Earlier this month Sen Cantwell (D,WA) introduced S 2444,
the Energy Cybersecurity Act of 2018. It would require the Department of Energy
to address electric grid cybersecurity, resiliency and risk assessment issues.
Cybersecurity
Section 3(a) would require the Secretary to address energy
sector cybersecurity issues. It would require DOE to develop cybersecurity
applications and technologies to {§3(a)(1)(A)}:
• Identify and mitigate vulnerabilities; and
• Advance the security of field devices and third-party control systems.
The vulnerabilities that are required to be addressed
specifically include {§3(a)(1)(A)(i)}:
• Dependencies on other critical infrastructure; and
• Impacts from weather and fuel supply.
The security advances would specifically include devices and
systems such as {§3(a)(1)(A)(ii)}:
• Systems for generation, transmission, distribution, end use, and market functions;
• Specific electric grid elements including advanced metering, demand response, distributed generation, and electricity storage;
• Forensic analysis of infected systems; and
• Secure communications.
The bill would authorize the expenditure of $65 million per
year through 2026 for these efforts.
Cyberresilience Testing
Section 3(b) of the bill would require the Secretary to
develop a cyberresilience testing program “to identify vulnerabilities of energy
sector supply chain products to known threats” {§3(b)(1)(A)}. The program would include oversight of third-party
cyber-testing and developing procurement guidelines for energy sector supply
chain components. The bill would authorize the expenditure of $15 million per
year for this program.
Cyberresilience Operational Support
Section 3(c) of the bill would allow the Secretary to carry
out a program to {§3(c)(1)}:
• Enhance and periodically test the emergency response capabilities of the Department in coordination with other agencies, the National Laboratories, and private industry;
• Expand cooperation of the Department with the intelligence communities for energy sector-related threat collection and analysis;
• Enhance the tools of the Department and ES–ISAC for monitoring the status of the energy sector;
• Expand industry participation in ES–ISAC; and
• Provide technical assistance to small electric utilities for purposes of assessing cyber-maturity level.
The bill would authorize the expenditure of $10 million per
year for these activities.
Energy Sector Infrastructure Risk
Section 3(d) of the bill would require the Secretary to “develop
an advanced energy security program to secure energy networks, including
electric, natural gas, and oil exploration, transmission, and delivery” {§3(d)(1)}. The goal of
the program would be “to increase the functional preservation of the electric
grid operations or natural gas and oil operations in the face of natural and
human-made threats and hazards, including electric magnetic pulse and
geomagnetic disturbances” {§3(d)(2)}.
To support this effort the Secretary would be allowed to {§3(d)(3)}:
• Develop capabilities to identify vulnerabilities and critical components that pose major risks to grid security if destroyed or impaired;
• Provide modeling at the national level to predict impacts from natural or human-made events;
• Develop a maturity model for physical security and cybersecurity;
• Conduct exercises and assessments to identify and mitigate vulnerabilities to the electric grid, including providing mitigation recommendations;
• Conduct research on hardening solutions for critical components of the electric grid;
• Conduct research on mitigation and recovery solutions for critical components of the electric grid; and
• Provide technical assistance to States and other entities for standards and risk analysis.
The bill would authorize the expenditure of $10 million per
year to support these activities.
Moving Forward
Cantwell is the Ranking Member on the Senate Energy and Natural
Resources Committee to which this bill was assigned for consideration. This
would seem to indicate that she could have the necessary influence to see this
bill considered by that Committee. The lack of a Republican co-sponsor,
however, may indicate the lack of bipartisan support necessary to see the bill
moved out of Committee.
The big stumbling block to moving this bill forward is the
inclusion of funding authorization for the programs described in the bill.
While the amounts authorized are small on the federal money scale, under Senate
rules they would still have to come out of existing funding. If Cantwell can
identify funding sources for this bill, it would make moving the bill forward
much easier.
Commentary
Section 2 of the bill does provide definitions of some of
the organization terms used in the bill, but it does not address any of the
technical definitions of terms like ‘cybersecurity’ or ‘cyberresilience’. I suspect
that this was done to provide the Secretary with the widest possible latitude
in exercising authority under this legislation. Unfortunately, I think that
this actually has the opposite effect, actually limiting what actions are taken.
As I am with most pieces of cybersecurity legislation that I
review, I am disappointed that Cantwell (and her Committee Staff who actually
crafted this bill) fails to address the role of independent security
researchers in discovering vulnerabilities in software and devices. Section
3(b) of this bill would have been an excellent place to address this issue.
Instead of establishing a “cybertesting (sic) and mitigation
program to identify vulnerabilities of energy sector supply chain products” the
bill should have established an office in the DOE responsible for the
identification and coordination of cyber-vulnerability mitigation in devices
and applications used in the energy sector. While this is very similar to what
ICS-CERT is currently doing on a voluntary basis for a much wider range of
devices, a DOE-CERT would be given the specific responsibility to push
vulnerability communications down to covered user-entities. Positive vendor responses
to vulnerability identification could be ensured by DOE-CERT requiring covered
user-entities to take specific compensatory measures when vendors cannot or
will not mitigate vulnerabilities. A DOE-CERT could also provide support to the
independent researcher community by managing a DOE bug bounty program.
Finally, I would have liked to have seen this bill
specifically address supporting {in §3(c)}
National Guard cyber units in preparing for emergency response for cyber
related grid emergencies. This would be particularly appropriate for grid
emergencies that cross State boundaries. A DOE resiliency office could serve as a
coordinating office for multi-state planning and execution of responses to grid
emergencies. This non-military coordination would provide political and legal
cover for posse comitatus concerns.