Sunday, May 10, 2015

S 1068 Introduced – Bulk Power Cybersecurity

Three weeks ago Sen Risch (R,ID) introduced S 1068 which would amend Part II of the Federal Power Act (16 USC 824 et seq) to give the Secretary of Energy specific authority over the cybersecurity of portions of the bulk power system.

The bill would add a new section (§224) to that statute. First it adopts two definitions (‘bulk power system’ and ‘Electric Reliability Organization’) from the existing statute {§824o(a)(1)} and then it provides a definition of a new term ‘cyber security threat’:

“The imminent danger of a malicious act that disrupts, attempts to disrupt, or poses a significant risk of disrupting the operation of programmable electronic devices or communications networks (including hardware, software, and data) essential to the reliable operation of the bulk-power system” {new §224(a)(2)}.

The bill would then provide the Secretary with the authority to “require, by order and with or without notice, any entity that owns, controls, or operates a bulk-power system facility to take such actions as the Secretary determines will best avert or mitigate the cyber security threat” {new §224(b)(1)}. That authority would be predicated on receiving a written finding from the President that “immediate action is necessary to protect the bulk-power system from a cyber security threat”.

The order could only be issued for a period of 30 days and the bill provides for procedures for up to two 30-day extensions of an order.

Moving Forward
Risch is the Chair of the Energy Subcommittee of the Senate Energy and Natural Resources Committee. Typically this means that this bill will likely be considered by that Committee in the near future. The bill is co-sponsored by Sen. Heinrich (D,NM) who is also a member of the Subcommittee (but not Ranking Member) so there does appear to be at least some bipartisan support for the bill. The 30-day limit on orders may assuage concerns of the bulk power community enough to allow this bill to make it to the floor of the Senate.

With all of the public foofaraw about cybersecurity vulnerabilities, particularly in the electric sector, I suspect that this bill would be able to be passed in the Senate and House. There is a remote possibility of this passing by unanimous consent, but that would depend on what changes the utilities would like to see made to this bill and if those changes were made in committee.

Commentary

 I’m not sure what changes could be made in a 90-day period that would adequately mitigate a ‘cyber security threat’. If an actual cyber attack had shut down a significant portion of the grid, I think that there is probably enough authority in place to respond to the situation and this added authority would not add anything to the adequacy of that response.

It is interesting, however, that the first thing described as being disrupted in the definition of ‘cyber security threat’ is “the operation of programmable electronic devices”. It is well understood in the cybersecurity community that a large number (if not most) of the PLCs in use in industrial control systems are specifically vulnerable to reprogramming by anyone that can gain access to the network on which they operate.

If we ascribe more technical knowledge than normal to the congressional staff that crafted this rather short bill (or the outside ‘consultant’ that pushed for the crafting) then a suspicious person might think that there could be a move made by DOE to require the replacement of all (more likely a specific sub-set) of the vulnerable by design PLCs with more modern and secure versions.


I don’t think that I am quite that paranoid, but I know enough people who are that the thought did cross my mind. If the authority had been given to DHS I would have dismissed this out of hand for lack of technical skills (outside of the relatively insignificant ICS-CERT; small size and out of regulatory loop) to require such a move. DOE, on the other hand, is much more technically oriented and may just have the technical and regulatory skills to pull of such a mandate.

No comments:

 
/* Use this with templates/template-twocol.html */