Sunday, October 11, 2015

Energy and Commerce Committee Amends and Passes HR 8

A week and a half ago the House Energy and Commerce Committee marked up HR 8, the North American Energy Security and Infrastructure Act of 2015 with a party line final vote on passage of 32 to 20. The substitute language amended and adopted by the Committee turned the bill from one enjoying at least some measure ofr bipartisan support to a bill that was approved along mostly party lines. In addition to the substitute language there were another 40 amendments offered to the bill in two days of hearings.

Only five of those amendments will be of specific interest to readers of this blog. Two of those amendments dealt with internet of things (IOT) provisions, one modified the rules for Critical Electric Infrastructure Information, one included cybersecurity requirements for technology demonstration projects and the final one set cybersecurity requirements for smart building research.

IOT Requirements

There were two amendments to the bill submitted by Rep. Lujan (D,NM) that dealt with IOT issues. The first was a short amendment adding IOT reporting requirements to existing requirements for an updated report on Server and Data Center Energy Efficiency {§4112(d)} and on energy and water savings from thermal insulation in federal buildings (§4113).

The second amendment would add a new section to the bill {§4127} that would require the Secretary to submit a report to Congress on “the utilization of advanced technologies such as Internet of Things end-to-end platform solutions to provide real-time actionable analytics and enable predictive maintenance and asset management to improve energy efficiency wherever feasible”. It requires the Secretary to “to encourage and utilize Internet of Things energy management solutions that have security tightly integrated into the hardware and software [emphasis added] from the outset”.

Only the first amendment was actually considered by the Committee and it was adopted by a voice vote.

CEII Requirements

An amendment by Rep Eshoo (D,CA) modified the new §215a being added to the Electric Power Act by §1104 of the bill. It added three new subparagraphs to §215a(d) and modified a fourth. It modified (d)(7) to clarify that the implementation of the CEII requirements would be used only to “protect from disclosure only the minimum amount of information necessary to protect the security and reliability of the bulk-power system and distribution facilities”. The new provisions establish:

• That CEII designations do not prohibit sharing the protected information with Congress;
• A 5 year time limit for CEII designation on information;
• CEII designation removal requirements when the information can “no longer be used to impair the security or reliability of the bulk-power system or distribution facilities”; and
• Judicial review procedures for CEII information designations.

This amendment was adopted by a voice vote.

Technology Demonstration Projects

Rep. Sarbanes (D,MD) introduced an amendment that added a new §1111 to the bill that addressed requirements for the Secretary to establish a financial assistance program for technology demonstration projects “related to the modernization of the electric grid, including the application of technologies to improve observability, advanced controls, and prediction of system performance on the distribution system and related transmission system inter-dependencies” {§1111(a)}.

Key requirements for these programs include the demonstration of “secure integration and management [emphasis added]of energy resources, including distributed energy generation, combined heat and power, micro grids, energy storage, electric vehicles, energy efficiency, demand response, and intelligent loads” {§1111(b)(2)(A)} as well as “secure integration [emphasis added] and interoperability of communications and information technologies” {§1111(b)(2)(B)}.

While ‘secure integration’ is not specifically defined there is a specific requirement that each eligible project “shall include the development of a cybersecurity plan written in accordance with guidelines developed by the Secretary” {§1111(c)}.

This amendment was not officially considered by the Committee.

Smart Building Acceleration

Rep. Welch (D,VT) proposed an amendment that called for the establishment of a Federal Smart Building Program. There were a number of cybersecurity requirements included the new §4117 that would be added to HR 8.

The most interesting are included in the definition portion of the new section. First the term ‘internet of things technology solution’ was defined as “a solution that improves energy efficiency and predictive maintenance through cutting-edge technologies that utilize internet connected technologies including sensors, intelligent gateways, and security embedded hardware [emphasis added]” {§4117(a)(1)}. Then the term ‘smart building’ includes the requirement that it is “cybersecure” {§4117(a)(3)}.

The descriptions of the technologies that to be included in the studies outlined in this new section include a requirement that selection includes ‘showing promise for’ “establishing cybersecurity” {eg: §4117(c)(3)(A)(ii)(IV)}.

Additionally, as part of the existing ‘Better Building Challenge’ paragraph (d) includes a requirement that new research and development programs should include (among other things) “protecting against cybersecurity threats and addressing security vulnerabilities of building systems or equipment” {§4117(d)(2)(B)(vi)}.

This amendment was not officially considered by the Committee.

Moving Forward

When this bill was originally introduced it looked like it would enjoy significant bipartisan support. The version of the bill being reported out of Committee has been modified with enough controversial items (none of specific interest to readers of this blog) that the bill will have to be brought to the floor of the House under a rule, probably with extended debate and at least a number of floor amendments. If not substantially amended it looks like this bill will not make it to the floor of the Senate after it passes in the House.


The Committee web page dedicated to this markup hearing has a lot of information on it but it is missing even more. There are 41 listed amendments proposed for the bill but actions are listed only for 28. Since six of those listed actions are “withdrawn” it is not clear what happened to the other 13 amendments. It is possible that some of them were adopted ‘without objection’ and that that disposition was not reported on the page. I won’t be able to tell for sure until the Committee Report is printed.

This is kind of important for those of us concerned about cybersecurity issues. All of the amendments that contained cybersecurity provisions fall among those 13 missing amendments (that I reported above as not being ‘officially considered’.

Even if none of those amendments make their way into the bill, the cybersecurity provisions that I reported above mark a sea change in the way that Congress is trying to deal with cybersecurity issues. I have noted this on a couple of occasions now, but it bears repeating that smaller, targeted provisions like these will probably have more effect (when adopted) on private sector cybersecurity activities than will big cybersecurity bills like the still uncompleted information sharing bills wending their inconclusive ways through the halls of Congress, even if they are eventually passed (and that is far from a foregone conclusion).

What is really important about this change is that it shows that congress critters and their staffs are finally starting to realize that cybersecurity is not a standalone topic, but rather a part of everything in our lives that includes cyber devices. All of the public beating of the cybersecurity drums is finally starting to pay off. If this is finally starting to be recognized by Congress it can only mean that the upper echelons of corporate America are also starting to realize the seriousness of the cybersecurity problems that we are facing in the 21st Century.

No comments:

/* Use this with templates/template-twocol.html */