Tuesday, February 5, 2019

HR 680 Introduced – Energy Sector Security

Last month Rep. Ruppersberger (D,MD) introduced HR 680, the Securing Energy Infrastructure Act. This is a companion bill to S 174 that I discussed yesterday. Ruppersberger introduced a similar bill last session (HR 3958), but no action was taken on that earlier bill.

Moving Forward

Neither Ruppersberger nor his single cosponsor {Rep. Carter (R,TX)} is a member of the House Science, Space, and Technology Committee to which this bill was assigned for consideration. This means that the bill is unlikely to receive consideration in that Committee unless additional sponsors sign on. As I mentioned yesterday, this study and report bill is unlikely to attract serious opposition other than the fact that it would require the appropriation of $11.5 million.

Interestingly, both Ruppersberger and Carter are on the House Appropriations Committee. That Committee has not been assigned consideration of the bill, but their bipartisan support could help alleviate concerns about the spending aspects of this bill if it were to make it to the floor of the House. Unfortunately, neither is on the Energy and Water Development, and Related Agencies Subcommittee, which controls appropriations for DOE.


Yesterday, in a LinkedIn comment on my S 174 post, Kenneth Crowther made the comment that “I hope when they ... ‘discover new classes of vulnerabilities’ they have a plan for responsible disclosure to the vendor...” Unfortunately, there is nothing in the legislation that would require the pilot program to effect coordinated disclosures. It would certainly hamper the effort to increase grid security if they did not.

Crowther’s point is well taken, and I would suggest that language be added to §3 of both bills to require that vulnerabilities detected during the program be coordinated with the appropriate vendors via the DHS NCCIC-ICS. More importantly, that language should include provisions for delayed public disclosure of the vulnerabilities while secure disclosure is made to utilities after vendors have developed adequate mitigation measures. Here is how that language could read:

(b) Coordinated Disclosure

(1) Any vulnerabilities identified during the pilot program will be reported to vendors in coordination with the industrial control system team at the National Cybersecurity & Communications Integration Center (NCCIC-ICS) in the Department of Homeland Security;

(2) Once a vendor provides NCCIC-ICS with notification that appropriate mitigation measures have been developed, NCCIC-ICS would provide limited disclosure of the vulnerability through the Electricity Sector - Information Sharing and Analysis Center (ES-ISAC);

(3) Ninety days after the ES-ISAC is notified, the NCCIC-ICS will provide public notification of the vulnerability; and

(4) If a vendor has not provided a reasonable schedule for mitigation of the reported vulnerabilities within 45 days of initial notification of the vulnerability by NCCIC-ICS, NCCIC-ICS will prepare an alert about the vulnerability and publish that report in accordance with (2) and (3) above.
