Friday, September 18, 2015

HR 8 Introduced – Energy Security

On Wednesday Rep Upton (R,MI) introduced HR 8, the North American Energy Security and Infrastructure Act of 2015. The bill mainly addresses energy supply chain issues, but it does have two provisions dealing with actual security issues. The first is protection of information about bulk electrical system security issues and the second is a new cybersecurity program.

Information Protection

Section 1104 of the bill would add a new section (§215A; Critical Electric Infrastructure Security) to the Federal Power Act (16 USC 824 et seq.). The new section would provide authority for the Secretary of Energy to address a grid security emergency {new §215A(b)} and establish a program for the protection of critical electric infrastructure information. The provisions of this section are essentially those found in HR 2271 which I have previously discussed in detail.

While a CEII program does currently exist, pending regulations on controlled but unclassified information (CUI) from the National Archives and Records administration, treat such programs differently if they are authorized by law.

Cyber Sense Program

Section 1106 requires the Energy Secretary to establish a Cyber Sense Program to identify and promote cyber-secure products intended for use in the bulk-power system. The program would allow voluntary industry participation and would include {§1106(b)}:

• A testing process to identify products and technologies intended for use in the bulk-power system, including products relating to industrial control systems, such as supervisory control and data acquisition systems;
• The establish and maintain cybersecurity vulnerability reporting processes and a related database for products in the Cyber Sense program;
• Regulations regarding vulnerability reporting processes for products tested and identified under the Cyber Sense program; and
• Technical assistance to utilities, product manufacturers, and other electric sector stakeholders to develop solutions to mitigate identified vulnerabilities in products tested and identified under the Cyber Sense program.

This section would also require the Secretary to provide for public notice and comments before establishing or changing the required testing program. Products included in the program would be required to be tested every two years.

The bill does not specifically mandate that the results of the product testing should be considered as Critical Electric Infrastructure Information (CEII). It does, however, require that “any vulnerability reported pursuant to regulations promulgated under subsection (b)(3), the disclosure of which could cause harm to critical electric infrastructure (as defined in section 215A of the Federal Power Act), shall be exempt from disclosure” under the Freedom of Information Act or any similar State and local laws.

Moving Forward
As I noted in my earlier post the assignment of ‘HR 8’ to this bill instead of a sequential bill number indicates that the Republican leadership in the House considers this bill a high political priority. It was considered in a markup hearing yesterday before the House Energy and Commerce Committee, but Committee web page does not yet provide any results of that consideration. I expect, however, that the bill was adopted by voice vote.


The new Cyber Sense Program proposed by this bill is the first serious attempt by Congress to deal with the problems associated with industrial control system security. The idea of the Federal government establishing a testing and certification program for ICS components and systems is certainly an innovative approach to control system security.

Since this bill does not provide any funding for the program, it is fairly clear that the authors intend this testing to be done by third-party organizations and that is reinforced by the requirement for the Secretary to “oversee Cyber Sense testing carried out by third parties” {§1106(b)(8)}. The problem becomes that, since the Energy Department is not paying for the testing, that it will most likely be the vendor that pays. This always raises the potential issues of testers being beholden to the people that make the products being tested.

The establishment of regulations for vulnerability reporting for Cyber Sense products is something that was fairly glibly added to this bill. But, taken along with the information sharing restrictions outlined, this is going to be problematic. Except for equipment that is uniquely used by the bulk-power system, trying to regulate how security vulnerability reporting is conducted without intimately involving at least ICS-CERT is going to create more problems than it solves.

A brief example will help explain the problem. A private security researcher discovers a vulnerability in a PLC that is part of the Cyber Sense program, but is also used in a wide variety of other industrial control systems. Normally he would have a choice of coordinating that vulnerability disclosure with the vendor, ICS-CERT (or any one of a number of other coordination agencies) or publicly disclosing the vulnerability. Under the new program, if he instead disclosed it to the Cyber Sense program, then there would be no public disclosure through ICS-CERT or the vendor. In fact, if the new regulations were to declare this disclosure to the Cyber Sense to be CEII information (a logical move), then ICS-CERT would not be able to post it to the US-CERT Secure Portal because people without a CEII need-to-know have access to that system.

Crafters of this bill missed one of the biggest potential incentives for using Cyber Sense components. DHS has the Safety Act program under their Science and Technology Directorate that provides important legal liability protections for providers of Qualified Anti-Terrorism Technologies. This bill should have set up a similar program for Cyber Sense vetted products.

I would like to suggest that instead of making the vulnerability information CEII and limiting the disclosure to just the energy sector, that the bill should have designated ICS-CERT as the agency responsible for coordinating disclosures of vulnerabilities for all Cyber Sense Products. It would then go on to require that ICS-CERT initially release the vulnerability information on the US-CERT Secure Portal and only make full public disclosure in coordination with the Department of Energy organization overseeing the Cyber Sense program. That way non-energy sector organizations using the same equipment would have an opportunity to fix their devices before the public disclosure of the vulnerability.

Now, I really like the idea of an independent agency that does in depth security vulnerability testing of control system components and certifying some level of minimum security for such devices. That would certainly make the purchasing of secure ICS components much easier. But we do need to be careful how that is done to prevent the most egregious unintended consequences.

No comments:

/* Use this with templates/template-twocol.html */