Thursday, April 13, 2017

S 768 Introduced – Smart Manufacturing

Last month Sen. Shaheen (D,NH) introduced S 768, the Smart Manufacturing Leadership Act. The bill would require the Secretary of Energy to develop a smart manufacturing plan and to provide assistance to small- and medium-sized manufacturers in implementing smart manufacturing programs.

Definition of Smart Manufacturing

The basic definition of smart manufacturing in this bill encompasses the technologies that digitally {§3(9)(A)}:

• Simulate manufacturing production lines;
• Operate computer-controlled manufacturing equipment;
• Monitor and communicate production line status; and
• Manage and optimize energy productivity and cost throughout production.

The bill goes on to further expand the definition to include technologies that {§3(9)}:

• Model, simulate, and optimize the energy efficiency of a factory building;
• Monitor and optimize building energy performance;
• Model, simulate, and optimize the design of energy efficient and sustainable products, including the use of digital prototyping and additive manufacturing to enhance product design;
• Connect manufactured products in networks to monitor and optimize the performance of the networks, including automated network operations; and
• Digitally connect the supply chain network.

Smart Manufacturing Plan

Section 4 of the bill would require DOE to develop and implement a smart manufacturing plan within 3 years to improve the productivity and energy efficiency of the manufacturing sector of the United States. The plan would identify actions that the Federal government would take to {§4(b)(1)}:

• Facilitate quicker development, deployment, and adoption of smart manufacturing technologies and processes;
• Result in greater energy efficiency and lower environmental impacts for all American manufacturers; and
• Enhance competitiveness and strengthen the manufacturing sectors of the United States.

Moving Forward

Shaheen is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. This means that there is little chance that she has the influence necessary to have that Committee take up the bill.

The only thing in this bill that would cause any significant opposition to its consideration (in committee or on the floor) is the inclusion of a relatively modest new grant program. The $10 million authorized for the grant program would have to come out of an already limited budget environment. That would probably be sufficient to ensure that the bill will not receive consideration.


Sharp-eyed readers will see little above that indicates that I would spend any time evaluating this bill on this blog; there are no chemical safety or cybersecurity provisions mentioned in the bill. The lack of cybersecurity provisions in the bill is what concerns me here.

Shaheen does mention cybersecurity in a couple of places in Section 2 of the bill, the congressional findings section. These findings spell out the reason that the programs outlined in the bill are necessary. And she lays out a pretty good set of reasons to include cybersecurity.

First, she establishes that “the interconnection of the many components of manufacturing within a manufacturing plant with other business functions within a company and across companies within a supply chain will enable new production efficiencies” {§2(4)}. Those of us who follow control system security recognize (and object to) these ‘interconnections’ as a great source of the vulnerability of control systems that until recently were considered to have isolation as their greatest security measure.

Second, in laying out the barriers to adoption of smart manufacturing technologies, she specifically identifies the lack of “common cybersecurity protocols and standards” {§2(7)(D)}.

Finally, she establishes that the Department of Energy is (and should be) specifically working “with the private sector to reduce the market barriers through the development of voluntary protocols and standards” {§2(9)} to overcome these barriers to smart manufacturing technology adoption in the US.

So why is there no mention of cybersecurity in the discussion of the smart manufacturing plan the DOE is supposed to develop and implement? It is almost certainly not because Shaheen and her staff (who really write these bills) do not see the need; they specifically mentioned the need. It is probably not because they are technologically ill equipped to set cybersecurity standards; there is no specificity in the other requirements for the smart manufacturing plan. I do not even believe it is because of the current resistance in the business community to establishing cybersecurity regulations; the bill could have easily called for the establishment of ‘voluntary standards or protocols’ for cybersecurity.

No, I think that the problem here is committee politics. If Shaheen had added the word ‘cybersecurity’ to section 4 of the bill, it would have forced the bill to have been referred to at least one more Committee (the Commerce, Science, and Technology Committee) for consideration. This would have destroyed any minor hope that Shaheen would have had for being able to horse trade with a Committee Chair to get the bill considered by a committee of which she was not a member.

Further, I suspect that she was hoping that the bill would have been assigned to the Senate Committee on Small Business and Entrepreneurship (of which she is the Ranking Member), not the Energy and Natural Resources Committee. That is the reason that she makes a major point of addressing small business concerns in the bill. Unfortunately, the inclusion of the DOE really put the kibosh on that hope.

I really think that we might see this bill again later this year when the DOE authorization bill makes it to the floor of the Senate as an amendment to that bill. If it does, I would hope to see some added cybersecurity language. To that end, I would suggest the following specific language:

Add a new §3(10): “VOLUNTARY CYBERSECURITY STANDARDS AND PROTOCOLS - The term ‘voluntary cybersecurity standards and protocols’ means a standard and/or protocol developed by the National Institute of Standards and Technology (NIST) or recognized independent standards setting organizations that an electronic equipment manufacturer, system integrator or system owner may voluntarily apply in the manufacture, integration or operation of an industrial control system, energy management system or information and communication technology system, that would protect such systems from a cyber threat as that term is defined in 6 USC 1501.”

Add a new §4(b)(1)(C): “encourage the development, promulgation and implementation of voluntary cybersecurity standards and protocols in smart manufacturing operations; and”

This simple, generic language could add a significant measure of cybersecurity support to this bill without drawing any significant opposition from manufacturers fearing new government regulations.
