Earlier this month Rep Latta (R,OH) introduced HR 5239, the Cyber Sense Act of 2018. The bill would require DOE to establish “a voluntary Cyber Sense program to identify and promote cyber-secure products intended for use in the bulk-power system” {§2(a)}. Similar provisions were included in §1106 of HR 8 in the 114th Congress (passed in the House, stalled in the Senate).
Cyber Sense Program
As I mentioned above, this bill has very similar requirements to establish and maintain a testing program “to identify products and technologies intended for use in the bulk-power system that are cyber-secure, including products relating to industrial control systems” {§2(b)(1)}. There are, however, three significant differences between this bill and the earlier §1106 provisions.
First, this bill removes the requirement for DOE to “promulgate regulations regarding vulnerability reporting processes for products tested and identified under the Cyber Sense program” that was found in §1106(b)(3). Both bills contain provisions requiring DOE to “establish and maintain cybersecurity vulnerability reporting processes and a related database” {(b)(2) in the respective sections}.
Second, this bill adds a requirement for DOE to “provide reasonable notice to the public, and solicit comments from the public, prior to establishing or revising the Cyber Sense testing process” {§2(b)(6)}.
Finally, in the disclosure protection paragraph, there are two changes. The first is structural: since the language in §1106(c) referred to the disclosure reporting regulations that are not included in HR 5239, the disclosure protection language now refers to the broader vulnerability reporting processes and database in §2(b)(2).
Second, the language specifically prohibiting disclosure under “section 552(b)(3) of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records” {§1106(c)} has been removed in the new bill.
Moving Forward
Both Latta and his co-sponsor, Rep McNerney (D,CA), are senior members of the Energy and Commerce Committee to which this bill was assigned for consideration. Thus, it would seem likely that they would have the influence necessary to have the bill considered by the Committee. There are no provisions in the bill that would draw the specific ire of the regulated community, so I suspect that there would be bipartisan support for this bill both in the Committee and before the full House.
Commentary
The vulnerability reporting requirements of the earlier bill were going to be problematic, because the regulated community has very little to do with the disclosure and reporting of vulnerabilities. Establishing effective regulations for vulnerability reporting would have to be targeted at either the independent researcher community (which is increasingly international in scope) or the manufacturers of the affected devices (which is very much international).
The earlier attempt to bring vulnerability reporting for Cyber Secure devices under the disclosure rules of the Critical Energy/Electric Infrastructure Information (CEII) program was doomed to failure. First, the CEII program only prohibits information disclosure by Federal, State and local government agencies (including, of course, FERC and NERC). It would not preclude independent researchers or vendors from releasing vulnerability information.
The interesting thing about the CEII provisions of both of these bills is that there might end up being unintended effects on ICS-CERT. A large portion of the devices that would likely be tested under the Cyber Sense program would also be used in control systems in other industries not directly affected by the CEII program. If ICS-CERT were notified by the operator of the Cyber Sense program (NERC?) of vulnerabilities reported under §2(b)(2), they would not be able to share that information under their normal alert/advisory publication program. Similarly, if ICS-CERT were to share information with the Cyber Sense program, it could be argued that they could not subsequently share that information with the wider industrial control system community.
What the program should be required to do instead of labeling the vulnerabilities as CEII would be to require notifications to be made to registered members of the bulk power industry and then, after a set period of time (two months?), the Cyber Sense operator would be required to notify ICS-CERT for general vulnerability publication for the remaining affected industries. Similarly, ICS-CERT would be required to check vulnerability disclosures to see if they involve Cyber Sense listed devices. If so, they would be required to first notify the Cyber Sense operator and withhold general industry notification for the same set period of time.