Last month Sen. Gardner (R,CO) introduced S 2095, the Enhancing
Grid Security through Public-Private Partnerships Act. The bill would require
the Department of Energy (DOE) to establish a voluntary security program for
electric utilities and provide a report to Congress on cybersecurity of
electricity distribution systems. This bill is very similar to HR
359, which was ordered
favorably reported by the House Energy and Commerce Committee last month.
Differences in the Bills
There are a number of differences between the two bills.
Many of them are strictly structural; the definitions are in §2 of the Senate bill and
§5 of the House
bill. Others are editorial in nature; adding ‘of a State’ following ‘political
subdivision’ in the Senate version. These changes are of interest only to grammarians,
lawyers and judges.
Other changes are of more consequence. The senate bill does
not include the section on electricity interruption information that was
included as §4 in
the House bill. There are two changes (an addition and a deletion) to the
voluntary security program described in §3
of S 2095 (see below). Finally, the Senate bill adds a 1 year deadline for the
required report to Congress on cybersecurity and distribution systems.
Security Program
The security program in this bill was originally introduced
in HR
5240 in the 115th Congress. That program would have required DOE
to:
• Develop, and provide for
voluntary implementation of, maturity models, self-assessments, and auditing
methods for assessing the physical security and cybersecurity of electric
utilities;
• Provide training to electric utilities
to address and mitigate cybersecurity supply chain management risks;
• Increase opportunities for
sharing best practices and data collection within the electric sector;
• Assist with cybersecurity
training for electric utilities;
• Advance the cybersecurity of
third-party vendors that work in partnerships with electric utilities; and
• Provide technical assistance for
electric utilities subject to the program.
S 2095 modifies that program by removing the requirement for
DOE to assist with cybersecurity training. This bill would substitute a
requirement for DOE to “to assist with threat assessment and cybersecurity
training for electric utilities” {§3(a)(2)}.
Moving Forward
Neither Booker nor his single cosponsor {Sen. Bennet (D,CO)}
are members of the Senate Energy and Natural Resources Committee to which this
bill was assigned for consideration. With no representation on that Committee
it is unlikely that this bill will receive consideration.
The House version of the bill received bipartisan support in
the markup of the bill last month in the House Energy and Commerce Committee. I
suspect that this bill would also receive bipartisan support if it were
considered in Committee. The changes described above would have no significant
bearing on the support this bill would receive.
NOTE on HR 359
In my post on the introduction of HR 359 I noted that it
would be considered by the full House on January 11th, 2019 under
the suspension of the rules process. This had
been scheduled, along with the consideration of two other cybersecurity
bills, HR
360 and HR
370. None of those bills were considered.
It looked like the new Democratic leadership was going to
act quickly (if somewhat inadequately) on some critical infrastructure
cybersecurity measures. It did not happen for reason which have not been made
public. With that initial quick intent to pass these three cybersecurity bills,
it is odd that no action was taken in Committee until a subcommittee markup
(with no amendments) in May and full Committee markup in July.
The bipartisan support for these bills in Committee would
seem to indicate that the bills would easily pass in the House under the
suspension of the rule process. I would have thought that the initial pass on
considering these bills indicated that there was an intent to revise these
bills to include some sort of regulatory authority to insure that facilities complied
with the ‘voluntary measures’ included in the bill. The lack of amendments in
Committee would seem to indicate that the leadership has decided that such
cybersecurity mandates were not going to make it to the President’s desk.
I suspect that all three House bills will be considered by
the full House in September.
Posts
No comments:
Post a Comment