A week and a half ago the House Energy and Commerce Committee marked up HR 8,
the North American Energy Security and Infrastructure Act of 2015, with a
party-line final vote on passage of 32 to 20. The substitute language amended
and adopted by the Committee turned the bill from one enjoying at least some
measure of bipartisan support to a bill that was approved along mostly party
lines. In addition to the substitute language there were another 40 amendments
offered to the bill in two days of hearings.
Only five of those amendments will be of specific interest
to readers of this blog. Two of those amendments dealt with internet of things
(IOT) provisions, one modified the rules for Critical Electric Infrastructure
Information, one included cybersecurity requirements for technology demonstration
projects and the final one set cybersecurity requirements for smart building
research.
IOT Requirements
There were two amendments to the bill submitted by Rep.
Lujan (D,NM) that dealt with IOT issues. The
first was a short amendment adding IOT reporting requirements to existing requirements
for an updated report on Server and Data Center Energy Efficiency {§4112(d)} and
on energy and water savings from thermal insulation in federal buildings (§4113).
The second amendment would add a new section to the bill {§4127} that would
require the Secretary to submit a report to Congress on “the utilization of
advanced technologies such as Internet of Things end-to-end platform solutions
to provide real-time actionable analytics and enable predictive maintenance and
asset management to improve energy efficiency wherever feasible”. It requires
the Secretary “to encourage and utilize Internet of Things energy management
solutions that have security tightly integrated into the hardware and software
[emphasis added] from the outset”.
Only the first amendment was actually considered by the
Committee and it was adopted by a voice vote.
CEII Requirements
An amendment by Rep. Eshoo (D,CA) modified the new §215a being added to the
Electric Power Act by §1104 of the bill. It added three new subparagraphs to
§215a(d) and modified a fourth. It modified (d)(7) to clarify that the
implementation of the CEII requirements would be used only to “protect from
disclosure only the minimum amount of information necessary to protect the
security and reliability of the bulk-power system and distribution facilities”.
The new provisions establish:
• That CEII designations do not prohibit sharing the protected information with Congress;
• A 5-year time limit for CEII designation on information;
• CEII designation removal requirements when the information can “no longer be used to impair the security or reliability of the bulk-power system or distribution facilities”; and
• Judicial review procedures for CEII information designations.
This amendment was adopted by a voice vote.
Technology Demonstration Projects
Rep. Sarbanes (D,MD) introduced an amendment that added a new §1111 to the bill
that addressed requirements for the Secretary to establish a financial
assistance program for technology demonstration projects “related to the
modernization of the electric grid, including the application of technologies
to improve observability, advanced controls, and prediction of system
performance on the distribution system and related transmission system
inter-dependencies” {§1111(a)}.
Key requirements for these programs include the demonstration of “secure
integration and management [emphasis added] of energy resources, including
distributed energy generation, combined heat and power, micro grids, energy
storage, electric vehicles, energy efficiency, demand response, and intelligent
loads” {§1111(b)(2)(A)} as well as “secure integration [emphasis added] and
interoperability of communications and information technologies”
{§1111(b)(2)(B)}.
While ‘secure integration’ is not specifically defined, there is a specific
requirement that each eligible project “shall include the development of a
cybersecurity plan written in accordance with guidelines developed by the
Secretary” {§1111(c)}.
This amendment was not officially considered by the
Committee.
Smart Building Acceleration
Rep. Welch (D,VT) proposed an amendment that called for the establishment of a
Federal Smart Building Program. There were a number of cybersecurity
requirements included in the new §4117 that would be added to HR 8.
The most interesting are included in the definition portion
of the new section. First the term ‘internet of things technology solution’ was
defined as “a solution that improves energy efficiency and predictive
maintenance through cutting-edge technologies that utilize internet connected
technologies including sensors, intelligent gateways, and security embedded hardware
[emphasis added]” {§4117(a)(1)}.
Then the term ‘smart building’ includes the requirement that it is “cybersecure” {§4117(a)(3)}.
The descriptions of the technologies to be included in the studies outlined in
this new section include a requirement that selection includes ‘showing promise
for’ “establishing cybersecurity” {e.g., §4117(c)(3)(A)(ii)(IV)}.
Additionally, as part of the existing ‘Better Building
Challenge’ paragraph (d) includes a requirement that new research and
development programs should include (among other things) “protecting against
cybersecurity threats and addressing security vulnerabilities of building
systems or equipment” {§4117(d)(2)(B)(vi)}.
This amendment was not officially considered by the
Committee.
Moving Forward
When this bill was originally introduced it looked like it
would enjoy significant bipartisan support. The version of the bill being
reported out of Committee has been modified with enough controversial items
(none of specific interest to readers of this blog) that the bill will have to
be brought to the floor of the House under a rule, probably with extended
debate and at least a number of floor amendments. If not substantially amended
it looks like this bill will not make it to the floor of the Senate after it
passes in the House.
Commentary
The Committee web page dedicated to this markup hearing has
a lot of information on it but it is missing even more. There are 41 listed
amendments proposed for the bill but actions are listed only for 28. Since six
of those listed actions are “withdrawn” it is not clear what happened to the
other 13 amendments. It is possible that some of them were adopted ‘without
objection’ and that that disposition was not reported on the page. I won’t be
able to tell for sure until the Committee Report is printed.
This is kind of important for those of us concerned about
cybersecurity issues. All of the amendments that contained cybersecurity
provisions fall among those 13 missing amendments (that I reported above as not
being ‘officially considered’).
Even if none of those amendments make their way into the
bill, the cybersecurity provisions that I reported above mark a sea change in
the way that Congress is trying to deal with cybersecurity issues. I have noted
this on a couple of occasions now, but it bears repeating that smaller,
targeted provisions like these will probably have more effect (when adopted) on
private sector cybersecurity activities than will big cybersecurity bills like
the still uncompleted information sharing bills wending their inconclusive ways
through the halls of Congress, even if they are eventually passed (and that is
far from a foregone conclusion).
What is really important about this change is that it shows
that congress critters and their staffs are finally starting to realize that
cybersecurity is not a standalone topic, but rather a part of everything in our
lives that includes cyber devices. All of the public beating of the
cybersecurity drums is finally starting to pay off. If this is finally starting
to be recognized by Congress it can only mean that the upper echelons of
corporate America are also starting to realize the seriousness of the
cybersecurity problems that we are facing in the 21st Century.