Saturday, January 28, 2017

S 79 Introduced – Energy Sector Security

Earlier this month Sen. King (I,ME) introduced S 79, the Securing Energy Infrastructure Act. It would require the Secretary of Energy to establish a 2-year pilot program to study control system security in the energy sector. The pilot program would be funded at $10 Million for the 2-year study. This bill is essentially the same as S 3018 introduced late in the 114th Congress; that bill saw no action in committee. Attentive readers might recall that I suggested a letter writing campaign to support that bill.

I am not going to repeat the detailed explanation of the bill since I covered that in my post on the introduction of S 3018. I would like to address two items that I did not mention in that earlier post; the definition of ‘industrial control system’ and the use of the term ‘cyber-informed engineering'.

Industrial Control System

The bill defines ‘industrial control system’ as “an operational technology used to measure, control, or manage industrial functions” {§(2)(3)(A)}. That definition is expanded in sub-paragraph (B) to specifically include “supervisory control and data acquisition systems, distributed control systems, and programmable logic or embedded controllers”.

The initial definition could clearly be interpreted to include manual control systems with no electronic component. This is important because later in the bill ‘physical controls’ (as opposed to digital or analog) are one concept that is suggested as a way to avoid the security vulnerabilities in existing systems.

Cyber-Informed Engineering

This term was first used in S 2943, the FY 2017 National Defense Authorization Act. There it was used to describe a pilot program the DOD would run “to increase the resilience of military installations against cybersecurity threats and prevent or mitigate the potential for high-consequence cyberattacks” {§1634(a)}. The Armed Services Committee report (S Rept 114-255) provides a more detailed explanation:

“A consequence-driven, cyber-informed engineering approach is based on an evaluation of the operating environment that discriminates between targeted and indiscriminate attacks, analyzes vulnerabilities beyond traditional Information Technology security, and addresses systems created to control critical infrastructure that were designed primarily to meet engineering requirements with little or sometimes no consideration of security requirements.”

In S 79 the term shows up in the §4 description of the working group. In the second portion of the description of the working group purpose the bill it states that the working group will “develop a national cyber-informed engineering strategy to isolate and defend covered entities from security vulnerabilities and exploits in the most critical systems [emphasis added] of the covered entities” {§4(a)(2)}.

This sounds very much like how safety systems are configured in chemical operations. The sensors and actuators of safety systems are isolated from the active control system so that a failure (or compromise) of components of the control system cannot affect the proper operation of the safety system. And those safety systems are only designed to protect against catastrophic failure of the chemical manufacturing system, not general failures of the control scheme to maintain product quality or process efficiency.

As I mentioned in my post about S 2943, there is an interesting paper from 2015 published by the Idaho National Laboratory (INL) about the concept of ‘cyber-informed engineering’ (Note: the link in the original post is no longer good, it has been corrected.)

Moving Forward

In the last session, this bill had bipartisan support in the Senate Energy and Natural Resources Committee and it does again this session. I suspect that the reason that the bill did not move forward in the last session was due to its late introduction and short amount of time available.

The biggest thing stopping this bill from moving forward is the spending authorization for the pilot program ($10 million) and the inclusion of spending authorization for the working group activities ($1.5 million). While that is not a great deal of money (at Federal spending levels), it is money that will have to come from somewhere. Figuring out the spending offsets for that §11.5 million will take some doing. Once that is accomplished, this bill should be able to move forward pretty easily if it makes it to the floor.

No comments:

/* Use this with templates/template-twocol.html */