Monday, October 30, 2017

HR 4120 Introduced – ICS Research

On Wednesday Rep. Bera (D,CA) introduced HR 4120, the Grid Cybersecurity Research and Development Act. The bill would provide for a comprehensive interdisciplinary research and development initiative to strengthen the capacity of the electricity sector to neutralize cyberattacks.


Section 3 of the bill provides the working definitions for the bill. Since this is a stand-alone bill (not amending existing legislation) these definitions are very important. The terms include:

• Critical electric infrastructure information – uses definition from 16 USC 824o-1 (incorrectly printed in the bill as ‘824a-1’);
• Cybersecurity – “means a set of preventative measures to protect information from a digital device or system, including a device or system used to manage the electric grid, from being stolen, compromised, or used to carry out an attack” {§3(2)};
• Human factors research – “means research on human performance in social and physical environments, and on the integration of humans with physical systems and computer hardware and software” {§3(5)};
• Human-machine interface – “means technologies that present information to an operator about the state of a process or system, or accept human instructions to implement an action, including visualization displays such as a graphical user interface” {§3(6)}; and
• Transient devices – “means removable media, including floppy disks, compact disks, USB flash drives, external hard drives, mobile devices, and other devices that utilize wireless connections for limited periods of time” {§3(8)}.

Energy Cybersecurity R&D

Section 4 of the bill requires the Secretary of Energy, in coordination with a variety of federal, state and local agencies and private sector groups, to “carry out a research, development, and demonstration initiative to harden and mitigate the electric grid from the consequences of cyber attacks by increasing the cybersecurity capabilities of the electricity sector and accelerating the development of cybersecurity technologies and tools” {§4(a)}. It specifically identifies responsibility to carry out activities to {§4(b)}:

• Identify cybersecurity risks to the communication and control systems within, and impacting, the electricity sector;
• Develop methods and tools to rapidly detect cyber intruders and cyber incidents, including the use of data analytics techniques to validate and verify system behavior using multiple data streams reflecting the state of the system;
• Assess emerging energy technology cybersecurity capabilities, and integrate cybersecurity features and protocols into the design, development, and deployment of emerging technologies, including renewable energy technologies;
• Develop secure industrial control system protocols and identify vulnerabilities in existing protocols;
• Improve the physical security of communication technologies and industrial control systems, including remote assets;
• Integrate human factors research into the design and development of advanced tools and processes for dynamic monitoring, detection, protection, mitigation, and response;
• Advance the capabilities and use of relevant interdisciplinary mathematical and computer simulation modeling and analysis methods;
• Evaluate and understand the potential consequences of practices used to maintain the cybersecurity of information technology systems on the cybersecurity of industrial control systems;
• Increase access to and the capabilities of existing cybersecurity test beds to simulate impacts of cyber-attacks on industrial control system devices, components, software, and hardware; and
• Reduce the cost of implementing effective cybersecurity technologies and tools in the electricity sector.

Additionally, the Energy Department is specifically tasked with working “with manufacturers to build or retrofit security features and protocols into” {§4(b)(5)}:

• Communication and network systems and management processes;
• Industrial control and energy management system devices, components, software, firmware, and hardware, including distributed control and management systems and building management systems;
• Data storage systems and data management and analysis processes;
• Generation, transmission, distribution, and energy storage technologies;
• Automated and manually controlled devices and equipment for monitoring or managing frequency, voltage, and current;
• Technologies used to synchronize time and develop guidance for operational contingency plans when time synchronization technologies are compromised;
• End user elements that connect to the grid; and
• The supply chain of electric grid management system components.

Technical Guidance and Standards

Section 5 of the bill addresses support activities required by DOE and other federal agencies in developing and sharing technical guidance documents and standards.

DOE is required to facilitate the updating of {§5(a)(1)}:

DOE is also required to develop voluntary guidance to improve forensic analysis capabilities to include {§5(a)(2)}:

• Developing standardized terminology and monitoring processes;
• Identifying minimum data needed;
• Utilizing human factors research to develop more effective procedures for logging incident events; and
• Developing a mechanism to anonymize, aggregate, and share the testing results from cybersecurity industrial control system test beds to facilitate technology improvements by public and private sector researchers.

DOE and the National Institute of Standards and Technology (NIST) are tasked with developing voluntary, consensus-based standards to improve cybersecurity for {§5(c)(1)}:

• Emerging energy technologies;
• Distributed generation and storage technologies, and other distributed energy resources;
• Electric vehicles; and other technologies and devices that connect to the electric grid that can affect voltage stability.

Vulnerability Testing

Section 6 of the bill requires DOE to work with owner/operators and the national laboratories to {§6(a)}:

• Utilize a range of methods, including voluntary vulnerability testing and red team-blue team exercises, to identify vulnerabilities in physical and cyber systems;
• Develop cybersecurity risk assessment tools and provide confidential analyses and recommendations to participating stakeholders;
• Work with stakeholders to develop methods to share anonymized and aggregated results in a format that enables the electricity sector, researchers, and the private sector to advance cybersecurity efforts, technologies, and tools;
• Identify information, research, staff training, and analysis tools needed to evaluate industrial control system cybersecurity issues and challenges in the electricity sector; and
• Facilitate the sharing of information and the development of tools needed to evaluate industrial control system cybersecurity issues.


Section 11 of the bill provides the authorization for spending money to support the various programs called for in this bill. It sets the following annual authorization amounts:

• $65,000,000 for fiscal year 2018;
• $68,250,000 for fiscal year 2019;
• $71,662,500 for fiscal year 2020;
• $75,245,625 for fiscal year 2021; and
• $79,007,906 for fiscal year 2022.

Moving Forward

Bera is a member of the House Science, Space, and Technology Committee to which the bill was assigned for primary consideration. His three cosponsors are also influential Democrats on that Committee. This means that there may be enough influence to have the bill be considered in Committee. The one problem here is that there are no Republican cosponsors of the bill, indicating a potential lack of bipartisan support.

Since no regulatory actions are included (or authorized) by the bill the only thing that will draw any real opposition is the authorized spending. Those monies will have to come from somewhere in the budget and probably from the DOE budget. With money already tight, this will be the major stumbling block that the sponsors will have to overcome to see this bill considered in Committee and move it to the floor of the House.


The Committee Staff members that crafted this bill are to be commended on developing a comprehensive energy sector cybersecurity bill. Section 2 of the bill, the Congressional Findings that support the need for the bill, is one of the best non-technical descriptions of the cybersecurity problems facing the electrical grid that I have seen. It includes an appropriately nuanced attention to the differences between information and operational technology and a realistic appreciation of the role of human factors in the problem. Good job.

Having said that, there are a few shortcomings that need to be addressed. The first is the issue of Critical Electric Infrastructure Information (CEII), the controlled but unclassified information system protecting information shared by the electric grid industry and the Department of Energy. Throughout this bill there are numerous references rightfully reiterating that the information shared by industry with DOE is protected from public disclosure under this program.

There are multiple references in the bill to ‘aggregating and anonymizing information’ as this is the key to ‘sharing’ the information provided under the CEII program. Unfortunately, the federal government does a poor job generally (and I suspect DOE specifically) of sanitizing and sharing restricted information. This may not be a problem within the grid operation community (I don’t have the information necessary to make the assessment), but DOE does not play well with outsiders.

This is a problem here because large amounts of the ICS cybersecurity research and development efforts outlined in the bill could have enormous positive impacts on the remainder of the ICS community. DOE has no incentive, nor even a mechanism, to share this valuable information outside of their regulated community.

This problem is further compounded by the failure to specifically include ICS-CERT in the federal agencies to be included in this development effort. ICS-CERT is the only federal agency with the sole focus on the cybersecurity of industrial control systems. And they have the mechanisms in place to share information with the remainder of the ICS security community.

The other major issue is the lack of attention to the issue of vulnerability disclosures. The bill attempts to address the issue in §6 of the bill, but it only really looks at system testing at the facility level. While this is certainly a valuable part of vulnerability testing, it ignores the much larger issue of the cybersecurity testing of individual components of the control systems done on a daily basis by independent security researchers and relatively small research companies.

Congress needs to come up with a way to incentivize those researchers to share their information with DOE instead of with the other existing organizations that pay researchers for their identified vulnerabilities and then provide the information to paying customers. DOE needs to establish a coordinating mechanism so that vulnerability reports from researchers are coordinated with the vendors and the mitigation measures are reported to the user community. OR the bill could just recognize the already existing mechanisms established by ICS-CERT and provide for priority disclosure of vulnerabilities and their mitigations to grid operators (and establishing a mechanism for doing that).
