Earlier this week Sen. King (I,ME) introduced S 3018, the Securing
Energy Infrastructure Act. It would require the Secretary of Energy to
establish a 2-year pilot program to study control system security in the energy
sector. The pilot program would be funded at $10 Million for the 2-year study.
The Pilot Program
Section 3 of the bill would require the establishment of a “2-year
control systems implementation pilot program within the National Laboratories”
{§3} to study control
system security in voluntarily participating energy sector critical
infrastructure facilities “where a cybersecurity incident could reasonably
result in catastrophic regional or national effects on public health or safety,
economic security, or national security” (covered entity) {§2(1)}.
The pilot program would involve {§3}:
• Studying the covered entities in
the energy sector that voluntarily participate in the Program to identify new
classes of security vulnerabilities of the covered entities; and
• Researching, developing, testing, and implementing
technology platforms and standards to isolate and defend industrial control
systems of covered entities from security vulnerabilities and exploits in the
most critical systems of the covered entities.
The definition (both legal and operational) of ‘control
system’ is very broadly written. It is specifically defined in the bill {§2(3)(a)} as “an
operational technology used to measure, control, or manage industrial functions”.
That definition specifically includes {§2(3)(b)}:
• Supervisory control and data
acquisition systems;
• Distributed control systems; and
• Programmable logic or embedded
controllers.
Additionally, the bill later operationally adds {§3(2)}:
• Analog and non-digital control
systems;
• Purpose-built control systems;
and
• Physical controls.
Working Group
The Energy Secretary is also required to form a working
group to evaluate the technology platforms and standards used in the pilot
program. More broadly, the Working Group is tasked with {§4(a)(2)} developing “a national cyber-informed engineering
strategy to isolate and defend covered entities from security vulnerabilities
and exploits in the most critical systems of the covered entities”.
The Working Group would include representatives from {§4(b)}:
• The Department of Energy;
• The energy industry, including
electric utilities and manufacturers recommended by the Energy
Sector coordinating councils;
• The Department of Homeland
Security (or the Industrial Control Systems Cyber Emergency Response Team);
• The North American Electric
Reliability Corporation;
• The Nuclear Regulatory
Commission;
• The Office of the Director of
National Intelligence (or the intelligence community);
• The Department of Defense (or the
Assistant Secretary of Defense for Homeland Security and America’s Security
Affairs);
• A State or regional energy
agency;
• A national research body or
academic institution; and
• The National Laboratories.
Participant Protections
There are two types of protection provided to private sector
participants in the pilot program: information protection and liability
protection. Information voluntarily submitted during participation in the
program is protected {§7(2)}
from public disclosure requirements at the Federal, State and local levels. The
bill also specifically states that {§8(a)}
a “cause of action against a covered entity for engaging in the voluntary
activities authorized under section 3 [the Pilot Program] shall not lie or be
maintained in any court; and shall be promptly dismissed by the applicable
court.”
Moving Forward
King {as well as one of his co-sponsors, Sen. Risch (R,ID)}
is a member of the Senate Energy and Natural Resources Committee, to which this
bill was referred for consideration. That means that there is a good chance
that the bill will be considered in Committee. The only thing that might hold
up consideration of this bill is the $10 Million it authorizes to
complete the pilot program and the $1.5 Million for operations of the Working
Group and report preparation. That money has to be squeezed out of the budget
somewhere.
Since the money authorization is included in this bill, I
would not be surprised to see this bill again as a proposed amendment to a
spending bill.
If the budget issue can be resolved, I do not see any
impediments to the passage of this bill if it does make it to the floor of the
Senate.
Commentary
Needless to say I am very excited to see this bill
introduced. I am somewhat disappointed that it is limited to energy sector
facilities, but I would bet that much of what is learned here could easily be
used to improve control system security across multiple sectors of the economy.
I would have preferred to see an unclassified version of the report required by
the bill to aid in that information sharing.
I am especially happy to see how widely the bill defined
control systems. This realistically reflects the fact that for reliability
purposes these control systems rely on a wide variety of devices to protect the
system from physical faults and they can be reasonably expected to help limit
the effectiveness of any cyber-attack. Any study that fails to take those
safeguards into account could lead to an overly expensive and complicated
security system.
I have a couple of points that I would like to raise about
the make-up of the Working Group. First, I would have preferred to see ICS-CERT
listed as a standalone member of the Group instead of being listed as a
possible substitute for a DHS representative. Hopefully the DHS Secretary would
ensure that ICS-CERT had the seat at the table, but they are a rather low level
entity in DHS and DHS internal politics could see them shunted to the side.
Secondly, the Working Group is missing someone from the
operational side of things. I understand that it would be difficult to pick a
single utility and/or vendor (I would really like to see both) to sit in on the
Working Group, but I think that the operational insight would be invaluable in the
Working Group’s deliberations. Perhaps each of the participating entities could
select a group spokesman to represent their view point. Selecting a vendor
representative would be more difficult, but perhaps FERC could nominate a
widely recognized consultant in control system implementation to provide
insight into that side of operational planning.
I really think that this bill is important enough to call
for a little political involvement by those in the control system security
community. It would certainly help if people would start a letter writing
campaign to their Senators and Representatives to urge their support for this
bill. People that live and/or work in States where their Senator is on the
Energy and Natural Resources Committee (see here for a
list of members) should specifically encourage their support of this bill in
Committee. For letters to Representatives, they should encourage the introduction
of a companion bill in the House and support for the bill when it gets to the
floor for consideration.
This is the first bill that I have seen that takes a proactive
stance on control system security issues. More importantly it puts some money
into that stance, something that has been missing from most cybersecurity
bills. We need to get behind this and push it.