Last month Sen. Gardner (R,CO) introduced S 2095, the Enhancing
Grid Security through Public-Private Partnerships Act. The bill would require
the Department of Energy (DOE) to establish a voluntary security program for
electric utilities and provide a report to Congress on cybersecurity of
electricity distribution systems. This bill is very similar to HR 359, which was
ordered favorably reported by the House Energy and Commerce Committee last month.
Differences in the Bills
There are a number of differences between the two bills.
Many of them are strictly structural; the definitions are in §2 of the Senate bill
and §5 of the House
bill. Others are editorial in nature; adding ‘of a State’ following ‘political
subdivision’ in the Senate version. These changes are of interest only to grammarians,
lawyers and judges.
Other changes are of more consequence. The Senate bill does
not include the section on electricity interruption information that was
included as §4 in the House bill. There are two changes (an addition and a
deletion) to the voluntary security program described in §3 of S 2095 (see
below). Finally, the Senate bill adds a 1-year deadline for the
required report to Congress on cybersecurity and distribution systems.
Security Program
The security program in this bill was originally introduced
in HR 5240 in the 115th Congress. That program would have required DOE to:
• Develop, and provide for
voluntary implementation of, maturity models, self-assessments, and auditing
methods for assessing the physical security and cybersecurity of electric
utilities;
• Provide training to electric utilities
to address and mitigate cybersecurity supply chain management risks;
• Increase opportunities for
sharing best practices and data collection within the electric sector;
• Assist with cybersecurity
training for electric utilities;
• Advance the cybersecurity of
third-party vendors that work in partnerships with electric utilities; and
• Provide technical assistance for
electric utilities subject to the program.
S 2095 modifies that program by removing the requirement for
DOE to assist with cybersecurity training. This bill would substitute a
requirement for DOE “to assist with threat assessment and cybersecurity
training for electric utilities” {§3(a)(2)}.
Moving Forward
Neither Booker nor his single cosponsor {Sen. Bennet (D,CO)}
is a member of the Senate Energy and Natural Resources Committee to which this
bill was assigned for consideration. With no representation on that Committee,
it is unlikely that this bill will receive consideration.
The House version of the bill received bipartisan support in
the markup of the bill last month in the House Energy and Commerce Committee. I
suspect that this bill would also receive bipartisan support if it were
considered in Committee. The changes described above would have no significant
bearing on the support this bill would receive.
NOTE on HR 359
In my post on the introduction of HR 359 I noted that it
would be considered by the full House on January 11th, 2019 under
the suspension of the rules process. This had
been scheduled, along with the consideration of two other cybersecurity
bills, HR 360 and HR 370. None of those bills were considered.
It looked like the new Democratic leadership was going to
act quickly (if somewhat inadequately) on some critical infrastructure
cybersecurity measures. It did not happen, for reasons which have not been made
public. With that initial quick intent to pass these three cybersecurity bills,
it is odd that no action was taken in Committee until a subcommittee markup
(with no amendments) in May and full Committee markup in July.
The bipartisan support for these bills in Committee would
seem to indicate that the bills would easily pass in the House under the
suspension of the rules process. I would have thought that the initial pass on
considering these bills indicated that there was an intent to revise these
bills to include some sort of regulatory authority to ensure that facilities complied
with the ‘voluntary measures’ included in the bill. The lack of amendments in
Committee would seem to indicate that the leadership has decided that such
cybersecurity mandates were not going to make it to the President’s desk.
I suspect that all three House bills will be considered by
the full House in September.