Not a Markup Hearing

Well, it turns out that the Energy Subcommittee hearing on the four DOE emergency response and security bills is not a mark-up hearing after all. Last night the witness list was announced, so it seems as if this will be an information gathering hearing with a possible mark-up at some later date.

Updated Hearing Information

The witness list includes:

• Mark Menezes, US Department of Energy;

• Scott Aaronson, Edison Electric Institute;

• Mark Engels, Dominion Energy;

• Kyle Pitsor, National Electrical Manufacturers Association;

• Zachary Tudor, Idaho National Laboratory; and

• Tristan Vance, Indiana Office of Energy Development

The links provided above are to the witness testimony that will be presented at tomorrow’s hearing. The Sub-Committee staff has also produced a background document for the meeting.

Interesting Info in Testimony

Menezes notes that (pg 1):

“To demonstrate our focus on the aforementioned mission [to protect the Nation’s critical energy infrastructure from physical security events, natural and man-made disasters, and cybersecurity threats], the Secretary announced last month that he is establishing an Office of Cybersecurity, Energy Security, and Emergency Response (CESER). This organizational change will strengthen the Department’s role as the Sector-Specific Agency (SSA) for Energy Sector Cybersecurity, supporting our national security responsibilities.”

Menezes also notes that (pg 6):

“Advancing the ability to improve situational awareness of OT networks is a key focus of DOE’s current activities. The Department is currently in the early stages of taking the lessons learned from CRISP and developing an analogous capability for threat detection on OT networks via the Cybersecurity for the Operational Technology Environment (CYOTE) pilot project. Observing anomalous traffic on networks – and having the ability to store and retrieve network traffic from the recent past – can be the first step in stopping an attack in its early stages.”

Engels notes that (pg 3):

“A more expedient [coordinating security activities of DOT and TSA] approach may be to encourage a Memo of Understanding (MOU)between DOE and TSA that outlines roles and responsibilities for dealing with cyber and physical security for the ONG sector. TSA already has an MOU with the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) which has responsibility for pipeline safety. Depending on the type of event, the TSA/DOT MOU has been critical in helping operators understand which Federal entity is the lead agency.”

Engels also notes that (pg 8):

“In 2016, TSA, again working with asset owners, industry associations, and the Department of Homeland Security’s Industrial Control System’s Cyber Emergency Response Team (DHS ICS-CERT), gathered input to update the Guidelines using the National Institute of Standards and Technology’s (NIST) Cyber Security Framework as a model. The updated [Pipeline Security] Guidelines are scheduled for release in the first half of 2018. Industry also provided input to augment the set of cybersecurity questions used in the Corporate Security Reviews (CSR) conducted by TSA.”

Engels also notes that (pgs 12-13):

“INL has undertaken several initiatives to stand up test environments for Industrial Control Systems (ICS). One such initiative was called RENDER (Risk Evaluation Nexus for Digital Age Energy Reliability). RENDER created a three way sharing arrangement involving the lab, the vendor and the asset owner. Previous projects excluded the asset owner from the equation, creating uncertainty associated with remediation of the vulnerabilities identified by INL. With RENDER, the asset owner not only could see what vulnerabilities were discovered, but provide input to the vendor about how critical or not the vulnerability was to the asset owner. This allowed the vendor to prioritize corrections that made the most sense to the asset owners.”

Tudor notes that (pg 4):

“INL developed and completed an initial pilot study of our proprietary Consequence driven, Cyber-informed Engineering (CCE) methodology with Florida Power and Light (FPL) through a Cooperative Research and Development Agreement (CRADA). CCE was developed to address the realization that constantly “chasing” threats and vulnerabilities, rather than getting ahead of these problems, is not sufficient to secure our critical systems. CCE is designed to assist asset owners in understanding the most effective and immediate actions they can take to eliminate the opportunity of the “worst-case” cyber-physical impacts from an attack by the most capable cyber adversaries. CCE leverages an organization’s knowledge and experiences with their systems and processes to “engineer out” the potential for the highest consequence events.”

This could be an interesting hearing.