Wednesday, January 1, 2020

HR 5527 Introduced – Grid Modernization Grants


Last month Rep Sarbanes (D,MD) introduced HR 5527, the 21st Century Power Grid Act. The bill would require DOE to establish a grant program to carry out projects related to the modernization of the electric grid. The plan includes cybersecurity provisions.

Grant Program


The grant program would include projects {§2(a)}:

• For the deployment of technologies to improve monitoring of, advanced controls for, and prediction of performance of, a distribution system; and
• Related to transmission system planning and operation.

Eligible projects would be designed to {§2(b)}:

• Improve the resiliency, performance, or efficiency of the electric grid, while ensuring the continued provision of safe, secure, reliable, and affordable power;
• Deploy a new product or technology that could be used by customers of an electric utility.

Additionally, the projects would be required to demonstrate {§2(b)(3)}:

• Secure integration and management of energy resources, including through distributed energy generation, combined heat and power, microgrids, energy storage, electric vehicles, energy efficiency, demand response, or controllable loads; or
• Secure integration and interoperability of communications and information technologies related to the electric grid.

Each approved project would be required to “include the development of a cybersecurity plan written in accordance with guidelines developed by the Secretary of Energy” {§2(c)}.

The bill would authorize $200 million per year through 2025 to fund the grant program.

Moving Forward


Sarbanes and his three cosponsors {Rep McNerney (D,CA), Rep Kennedy (D,MA), and Rep Veasey (D,TX)} are all members of the House Energy and Commerce Committee to which this bill was assigned for consideration. They are also members of the Energy Subcommittee, which would have jurisdiction within the Committee for the bill. This means that it is likely that they would have sufficient influence to see this bill considered in at least the Energy Subcommittee.

There are two things that might engender opposition to the bill: the spending authorization and the cybersecurity plan requirement. Spending monies have to come from somewhere, and that is generally a zero-sum game, so some other programs would likely pay the bill. Any bill that gives an Executive Branch agency the authority to require a private sector entity to do something is going to face some knee-jerk opposition from Republicans. I am afraid that this is the reason that there are no Republican cosponsors to the bill.

I do suspect that the bill still could receive some bipartisan support in Committee, but probably not enough to allow the House leadership to see this bill considered on the floor under the suspension of the rules process; it probably would not receive the supermajority required for passage under that procedure.

Commentary


Again, this is not strictly speaking a cybersecurity bill, but it will certainly have cybersecurity impacts. Because grid management is all about communications between various independent control systems, the provisions about demonstrating ‘secure integration and interoperability of communications and information technologies related to the electric grid’ are almost as much about cybersecurity as they are about communications and information technologies.

The interesting provision here, and one that is likely to be modified if broader support is to be found for this bill, is the cybersecurity plan requirement. The crafters of the bill gave DOE total leeway in determining what sort of guidelines the grantees would be required to comply with in crafting their cybersecurity plans. I was particularly surprised not to see a reference to the NIST Cybersecurity Framework in this requirement. While the CSF has nothing to do with crafting a cybersecurity plan (it is a risk management tool, not an operational guideline), it is a congressional favorite for pawning off ideas about cybersecurity issues; it makes folks sound like they know something about cybersecurity.

I think that the following rewording of §2(c) might be a way to accomplish what the committee staff was trying to accomplish with this plan provision while allowing more Republicans to support the measure:

(c) Cybersecurity Plan

(1) Each project carried out with financial assistance provided under subsection (a) shall include the development of a cybersecurity plan written in accordance with guidelines developed by the Secretary of Energy;

(2) In crafting the guidelines described in (1) the Secretary will:

(A) establish risk-based performance measures that the plans would be required to meet;

(B) keep in mind that each grantee will have unique systems and equipment requirements that would make requiring any specific security measure or equipment in the guidelines counter-productive; and

(C) refer to the NIST Cybersecurity Framework for the risk management objective of the plan;

(3) Each submitted plan will be approved by the Secretary before any of the funds provided under (a) are allocated;

(4) Disapproval of a plan will only be done because the plan does not meet one or more of the risk-based performance standards established in (2)(A);

(5) For plans that are determined by the Secretary to not adequately address the risk-based performance standards in (2)(A), the Secretary will:

(A) provide detailed explanations about the deficiencies in the cybersecurity plan to any requester whose cybersecurity plan did not adequately address the risk-based performance standards in (2)(A); and

(B) ensure that requesters will be provided one opportunity to modify their proposed cybersecurity plans if the Secretary finds that they do not meet the risk-based performance measures outlined in the guidelines; and

(6) Nothing in this bill would authorize the Secretary to require the use of these guidelines by any entity that is not applying for financial assistance under the program described in (a).

I know, I cribbed the basic idea from the Chemical Facility Anti-Terrorism Standards (CFATS) program, but it is probably the best way to craft standards that would have applicability to a wide variety of installations.
