Monday, March 12, 2018

HR 5174 Introduced – DOE Cybersecurity Responsibilities


Last week Rep. Walberg (R,MI) introduced HR 5174, the Energy Emergency Leadership Act. The bill would generally set out the Department of Energy's responsibilities for energy emergency response and energy cybersecurity.

Responsibilities


The bill amends 42 USC 7133, which identifies the general functions of the eight Assistant Secretaries in the Department of Energy. It adds a twelfth activity: energy emergency and energy security functions. These include “responsibilities with respect to infrastructure, cybersecurity, emerging threats, supply, and emergency planning, coordination, response, and restoration” {§7133(a)(12)(A)}. This also encompasses responsibility for providing, upon request, “technical assistance, support, and response capabilities with respect to energy security threats, risks, and incidents” {§7133(a)(12)(B)} to State, local, or tribal governments or energy sector entities.

Moving Forward


This bill is currently scheduled for markup on Wednesday. Walberg’s cosponsor, Rep. Rush (D,IL), is the Ranking Member of the Energy Subcommittee to which this bill has been assigned for consideration. This almost certainly means that the bill will receive substantial bipartisan support in Wednesday’s markup, in future Energy and Commerce Committee proceedings, and probably on the floor of the whole House. There is nothing in this bill that would drive significant opposition.

Commentary


The one thing that is certainly missing from this bill is an effective definition of ‘cybersecurity’. Because of the nature and scope of DOE operations, the definition would clearly need to include operational technology and its attendant control systems. Again, this bill would be a good place to add the definitions that I have previously proposed (here for example). I would add a new paragraph (c):

(c) Definitions- In this chapter (42 USC Chapter 84, Department of Energy) the following definitions apply:

(1) The term ‘information system’ has the meaning given the term in section 3502 of title 44;

(2) The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes including but not limited to: energy production, transportation, access control, and facility environmental controls;

(3) The term ‘cybersecurity risk’ means:

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(4) The term ‘incident’ means an occurrence that actually or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

This would then require changing the word ‘cybersecurity’ in paragraph (12)(A) to ‘cybersecurity risk’. This would ensure that the assigned Assistant Secretary was focused on the risk to information systems and control systems, not on the mechanics of system security.
