevent CERCLA releases
• Energy companies face potentially unlimited cleanup costs for environmental damage resulting from cyber incidents affecting control systems
• Ohio law provides limited liability protection for utilities that implement certified cybersecurity frameworks like the Ohio Data Protection Act

 

Practical Cybersecurity Measures for Ohio Utilities Under CERCLA

 

• Air Gap Critical Systems: Physically separate networks controlling hazardous processes from internet-connected systems
• Implement the Ohio Energy Assurance Plan cybersecurity requirements, which exceed federal standards for SCADA (Supervisory Control and Data Acquisition) systems
• Conduct Ohio-specific tabletop exercises that simulate cyber attacks resulting in hazardous releases, coordinated with county Emergency Management Agencies
• Deploy specialized OT (Operational Technology) monitoring for industrial control systems unique to Ohio's energy infrastructure
• Maintain detailed digital logs of all access to systems controlling CERCLA-regulated substances to demonstrate due diligence under Ohio law

 

Ohio-Specific Reporting Requirements

 

• Report cybersecurity incidents to the Ohio Homeland Security Strategic Analysis and Information Center (SAIC) if they potentially affect CERCLA-regulated facilities
• File Ohio EPA Form 4411 for any cyber incident that results in or threatens release of hazardous substances
• Submit an annual cybersecurity posture report to PUCO detailing protective measures for systems controlling CERCLA-regulated materials
• Notify the Ohio Emergency Response Commission (OERC) of any cybersecurity vulnerabilities discovered in critical infrastructure within 72 hours

 

Ohio CERCLA Enforcement for Energy Utilities

 

• The Ohio Attorney General's Environmental Enforcement Section can bring civil and criminal charges for cybersecurity negligence leading to contamination
• Joint PUCO-EPA inspections assess cybersecurity controls for utility systems managing hazardous substances
• Penalties under Ohio law can reach $25,000 per day for violations, including inadequate cybersecurity measures for systems controlling hazardous materials
• Consent orders often require implementation of enhanced cybersecurity measures beyond federal requirements

 

Compliance Resources for Ohio Energy & Utility Companies

 

• The Ohio Utilities Protection Service (OUPS) provides specialized guidance on protecting digital infrastructure controlling underground utilities
• The Ohio EPA's Office of Compliance Assistance and Pollution Prevention offers free consultations on cybersecurity for environmental compliance
• The Ohio Energy and Advanced Manufacturing Center provides technical assistance for securing industrial control systems
• The Ohio Critical Infrastructure Committee offers sector-specific cybersecurity best practices for CERCLA compliance