Last month Rep. Ruppersberger (D,MD) introduced HR 680, the Securing
Energy Infrastructure Act. This is a companion bill to S 174 that I
discussed yesterday. Ruppersberger introduced a similar bill last session (HR
3958), but no action was taken on that earlier bill.
Moving Forward
Neither Ruppersberger nor his single cosponsor, Rep. Carter (R,TX), is a member of the House Science, Space, and Technology Committee to which this bill was assigned for consideration. This means that the bill is unlikely to receive consideration in that Committee unless additional cosponsors sign on. As I mentioned yesterday, this study-and-report bill is unlikely to attract serious opposition beyond the fact that it would require the appropriation of $11.5 million.
Interestingly, both Ruppersberger and Carter are on the House Appropriations Committee. That Committee has not been assigned consideration of the bill, but their bipartisan support could help alleviate concerns about the spending aspects of this bill if it were to make it to the floor of the House. Unfortunately, neither is on the Energy and Water Development, and Related Agencies Subcommittee, which controls appropriations for DOE.
Commentary
Yesterday, in a LinkedIn comment on my S 174 post, Kenneth Crowther made the comment that “I hope when they ... ‘discover new classes of vulnerabilities’ they have a plan for responsible disclosure to the vendor...” Unfortunately, there is nothing in the legislation that would require the pilot program to effect coordinated disclosures. It would certainly hamper the effort to increase grid security if they did not.
Crowther’s point is well taken, and I would suggest that language be added to §3 of both bills to require that vulnerabilities detected during the program be coordinated with the appropriate vendors via the DHS NCCIC-ICS. More importantly, that language should include provisions for delayed public disclosure of the vulnerabilities: limited disclosure to utilities through a secure channel once vendors have developed adequate mitigation measures, with public disclosure following later. Here is how that language could read:
(b) Coordinated Disclosure
(1) Any vulnerabilities identified during the pilot program will be reported to vendors in coordination with the industrial control system team at the National Cybersecurity & Communications Integration Center (NCCIC-ICS) in the Department of Homeland Security;
(2) Once a vendor provides NCCIC-ICS with notification that appropriate mitigation measures have been developed, NCCIC-ICS will provide limited disclosure of the vulnerability through the Electricity Sector - Information Sharing and Analysis Center (ES-ISAC);
(3) Ninety days after the ES-ISAC is notified, NCCIC-ICS will provide public notification of the vulnerability; and
(4) If a vendor has not provided a reasonable schedule for mitigation of the reported vulnerabilities within 45 days of initial notification of the vulnerability by NCCIC-ICS, NCCIC-ICS will prepare an alert about the vulnerability and publish that alert in accordance with (2) and (3) above.