Last month Sen. Murkowski (R,AK) introduced the Protecting
Resources on the Electric Grid with Cybersecurity Technology (PROTECT) Act of
2019. The bill would provide energy cybersecurity investment incentives.
Incentives
Section 2 of the bill would amend the Federal Power Act (16
USC Chapter 12) by adding a new §219A, Incentives for Cybersecurity
Investments. The new section begins by defining two new terms {new §219A(a)}:
• Advanced Cybersecurity Technology – any technology,
operational capability, or service, including computer hardware, software, or a
related asset, that enhances the security posture of public utilities through
improvements in the ability to protect against, detect, respond to, or recover from
a cybersecurity threat (as defined in 6 USC 1501).
• Advanced Cybersecurity Technology Information –
information relating to advanced cybersecurity technology or proposed advanced
cybersecurity technology that is generated by or provided to the Commission or
another Federal agency.
Subsection (b) would require the Federal Energy Regulatory
Commission (FERC) to “conduct a study to identify incentive-based, including
performance-based, rate treatments for the transmission of electric energy
subject to the jurisdiction of the Commission that could be used to encourage”:
• Investment by public utilities in advanced
cybersecurity technology; and
• Participation by public utilities in cybersecurity
threat information sharing programs.
Subsection (c) would require FERC to establish a rule
providing for “incentive-based, including performance-based, rate treatments
for the transmission of electric energy in interstate commerce by public
utilities for the purpose of benefitting consumers by encouraging” the same
investments and participation described above. FERC may also include in that
rulemaking additional incentives for {§219A(d)}:
• Defense critical electric infrastructure (as defined
in section 215A(a)) and other facilities subject to the jurisdiction of the
Commission that are critical to public safety, national defense, or homeland
security, as determined by the Commission; and
• Facilities of small- or medium-sized public utilities
with limited cybersecurity resources, as determined by the Commission.
Subsection (g) would provide protection against disclosure
of advanced “cybersecurity technology information that is provided to,
generated by, or collected by the Federal Government under subsection (b), (c),
or (f)” by considering the information to be critical electric infrastructure
information (CEII) under 16
USC 824o-1.
Grant Program
Section 3 of the bill would require the Department of Energy
to establish the Rural and Municipal Utility Advanced Cybersecurity Grant and
Technical Assistance Program to “provide grants and technical assistance to,
and enter into cooperative agreements with, eligible entities to protect
against, detect, respond to, and recover from cybersecurity threats” {§3(b)}.
The following types of entities would be eligible to apply for such grants or
assistance {§3(a)}:
• A rural electric cooperative;
• A utility owned by a political subdivision of a
State, such as a municipally owned electric utility;
• A utility owned by any agency, authority,
corporation, or instrumentality of one or more political subdivisions of a
State; and
• A not-for-profit entity that is in a partnership
with not fewer than 6 entities described in subparagraph (A), (B), or (C).
DOE would be required to prioritize grants and technical
assistance by giving priority to an eligible entity that, as determined by the
Secretary {§3(d)(2)}:
• Has limited cybersecurity resources;
• Owns assets critical to the reliability of the bulk
power system; or
• Owns defense critical electric infrastructure (as
defined in 16 USC 824o-1(a)).
The bill would authorize $50 million per year for the next
four years for this grant/assistance program.
Information provided to FERC or collected by FERC under this
program would be protected from public disclosure, but would not specifically
be considered CEII.
Moving Forward
Murkowski is the Chair of the Senate Energy and Natural
Resources Committee to which this bill is assigned for consideration. Her
cosponsors include Sen. Manchin (D,WV) who is the Ranking member of the
Committee, and three other influential members of the Committee. This bill will
almost certainly be considered in Committee and the bipartisan sponsorship
would seem to indicate that the bill will receive significant bipartisan
support in the Committee.
The big problem facing this bill is getting it to the Senate
floor for consideration. There is just too much going on during the remainder
of the year for this to be considered under the normal process. I do not
suspect that this will be able to be considered under the unanimous consent
process; too many Senators would see this bill as an ideal vehicle to add their
own pet energy projects.
There may be a relatively short window next year that this
bill could be considered before the election silly season gets into full swing.
Commentary
I am glad to see that Murkowski’s staff used the §1501
definition of ‘cybersecurity threat’ in their definition of ‘advanced
cybersecurity technology’ since that definition relies on the ICS inclusive definition
of ‘information system’. Having said that, the definition of ‘cybersecurity
threat’ is still grossly lacking when it comes to energy system security since
it relies on the IT triad of “availability, confidentiality, or integrity of an
information system”. It does not specifically address the potential physical consequences
of a cyber-attack on electric grid cyber assets.
I have addressed this definitional issue in some detail. Unfortunately, I doubt
that my entire proposed solution will be attempted in this bill. Instead I
would suggest the addition of the below listed definitions and the deletion of
the reference to §1501 in the existing definition.
(5) the term ‘control system’
means a discrete set of information resources, sensors, communications
interfaces and physical devices organized to monitor, control and/or report on
physical processes, including power production, electric transmission or
distribution, access control, and facility environmental controls;
(6) the term ‘cybersecurity
threat’ means:
(A) threats to and
vulnerabilities of information, information systems, or control systems and any
related consequences caused by or resulting from unauthorized access, use,
disclosure, degradation, disruption, modification, or destruction of such
information, information systems, or control systems, including such related
consequences caused by an act of terrorism; and
(B) does not include any action
that solely involves a violation of a consumer term of service or a consumer
licensing agreement; and
(7) the term ‘information
system’ has the meaning given that term in section 3502(8) of title 44.
The other problem with this bill is the inclusion of the
protection of information under the provisions of CEII. While a great deal of
the information addressed in this bill could well fit under the CEII
designation, I question how much information provided in the rate filings under
§219A(f) should receive that protection. The public deserves the right to see
why rates are being changed. With that in mind I would re-write subsection (f):
(f) SINGLE-ISSUE RATE FILINGS.
(a) The Commission shall
permit public utilities to apply for incentive-based rate treatment under the
rule issued under this section on a single-issue basis by submitting to the
Commission a tariff schedule under section 205 that permits recovery of costs
and incentives over the depreciable life of the applicable assets, without
regard to changes in receipts or other costs of the public utility.
(b) Data submitted to the
Commission to justify the rate change will include a sensitive annex listing
computer hardware, software and services that will constitute the advanced
cybersecurity technology justifying the incentive-based rate treatment in (a).
The sensitive data will be protected as critical electric infrastructure
information (CEII) under 16
USC 824o-1.
(c) The information in the
sensitive annex will include a detailed listing of costs and the depreciable
life of the computer hardware, software and services described in (b). A
summary of the costs and depreciable life of those assets will be included
under the listing of ‘advanced cybersecurity technology’ in the public
information provided to the Commission.