Last month Sen. Shaheen (D,NH) introduced S 768, the Smart Manufacturing Leadership Act. The bill would require the Secretary of
Energy to develop a smart manufacturing plan and to provide assistance to small-
and medium-sized manufacturers in implementing smart manufacturing programs.
Definition of Smart Manufacturing
The basic definition of smart manufacturing in this bill encompasses
the technologies that digitally {§3(9)(A)}:
• Simulate manufacturing production lines;
• Operate computer-controlled manufacturing equipment;
• Monitor and communicate production line status; and
• Manage and optimize energy productivity and cost throughout production.
The bill goes on to further expand the definition to include
technologies that {§3(9)}:
• Model, simulate, and optimize the energy efficiency of a factory building;
• Monitor and optimize building energy performance;
• Model, simulate, and optimize the design of energy efficient and sustainable products, including the use of digital prototyping and additive manufacturing to enhance product design;
• Connect manufactured products in networks to monitor and optimize the performance of the networks, including automated network operations; and
• Digitally connect the supply chain network.
Smart Manufacturing Plan
Section 4 of the bill would require DOE to develop and
implement a smart manufacturing plan within 3 years to improve the productivity
and energy efficiency of the manufacturing sector of the United States. The
plan would identify actions that the Federal government would take to {§4(b)(1)}:
• Facilitate quicker development, deployment, and adoption of smart manufacturing technologies and processes;
• Result in greater energy efficiency and lower environmental impacts for all American manufacturers; and
• Enhance competitiveness and strengthen the manufacturing sectors of the United States.
Moving Forward
Shaheen is not a member of the Senate Energy and Natural
Resources Committee to which this bill was assigned for consideration. This
means that there is little chance that she has the influence necessary to have
that Committee take up the bill.
The only thing in this bill that would cause any significant
opposition to its consideration (in committee or on the floor) is the inclusion
of a relatively modest new grant program. The $10 million authorized
for the grant program would have to come out of an already limited budget
environment. That would probably be sufficient to ensure that the bill will not
receive consideration.
Commentary
Sharp-eyed readers will see little above that indicates that
I would spend any time evaluating this bill on this blog; there are no chemical
safety or cybersecurity provisions mentioned in the bill. The lack of
cybersecurity provisions in the bill is what concerns me here.
Shaheen does mention cybersecurity in a couple of places in
Section 2 of the bill, the congressional findings section. These findings spell
out the reason that the programs outlined in the bill are necessary. And she
lays out a pretty good set of reasons to include cybersecurity.
First, she establishes that “the interconnection of the many
components of manufacturing within a manufacturing plant with other business
functions within a company and across companies within a supply chain will
enable new production efficiencies” {§2(4)}.
Those of us who follow control system security recognize (and object to) these ‘interconnections’
as a great source of the vulnerability of control systems that until recently were
considered to have isolation as their greatest security measure.
Second, in laying out the barriers to adoption of smart
manufacturing technologies, she specifically identifies the lack of “common
cybersecurity protocols and standards” {§2(7)(D)}.
Finally, she establishes that the Department of Energy
is (and should be) specifically working “with the private sector to reduce the
market barriers through the development of voluntary protocols and standards” {§2(9)} to overcome these
barriers to smart manufacturing technology adoption in the US.
So why is there no mention of cybersecurity in the
discussion of the smart manufacturing plan the DOE is supposed to develop and
implement? It is almost certainly not because Shaheen and her staff (who really
write these bills) do not see the need; they specifically mentioned the need.
It is probably not because they are technologically ill-equipped to set
cybersecurity standards; there is no specificity in the other requirements for
the smart manufacturing plan. I do not even believe it is because of the
current resistance in the business community to establishing cybersecurity
regulations; the bill could have easily called for the establishment of ‘voluntary
standards or protocols’ for cybersecurity.
No, I think that the problem here is committee politics. If
Shaheen had added the word ‘cybersecurity’ to section 4 of the bill, it would
have forced the bill to have been referred to at least one more Committee (the
Commerce, Science, and Technology Committee) for consideration. This would have
destroyed any minor hope that Shaheen would have had for being able to horse
trade with a Committee Chair to get the bill considered by a committee of which
she was not a member.
Further, I suspect that she was hoping that the bill would
have been assigned to the Senate Committee on Small Business and Entrepreneurship
(of which she is the Ranking Member) not the Energy and Natural Resources
Committee. That was the reason that she makes a major point of addressing small
business concerns in the bill. Unfortunately, the inclusion of the DOE really
put a kibosh on that hope.
I really think that we might see this bill again later this
year when the DOE authorization bill makes it to the floor of the Senate as an
amendment to that bill. If it does, I would hope to see some added cybersecurity
language. To that end, I would suggest the following specific language:
Add a new §3(10): “VOLUNTARY CYBERSECURITY STANDARDS AND
PROTOCOLS - The term ‘voluntary cybersecurity standards and protocols’ means a
standard and/or protocol developed by the National Institute of Standards and
Technology (NIST) or recognized independent standards setting organizations that
an electronic equipment manufacturer, system integrator or system owner may
voluntarily apply in the manufacture, integration or operation of an industrial
control system, energy management system or information and communication
technology system, that would protect such systems from a cyber threat as that
term is defined in 6 USC 1501.”
Add a new §4(b)(1)(C): “encourage the development,
promulgation and implementation of voluntary cybersecurity standards and
protocols in smart manufacturing operations; and”
This simple, generic language could add a significant
measure of cybersecurity support to this bill without drawing any significant
opposition from manufacturers fearing new government regulations.