Definitions
Section 3 of the bill provides the working definitions for the
bill. Since this is a stand-alone bill (not amending existing legislation)
these definitions are very important. The terms include:
• Critical electric infrastructure information – uses the definition from
16 USC 824o-1 (incorrectly printed in the bill as ‘824a-1’);
• Cybersecurity – “means a set of
preventative measures to protect information from a digital device or system,
including a device or system used to manage the electric grid, from being
stolen, compromised, or used to carry out an attack” {§3(2)};
• Human factors research – “means
research on human performance in social and physical environments, and on the
integration of humans with physical systems and computer hardware and software”
{§3(5)};
• Human-machine interface – “means
technologies that present information to an operator about the state of a
process or system, or accept human instructions to implement an action,
including visualization displays such as a graphical user interface” {§3(6)}; and
• Transient devices – “means removable media,
including floppy disks, compact disks, USB flash drives, external hard drives,
mobile devices, and other devices that utilize wireless connections for limited
periods of time” {§3(8)}.
Energy Cybersecurity R&D
Section 4 of the bill requires the Secretary of Energy, in
coordination with a variety of federal, state and local agencies and private
sector groups, to “carry out a research, development, and demonstration
initiative to harden and mitigate the electric grid from the consequences of
cyber attacks by increasing the cybersecurity capabilities of the electricity
sector and accelerating the development of cybersecurity technologies and
tools” {§4(a)}. It specifically identifies responsibility to carry out
activities to {§4(b)}:
• Identify cybersecurity risks to
the communication and control systems within, and impacting, the electricity
sector;
• Develop methods and tools to rapidly
detect cyber intruders and cyber incidents, including the use of data analytics
techniques to validate and verify system behavior using multiple data streams reflecting
the state of the system;
• Assess emerging energy technology
cybersecurity capabilities, and integrate cybersecurity features and protocols
into the design, development, and deployment of emerging technologies,
including renewable energy technologies;
• Develop secure industrial control
system protocols and identify vulnerabilities in existing protocols;
• Improve the physical security of
communication technologies and industrial control systems, including remote
assets;
• Integrate human factors research
into the design and development of advanced tools and processes for dynamic
monitoring, detection, protection, mitigation, and response;
• Advance the capabilities and use
of relevant interdisciplinary mathematical and computer simulation modeling and
analysis methods;
• Evaluate and understand the
potential consequences of practices used to maintain the cybersecurity of
information technology systems on the cybersecurity of industrial control
systems;
• Increase access to and the
capabilities of existing cybersecurity test beds to simulate impacts of cyber-attacks
on industrial control system devices, components, software, and hardware; and
• Reduce the cost of implementing
effective cybersecurity technologies and tools in the electricity sector.
Additionally, the Energy Department is specifically tasked
with working “with manufacturers to build or retrofit security features and
protocols into” {§4(b)(5)}:
• Communication and network systems
and management processes;
• Industrial control and energy
management system devices, components, software, firmware, and hardware,
including distributed control and management systems and building management
systems;
• Data storage systems and data management
and analysis processes;
• Generation, transmission,
distribution, and energy storage technologies;
• Automated and manually controlled
devices and equipment for monitoring or managing frequency, voltage, and
current;
• Technologies used to synchronize
time and develop guidance for operational contingency plans when time
synchronization technologies are compromised;
• End user elements that connect to
the grid; and
• The supply chain of electric grid
management system components.
Technical Guidance and Standards
Section 5 of the bill addresses support activities required
by DOE and other federal agencies in developing and sharing technical guidance
documents and standards.
DOE is required to facilitate the updating of {§5(a)(1)}:
DOE is also required to develop voluntary guidance to
improve forensic analysis capabilities to include {§5(a)(2)}:
• Developing standardized
terminology and monitoring processes;
• Identifying minimum data needed;
• Utilizing human factors research
to develop more effective procedures for logging incident events; and
• Developing a mechanism to
anonymize, aggregate, and share the testing results from cybersecurity industrial
control system test beds to facilitate technology improvements by public and
private sector researchers.
DOE and the National Institute of Standards and Technology
(NIST) are tasked with developing voluntary, consensus-based standards to
improve cybersecurity for {§5(c)(1)}:
• Emerging energy technologies;
• Distributed generation and
storage technologies, and other distributed energy resources;
• Electric vehicles; and
• Other technologies and devices that connect to the electric grid that can
affect voltage stability.
Vulnerability Testing
Section 6 of the bill requires DOE to work with
owner/operators and the national laboratories to {§6(a)}:
• Utilize a range of methods,
including voluntary vulnerability testing and red team-blue team exercises, to
identify vulnerabilities in physical and cyber systems;
• Develop cybersecurity risk
assessment tools and provide confidential analyses and recommendations to
participating stakeholders;
• Work with stakeholders to develop
methods to share anonymized and aggregated results in a format that enables the
electricity sector, researchers, and the private sector to advance
cybersecurity efforts, technologies, and tools;
• Identify information, research,
staff training, and analysis tools needed to evaluate industrial control system
cybersecurity issues and challenges in the electricity sector; and
• Facilitate the sharing of information and the
development of tools needed to evaluate industrial control system cybersecurity
issues.
Appropriations
Section 11 of the bill provides the authorization for
spending money to support the various programs called for in this bill. It sets
the following annual authorization amounts:
• $65,000,000 for fiscal year 2018;
• $68,250,000 for fiscal year 2019;
• $71,662,500 for fiscal year 2020;
• $75,245,625 for fiscal year 2021; and
• $79,007,906 for fiscal year 2022.
Moving Forward
Bera is a member of the House Science, Space, and Technology
Committee to which the bill was assigned for primary consideration. His three
cosponsors are also influential Democrats on that Committee. This means that
there may be enough influence to have the bill be considered in Committee. The
one problem here is that there are no Republican cosponsors of the bill,
indicating a potential lack of bipartisan support.
Since no regulatory actions are included in (or authorized by)
the bill, the only thing that will draw any real opposition is the authorized
spending. Those monies will have to come from somewhere in the budget, and
probably from the DOE budget. With money already tight, this will be the major
stumbling block that the sponsors will have to overcome to see this bill
considered in Committee and moved to the floor of the House.
Commentary
The Committee Staff members that crafted this bill are to be
commended on developing a comprehensive energy sector cybersecurity bill. Section
2 of the bill, the Congressional Findings that support the need for the bill,
is one of the best non-technical descriptions of the cybersecurity problems
facing the electrical grid that I have seen. It includes an appropriately
nuanced attention to the differences between information and operational
technology and a realistic appreciation of the role of human factors in the
problem. Good job.
Having said that, there are a few shortcomings that need to
be addressed. The first is the issue of Critical Electric Infrastructure
Information (CEII), the controlled-but-unclassified information program that
protects information shared by the electric grid industry with the Department
of Energy. Throughout this bill there are numerous references rightfully
reiterating that the information shared by industry with DOE is protected from
public disclosure under this program.
There are multiple references in the bill to ‘aggregating
and anonymizing information’ as this is the key to ‘sharing’ the information
provided under the CEII program. Unfortunately, the federal government does a
poor job generally (and I suspect DOE specifically) of sanitizing and sharing
restricted information. This may not be a problem within the grid operation
community (I don’t have the information necessary to make the assessment), but
DOE does not play well with outsiders.
This is a problem here because large amounts of the ICS
cybersecurity research and development efforts outlined in the bill could have
enormous positive impacts on the remainder of the ICS community. DOE has no
incentive, nor even a mechanism, to share this valuable information outside of
their regulated community.
This problem is further compounded by the failure to specifically
name ICS-CERT among the federal agencies to be included in this development
effort. ICS-CERT is the only federal agency with a sole focus on the
cybersecurity of industrial control systems, and it already has the mechanisms in
place to share information with the remainder of the ICS security community.
The other major issue is the lack of attention to vulnerability
disclosure. The bill attempts to address the issue in §6, but it
only really looks at system testing at the facility level. While this is
certainly a valuable part of vulnerability testing, it ignores the much larger
issue of the cybersecurity testing of individual components of the control
systems done on a daily basis by independent security researchers and
relatively small research companies.
Congress needs to come up with a way to incentivize those
researchers to share their information with DOE instead of with the other
existing organizations that pay researchers for their identified
vulnerabilities and then provide the information to paying customers. DOE needs
to establish a coordinating mechanism so that vulnerability reports from
researchers are coordinated with the vendors and the mitigation measures are
reported to the user community. Or, the bill could simply recognize the already
existing mechanisms established by ICS-CERT and provide for priority disclosure
of vulnerabilities and their mitigations to grid operators (and establish a
mechanism for doing that).