Earlier this month Rep Bera (D,CA) introduced HR 5760, the Grid
Security Research and Development Act. The bill would require DOE to fund a
variety of electric sector cybersecurity research efforts. The bill would also
authorize funding for such activities. The bill would amend Title XIII of the
Energy Independence and Security Act of 2007 (42 USC 17381 et seq.) by adding
nine new sections.
Definitions
The new §1317 would add definitions for the Smart Grid Title.
Key definitions include:
• The term ‘cybersecurity’ means
protecting an information system or information that is stored on, processed
by, or transiting an information system from a cybersecurity threat or security
vulnerability.
• The term ‘cybersecurity threat’
has the meaning given the term in section 102 of the Cybersecurity Information Sharing
Act of 2015 (6 U.S.C. 1501).
• The term ‘information system’ has
the meaning given the term in section 102 of the Cybersecurity Information
Sharing Act of 2015 (6 U.S.C. 1501); and includes operational technology, information
technology, and communications.
• The term ‘security vulnerability’
has the meaning given the term in section 102 of the Cybersecurity Information
Sharing Act of 2015 (6 U.S.C. 1501).
• The term ‘transient devices’
means removable media, including floppy disks, compact disks, USB flash drives,
external hard drives, mobile devices, and other devices that utilize wireless
connections.
R&D Program
Section 1310 would require DOE “to carry out a research,
development, and demonstration program to protect the electric grid and energy
systems, including assets connected to the distribution grid, from cyber and
physical attacks” {new §1310(a)}. The program would include the award of research,
development, and demonstration grants to {new §1310(b)}:
• Identify cybersecurity risks to
information systems within, and impacting, the electricity sector, energy
systems, and energy infrastructure;
• Develop methods and tools to
rapidly detect cyber intrusions and cyber incidents, such as intrusion
detection, and security information and event management systems, to validate
and verify system behavior;
• Assess emerging cybersecurity
capabilities that could be applied to energy systems and develop technologies
that integrate cybersecurity features and procedures into the design and
development of existing and emerging grid technologies, including renewable
energy, storage, and demand-side management technologies;
• Identify existing vulnerabilities
in intelligent electronic devices, advanced analytics systems, and information
systems;
• Develop technologies that improve
the physical security of information systems, including remote assets;
• Integrate human factors research
into the design and development of advanced tools and processes for dynamic
monitoring, detection, protection, mitigation, response, and cyber situational
awareness;
• Evaluate and understand the
potential consequences of practices used to maintain the cybersecurity of
information systems and intelligent electronic devices;
• Develop or expand the
capabilities of existing cybersecurity test beds to simulate impacts of cyber
attacks and combined cyber-physical attacks on information systems and
electronic devices; and
• Develop technologies that reduce
the cost of implementing effective cybersecurity technologies and tools,
including updates to these technologies and tools, in the energy sector.
Additionally, DOE would be required to work with relevant
entities to develop technologies or concepts that build or retrofit cybersecurity
features and procedures into {new §1310(b)(5)}:
• Information and energy management
system devices, components, software, firmware, and hardware, including
distributed control and management systems, and building management systems;
• Data storage systems, data management
systems, and data analysis processes;
• Automated- and
manually-controlled devices and equipment for monitoring and stabilizing the
electric grid;
• Technologies used to synchronize
time and develop guidance for operational contingency plans when time
synchronization technologies are compromised;
• Power system delivery and end
user systems and devices that connect to the grid;
• The supply chain of electric grid
management system components.
Resilience and Response
Section 1311 would require DOE to establish a separate grant
program “to enhance resilience and strengthen emergency response and management
pertaining to the energy sector” {new §1311(a)}. Grants would be awarded for
{new §1311(b)}:
• Developing methods to improve
community and governmental preparation for and emergency response to
large-area, long-duration electricity interruptions;
• Developing tools to help
utilities and communities ensure the continuous delivery of electricity to
critical facilities;
• Developing tools to improve
coordination between utilities and relevant Federal agencies to enable
communication, information-sharing, and situational awareness in the event of a
physical or cyber-attack on the electric grid;
• Developing technologies and
capabilities to withstand and address the current and projected impact of the
changing climate on energy sector infrastructure, including extreme weather
events and other natural disasters;
• Developing technologies capable
of early detection of deteriorating electrical equipment on the transmission
and distribution grid, including detection of spark ignition causing wildfires
and risks of vegetation contact; and
• Assessing upgrades and additions
needed to energy sector infrastructure due to projected changes in the energy
generation mix and energy demand.
Best Practices and Guidance
Section 1312 would require DOE to “coordinate the
development of guidance documents for research, development, and demonstration
activities to improve the cybersecurity capabilities of the energy sector
through participating agencies” {new §1312(a)}. This would include updating {new
§1312(a)(1)}:
• The Roadmap to Achieve Energy Delivery
Systems Cybersecurity;
• The Cybersecurity Procurement Language
for Energy Delivery Systems; and
• The Electricity Subsector
Cybersecurity Capability Maturity Model, including the development of metrics
to measure changes in cybersecurity readiness.
The changes to the cybersecurity procurement language
document would include suggestions for {new §1312(a)(1)(B)}:
• Contracting with third parties to
conduct vulnerability testing for information systems used across the energy
production, delivery, storage, and end use systems;
• Contracting with third parties
that utilize transient devices to access information systems; and
• Managing supply chain risks.
DOE would also be required to work with the National Institute
of Standards and Technology (NIST) to convene relevant stakeholders to develop consensus-based
best practices to improve cybersecurity for {new §1312(b)(1)}:
• Emerging energy technologies;
• Distributed generation and
storage technologies, and other distributed energy resources;
• Electric vehicles and electric
vehicle charging stations; and
• Other technologies and devices
that connect to the electric grid.
Section 1312(c) specifically states that none of the
activities authorized by this section “shall be construed to authorize
regulatory actions”.
Funding
Section 1318 authorizes funding for the programs outlined in
this bill. Funding would start at $150 million in 2021 and increase each year
to $182 million in 2025.
Amendments
On Wednesday the House Science, Space, and Technology
Committee held a markup hearing that included consideration of HR 5760. Three
amendments were offered by:
All three amendments were adopted by voice vote as was the
amended bill. Most of the changes made by the three amendments were relatively minor
wording changes. The most significant change was made by the Waltz amendment.
It would add a new §4, Critical Infrastructure Research and Construction, to
the bill (not another change to the Energy Independence and Security Act of
2007).
The new §4 would require DOE to establish and operate a
Critical Infrastructure Test Facility “that allows for scalable physical and
cyber performance testing to be conducted on industry-scale critical
infrastructure systems” {§4(d)}. The Test Facility would focus on cybersecurity
test beds and electric grid test beds. The Test Facility would be authorized to
operate for five years with the possibility of a single 5-year extension by DOE.
Moving Forward
This bill received bipartisan support in Committee, and I
expect that it would receive similar support on the floor of the House. This
bill could be brought to the floor under the suspension of the rules process or
it could be added to a DOE authorization or spending bill. Because of the monies
authorized for the grant programs, I suspect that this bill would receive less
opposition if it were included in an authorization bill.
Commentary
You have to give the Committee Staff credit; this is a very
comprehensive cybersecurity research program outlined in the bill.
Unfortunately, the paltry amount of funding authorized in the bill will hardly
make a start of a dent in the research program outlined. That amount of money,
however, is probably about as much as Congress is going to allocate for
cybersecurity research.
One thing that is interesting about this bill is the
recognition by the Staff that grid security is going to be affected not just
by grid operators, but also by any number of entities that will be increasingly
connecting to the grid. The rise of the ‘smart grid’ is increasing the amount
of cyber communication between grid operators and their customers. Those
communications channels are going to be an increasingly important pathway for
attackers to gain effective access to grid control mechanisms. The sooner
cybersecurity research starts focusing on that process access route, the sooner
defenses can begin to be appropriately arrayed to protect the grid.