HR 5760 Introduced – Energy Security Research

Earlier this month Rep Bera (D,CA) introduced HR 5760, the Grid Security Research and Development Act. The bill would require DOE to fund a variety of electric sector cybersecurity research efforts. The bill would also authorize funding for such activities. The bill would amend Title XIII of the Energy Independence and Security Act of 2007 (42 USC 17381 et seq.) by adding nine new sections.

Definitions

The new §1317 would add definitions for the Smart Grid Title. Key definitions include:

• The term ‘cybersecurity’ means protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

• The term ‘cybersecurity threat’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

• The term ‘information system’—has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501); and includes operational technology, information technology, and communications.

• The term ‘security vulnerability’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

• The term ‘transient devices’ means removable media, including floppy disks, compact disks, USB flash drives, external hard drives, mobile devices, and other devices that utilize wireless connections.

R&D Program

Section 1310 would require DOE “to carry out a research, development, and demonstration program to protect the electric grid and energy systems, including assets connected to the distribution grid, from cyber and physical attacks” {new §1310(a)}. The program would include the award of research, development, and demonstration grants to {new §1310(b)}:

• Identify cybersecurity risks to information systems within, and impacting, the electricity sector, energy systems, and energy infrastructure;

• Develop methods and tools to rapidly detect cyber intrusions and cyber incidents, such as intrusion detection, and security information and event management systems, to validate and verify system behavior;

• Assess emerging cybersecurity capabilities that could be applied to energy systems and develop technologies that integrate cybersecurity features and procedures into the design and development of existing and emerging grid technologies, including renewable energy, storage, and demand-side management technologies;

• Identify existing vulnerabilities in intelligent electronic devices, advanced analytics systems, and information systems;

• Develop technologies that improve the physical security of information systems, including remote assets;

Integrate human factors research into the design and development of advanced tools and processes for dynamic monitoring, detection, protection, mitigation, response, and cyber situational awareness;

• Evaluate and understand the potential consequences of practices used to maintain the cybersecurity of information systems and intelligent electronic devices;

• Develop or expand the capabilities of existing cybersecurity test beds to simulate impacts of cyber attacks and combined cyber-physical attacks on information systems and electronic devices; and

• Develop technologies that reduce the cost of implementing effective cybersecurity technologies and tools, including updates to these technologies and tools, in the energy sector.

Additionally, DOE would be required to work with relevant entities to develop technologies or concepts that build or retrofit cybersecurity features and procedures into work with relevant entities to develop technologies or concepts that build or retrofit cybersecurity features and procedures into {new §1310(b)(5)}:

• Information and energy management system devices, components, software, firmware, and hardware, including distributed control and management systems, and building management systems;

• Data storage systems, data management systems, and data analysis processes;

• Automated- and manually-controlled devices and equipment for monitoring and stabilizing the electric grid;

• Technologies used to synchronize time and develop guidance for operational contingency plans when time synchronization technologies, are compromised;

• Power system delivery and end user systems and devices that connect to the grid

• The supply chain of electric grid management system components;

Resilience and Response

Section 1311 would require DOE to establish a separate grant program “to enhance resilience and strengthen emergency response and management pertaining to the energy sector” {new §1311(a)}. Grants would be awarded for {new §1311(b)}:

• Developing methods to improve community and governmental preparation for and emergency response to large-area, long-duration electricity interruptions;

• Developing tools to help utilities and communities ensure the continuous delivery of electricity to critical facilities;

• Developing tools to improve coordination between utilities and relevant Federal agencies to enable communication, information-sharing, and situational awareness in the event of a physical or cyber-attack on the electric grid;

• Developing technologies and capabilities to withstand and address the current and projected impact of the changing climate on energy sector infrastructure, including extreme weather events and other natural disasters;

• Developing technologies capable of early detection of deteriorating electrical equipment on the transmission and distribution grid, including detection of spark ignition causing wildfires and risks of vegetation contact; and

• Assessing upgrades and additions needed to energy sector infrastructure due to projected changes in the energy generation mix and energy demand.

Best Practices and Guidance

Section 1312 would require DOE to “coordinate the development of guidance documents for research, development, and demonstration activities to improve the cybersecurity capabilities of the energy sector through participating agencies” {new §1312(a)}. This would include updating {new §1312(a)(1)}:

• The Roadmap to Achieve Energy Delivery Systems Cybersecurity;

• The Cybersecurity Procurement Language for Energy Delivery Systems; and

• The Electricity Subsector Cybersecurity Capability Maturity Model, including the development of metrics to measure changes in cybersecurity readiness.

The changes to the cybersecurity procurement language document would include suggestions for {new §1312(a)(1)(B)}:

• Contracting with third parties to conduct vulnerability testing for information systems used across the energy production, delivery, storage, and end use systems;

• Contracting with third parties that utilize transient devices to access information systems; and

• Managing supply chain risks.

DOE would also be required to work with the National Institute of Standards and Technology (NIST) to convene relevant stakeholders to develop consensus-based best practices to improve cybersecurity for {new §1312(b)(1)}:

• Emerging energy technologies;

• Distributed generation and storage technologies, and other distributed energy resources;

• Electric vehicles and electric vehicle charging stations; and

• Other technologies and devices that connect to the electric grid.

Section 1312(c) specifically states that none of the activities authorized by this section “shall be construed to authorize regulatory actions”.

Funding

Section 1318 authorizes funding for the programs outlined in this bill. Funding would start at $150 million in 2021 and increase each year to $182 million in 2025.

Amendments

On Wednesday the House Science, Space, and Technology Committee held a markup hearing that included consideration of HR 5760. Three amendments were offered by:

• Bera;

• Rep Lofgren (D,CA); and

• Rep Waltz (R,FL)

All three amendments were adopted by voice vote as was the amended bill. Most of the changes made by the three amendments were relatively minor wording changes. The most significant change was made by the Waltz amendment. It would add a new §4, Critical Infrastructure Research and Construction, to the bill (not another change to the Energy Independence and Security Act of 2007).

The new §4 would require DOE to establish and operate a Critical Infrastructure Test Facility “that allows for scalable physical and cyber performance testing to be conducted on industry-scale critical infrastructure systems” {§4(d)}. The Test Facility would focus on cybersecurity test beds and electric grid test beds. The Test Facility would be authorized to operate for five years with the possibility of a single 5-year extension by DOE.

Moving Forward

This bill received bipartisan support in Committee, and I expect that it would receive similar support on the floor of the House. This bill could be brought to the floor under the suspension of the rules process or it could be added to a DOE authorization or spending bill. Because of the monies authorized for the grant programs, I suspect that this bill would receive less opposition if it were included in an authorization bill.

Commentary

You have to give the Committee Staff credit; this is a very comprehensive cybersecurity research program outlined in the bill. Unfortunately, the paltry amount of funding authorized in the bill will hardly make a start of a dent in the research program outlined. That amount of money, however, is probably about as much as Congress is going to allocate for cybersecurity research.

One thing that is interesting about this bill is the recognition by the Staff that grid security is going to be affected by not just by grid operators, but also by any number of entities that will be increasing connecting to the grid. The rise of the ‘smart grid’ is increasing the amount of cyber communication between grid operators and their customers. Those communications channels are going to be an increasingly important pathway for attackers to gain effective access to grid control mechanisms. The sooner cybersecurity research starts focusing on that process access route, the sooner defenses can begin to be appropriately arrayed to protect the grid.