Last month Rep. Upton (R,MI) introduced HR 3050,
the Enhancing State Energy Security Planning and Emergency Preparedness Act of
2017. The bill would amend the Energy Policy and Conservation Act (PL 94-193), Part D of
title III (State Energy Conservation Programs; 42 USC 6321 – 6327), by adding a new §367
(§6328), State energy security plans.
Energy Security Plans
While the bill does not specifically require States to
prepare energy security plans, it does condition the future State receipt of
federal energy conservation grants (§6323) on the
successful development and implementation of such security plans.
The plans would be required to address how the State intends to {new §367(a)}:
• Secure the energy infrastructure of the State against all
physical and cybersecurity threats;
• Mitigate the risk of energy supply disruptions to the
State and enhance the response to, and recovery from, energy disruptions; and
• Ensure the State has a reliable, secure, and resilient
energy infrastructure.
Specifically, the plans would be required to contain
provisions that {new §367(b)}:
• Address all fuels, including
petroleum products, other liquid fuels, coal, electricity, and natural gas, as
well as regulated and unregulated energy providers;
• Provide a State energy profile,
including an assessment of energy production, distribution, and end-use;
• Address potential hazards to each
energy sector or system, including physical threats and cybersecurity threats;
• Provide a risk assessment of
energy infrastructure and cross-sector interdependencies;
• Provide a risk mitigation
approach to enhance reliability and end-use resilience; and
• Address multi-State and regional
coordination planning and response.
The bill would provide continued authorization for the
energy efficiency grants (now including energy security) under §6323 at $90 million per
year through 2022. The original program (2007 through 2012) had a funding level
set at $125 million per year.
House Mark-Up
On June 28th the House Energy and Commerce
Committee conducted a mark-up
hearing that included HR 3050. Two amendments to this bill were adopted by voice
vote and the bill was approved by a voice vote.
Of the two amendments, only the Barton
amendment contained any specific cybersecurity provisions. It modified two
of the content requirements for the State energy security plans:
• Address potential hazards to each
energy sector or system, including physical threats and cybersecurity threats and
vulnerabilities; and
• Address multi-State and regional
coordination planning and response and, to the extent practicable, encourage
mutual assistance in cyber and physical response plans.
Moving Forward
Obviously, Upton and his cosponsor, Rep. Rush (D,IL), as
Chair and Ranking Member of the Energy Subcommittee, had the pull necessary to
have the full Committee promptly consider this bill just days after it was
introduced. Whether or not that support is strong enough to ensure
consideration by the full House remains to be seen.
There is nothing in this bill that would engender any
serious opposition and its passage by a voice vote in Committee indicates that
it should receive substantial bipartisan support if it were to reach the floor.
That would seem to indicate that, if the bill were considered, it would
proceed under the suspension of the rules provisions with limited debate and no
floor amendments to be considered. This could allow the bill to be considered
even before the summer recess if the Committee report is published in time.
Commentary
The one major deficiency that I see in this bill is that it
does not include a specific definition of ‘cybersecurity’. This is especially
important in the energy sector due to its substantial dependence on a wide
variety of industrial control systems and increasing use of ‘smart technology’
based internet of things (IoT) devices at the delivery end of the systems.
I think that the crafters of this bill may be trying to rely on
the ‘all physical and cybersecurity threats’ language of §367(a)(1) to ensure that
control system and IoT security issues will be addressed, but considering the
congressional history of generally failing to address or even consider such
issues in crafting cybersecurity legislation, I think that is an inadequate
shortcut. What I am really afraid of is the possibility that the staffers that
wrote this bill did not even specifically intend to include control system or
IoT security concerns.
I was impressed by the Barton amendment’s inclusion of the ‘vulnerability’
language with respect to the cybersecurity requirements. Even today, a policy
wonk with little or no technical background could justifiably say that there is
no real cybersecurity threat to the energy infrastructure in this country
because there is no history of real, consequential attacks. The
addition of the word ‘vulnerabilities’ significantly obviates that argument.
Finally, the amount of money authorized for the grant
program, especially since it still includes energy efficiency programs, is
ludicrously small. That is especially true if the ‘all physical and
cybersecurity threats’ language is interpreted to include EMP and geomagnetic
issues (again the lack of definition issue). Given the current budget issues, I
suspect that this is all that is possible, but it is like providing funding for
umbrellas to protect people from hurricanes.