Three weeks ago Sen. Risch (R,ID) introduced S 1068
which would amend Part II of the Federal Power Act (16
USC 824 et seq) to give the Secretary of Energy specific authority over the
cybersecurity of portions of the bulk power system.
The bill would add a new section (§224) to that statute. First it adopts two definitions
(‘bulk power system’ and ‘Electric Reliability Organization’) from the existing
statute {§824o(a)(1)}
and then it provides a definition of a new term ‘cyber security threat’:
“The imminent danger of a malicious
act that disrupts, attempts to disrupt, or poses a significant risk of
disrupting the operation of programmable electronic devices or communications
networks (including hardware, software, and data) essential to the reliable
operation of the bulk-power system” {new §224(a)(2)}.
The bill would then provide the Secretary with the authority
to “require, by order and with or without notice, any entity that owns,
controls, or operates a bulk-power system facility to take such actions as the
Secretary determines will best avert or mitigate the cyber security threat” {new
§224(b)(1)}. That authority would be predicated on receiving a written finding
from the President that “immediate action is necessary to protect the
bulk-power system from a cyber security threat”.
The order could only be issued for a period of 30 days and
the bill provides for procedures for up to two 30-day extensions of an order.
Moving Forward
Risch is the Chair of the Energy Subcommittee of the Senate
Energy and Natural Resources Committee. Typically this means that this bill
will likely be considered by that Committee in the near future. The bill is
co-sponsored by Sen. Heinrich (D,NM) who is also a member of the Subcommittee
(but not Ranking Member) so there does appear to be at least some bipartisan
support for the bill. The 30-day limit on orders may assuage concerns of the
bulk power community enough to allow this bill to make it to the floor of the
Senate.
With all of the public foofaraw about cybersecurity
vulnerabilities, particularly in the electric sector, I suspect that this bill
would be able to be passed in the Senate and House. There is a remote
possibility of this passing by unanimous consent, but that would depend on what
changes the utilities would like to see made to this bill and if those changes
were made in committee.
Commentary
I’m not sure what
changes could be made in a 90-day period that would adequately mitigate a ‘cyber
security threat’. If an actual cyber attack had shut down a significant portion
of the grid, I think that there is probably enough authority in place to
respond to the situation and this added authority would not add anything to the
adequacy of that response.
It is interesting, however, that the first thing described
as being disrupted in the definition of ‘cyber security threat’ is “the operation
of programmable electronic devices”. It is well understood in the cybersecurity
community that a large number (if not most) of the PLCs in use in industrial
control systems are specifically vulnerable to reprogramming by anyone that can
gain access to the network on which they operate.
If we ascribe more technical knowledge than normal to the
congressional staff that crafted this rather short bill (or the outside ‘consultant’
that pushed for the crafting) then a suspicious person might think that there could
be a move made by DOE to require the replacement of all (or, more likely, a specific
subset) of the vulnerable-by-design PLCs with more modern and secure versions.
I don’t think that I am quite that paranoid, but I know
enough people who are that the thought did cross my mind. If the authority had
been given to DHS I would have dismissed this out of hand for lack of technical
skills (outside of the relatively insignificant ICS-CERT; small size and out of
regulatory loop) to require such a move. DOE, on the other hand, is much more
technically oriented and may just have the technical and regulatory skills to
pull off such a mandate.