HR 3163 Reported in House – FY 2020 THUD Spending

Earlier this week Rep. Price (D,NC) introduced HR 3163, the Transportation, Housing and Urban Development, and Related Agencies (THUD) Appropriations Act, 2020. The House Appropriations Committee also published their Report on the bill. There are lots of interesting provisions in the bill as well as some important discussions in the Report.

Control System Security

Section 195 (pgs 103-4) of the bill would prohibit DOT from issuing grants “to entities that do not comply with practices for control system procurement recommended by the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center” {§195(a)} This overly broad language does include an escape clause whereby the Secretary can waive the requirement when it “would be inconsistent with the public interest” {§195(b)(1)}.

The Report address the cybersecurity of a specific type of control system; Positive Train Control (PTC). On page 54 the Committee urges the Federal Railroad Administration (FRA) “to establish enhanced cyber security methods, standards, and best practices for PTC systems and future versions of this technology”.

Automated Transportation Systems

Section 106 of the bill would establish, within the Office of the Secretary, a Highly Automated Systems Safety Center of Excellence. The HASSCE would {§106(b)}:

• Serve as a single place within the Department of Transportation for expertise in automation and human behavior, computer science, machine learning, sensors, and other technologies involving automated systems;

• Support all Operating Administrations of the Department of Transportation; and

• Have a workforce composed of Department of Transportation employees, including direct hires or detailees from Operating [Modal] Administrations.

Employees of HASSCE would “audit, inspect, and certify highly automated systems to ensure their safety” {§106(c)}.

There is additional discussion of the role of HASSCE in the Report (pg 11). The role of the National Highway Transportation Safety Administration in the regulation of automated vehicles is addressed in pages 41 thru 42 of the Report.

Liquified Natural Gas by Rail

On page 53 of the Report the Committee ‘provides’ $2.5 million for “FRA to research and mitigate risks associated with the transportation of crude oil, ethanol, liquefied natural gas (LNG)”. That paragraph goes on to direct FRA and the Pipeline and Hazardous Material Safety Administration (PHMSA) “to continue to support cooperative research on the safe use of LNG in these applications [locomotive fuel and bulk rail transport] which could inform the development of new regulations”.

Page 75 provides a more detailed discussion of LNG by rail rulemaking being pursued by PHMSA. It directs PHMSA to fund a study by National Academies of Sciences, Engineering, and Medicine on the transportation of LNG by rail. The study would address multiple transportation scenarios and look at:

• Release events;

• Hazards when a spill is coupled with an ignition source;

• Leak detection;

• Impacted geographic areas;

• Route terrain challenges; and

• Emergency and first responder training and notification

The Report provides additional discussion of that last item, training, on pg 78. There the Committee “directs PHMSA to enhance its training curriculum for local emergency responders to account for LNG facilities and the transportation of LNG in rail tank cars.”

Commentary

It is odd that the Bill and the Committee Report both specifically address cybersecurity issues with transportation control systems, but then fail to address cybersecurity issues in their discussions of the HASSCE. While early discussions in DOT about highly automated driving systems did at least mention cybersecurity issues, there has been a glaring lack of such language in recent DOT rulemaking processes. Congress must insist that DOT include cybersecurity oversight in its regulation of automated driving systems. And it would have seemed to me that the language in §106 would have been an ideal place to do so.

With that in mind, I would like to suggest the following two changes to provisions within §106:

Revise §106(b)(1) to read:

(1) serve as a single place within the Department of Transportation for expertise in automation and human behavior, computer science, machine learning, sensors, cybersecurity, and other technologies involving automated systems;

Revise §106(c) to read:

(c) Employees of the Highly Automated Systems Safety Center of Excellence shall audit, inspect, and certify highly automated systems to ensure their safety and cybersecurity.

With regards to the control system supply chain security requirements of §195, the only recommended practices document that I can find on the CISA web site is the 2009 “Department of Homeland Security: Cyber Security Procurement Language for Control Systems”.

I am not sure how DOT would go about ensuring that those guidelines are being followed by organizations requesting various Transportation Department grants. Or, even more broadly, how they would determine what organizations would have control systems that would be covered by those recommendations.