Showing posts with label Energy Security. Show all posts

Monday, April 24, 2023

Review - S 1050 Introduced – Bulk Power System Protection

Last month, Sen Scott (R,FL) introduced S 1050, the Protect American Power Infrastructure Act. The bill would prohibit owners of defense critical electrical infrastructure from buying covered electrical power supply equipment from companies owned or controlled by foreign adversaries. No funding is authorized by this legislation.

Moving Forward

Scott is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration, nor are his three cosponsors. This means that it is unlikely that there will be sufficient influence to see the bill considered in Committee. I suspect that there would be some industry opposition to this broadly written rule, so if the bill were considered in Committee it is unclear at this point if there would be sufficient support for the bill to be favorably reported. I do not think that there would be enough support to see the bill considered under regular order by the full Senate.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1050-introduced - subscription required.

Thursday, February 6, 2020

Bills Introduced – 2-5-20


With both the House and Senate in session (and the Senate finishing with the impeachment process) there were 23 bills introduced. One of those bills may receive additional coverage in this blog:

HR 5760 To provide for a comprehensive interdisciplinary research, development, and demonstration initiative to strengthen the capacity of the energy sector to prepare for and withstand cyber and physical attacks, and for other purposes. Rep. Bera, Ami [D-CA-7] 

This could get complicated.

Friday, January 18, 2019

Bills Introduced – 01-17-19


Yesterday with both the House and Senate in session there were 86 bills introduced. Of those, three may receive additional coverage on this blog:

HR 648 Consolidated Appropriations Act, 2019 Rep. Lowey, Nita M. [D-NY-17] 

HR 680 To provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Rep. Ruppersberger, C. A. Dutch [D-MD-2]

S 174 A bill to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Sen. King, Angus S., Jr. [I-ME]

HR 648 is another version of an FY 2019 spending bill that addresses the spending for the shut down agencies in the Federal government (except for DHS). I will only be looking at this bill if there are specific provisions of the bill of interest. The schedule for next week has not yet been published, but I expect that it will be considered on the floor next week. This will be another attempt to get Republican support to re-open the government over Trump’s opposition.

It looks like the other two bills are companion bills, but I cannot be sure until I see the actual bills.

Friday, April 20, 2018

House Subcommittee Marks-Up Energy Security Bills


On Wednesday the Subcommittee on Energy, of the House Committee on Energy and Commerce, held a markup hearing on five energy bills. Four of the bills have been covered in this blog and those bills passed on voice votes; two of them were amended with substitute language from the original offerors. The four bills that have been addressed in this blog are:

HR 5174, Energy Emergency Leadership Act;
HR 5175, Pipeline and LNG Facility Cybersecurity Preparedness Act (amended);
HR 5239, Cyber Sense Act (amended); and
HR 5240, Enhancing Grid Security through Public-Private Partnerships Act

HR 5175 Changes


The one change made to HR 5175 in the substitute language is relatively minor. It adds a phrase to §2(1) to expand the coordination requirement by adding: “including through councils or other entities engaged in sharing, analysis, or sector coordinating”.

HR 5239 Changes


The changes to HR 5239 are mainly grammatical and would have little to do with the operation of the Cyber Sense program that is proposed by this bill. There is one potentially significant change; §2(b)(7) from the original bill was removed. That paragraph had provided a requirement for the Secretary of Energy to “establish procedures for disqualifying products that were tested and identified as cyber-secure under the Cyber Sense program but that no longer meet the qualifications to be identified cyber-secure products”. There is nothing in the revised program that would prohibit that disqualification.

Moving Forward


The bipartisan support received in the subcommittee will almost certainly be duplicated when these bills are taken up by the whole committee. The question then will be to see if the sponsors and the Committee leadership have enough influence (or are willing to expend the effort to influence) to bring these bills before the full House. I firmly expect that we will see some version of these bills reach the floor under the suspension of the rules procedure in the House. Again, that means limited debate and no floor amendments. I would not be surprised to see all five bills considered on a single day.

Commentary


The removal of the language in HR 5239 providing for the establishment of a process to disqualify products that no longer meet the Cyber Sense standards brings up an interesting legal situation. As I said earlier, there is nothing in the bill that would specifically prohibit the Secretary from establishing such rules. But, having said that, a good lawyer could argue before a friendly judge that the removal of the specific authority to establish such a disqualification process from the language in the bill establishes a congressional intent that such authority can no longer be exercised by the Secretary absent specific authorization by Congress.

What this very well could end up meaning is that once a vendor becomes authorized to use the ‘Cyber Sense’ label on their product, they will no longer have to work to maintain the ‘Cyber Sense’ standards because the Secretary would not have the authority to require the vendor to remove the ‘Cyber Sense’ labeling. If vendor flouting of the ‘Cyber Sense’ standards becomes widespread, the efficacy of the whole program would be called into question, destroying the process.

If this problem is to be addressed, it will almost certainly have to be done during the Energy and Commerce mark-up hearing that will probably be conducted in the next couple of weeks. After that, if the bill moves forward, it would almost certainly be under processes in both the House and Senate that would not allow for amendments to the bill from the floor.

Tuesday, March 13, 2018

Not a Markup Hearing


Well, it turns out that the Energy Subcommittee hearing on the four DOE emergency response and security bills is not a mark-up hearing after all. Last night the witness list was announced, so it seems as if this will be an information gathering hearing with a possible mark-up at some later date.

Updated Hearing Information


The witness list includes:

Mark Menezes, US Department of Energy;
Scott Aaronson, Edison Electric Institute;
Mark Engels, Dominion Energy;
Kyle Pitsor, National Electrical Manufacturers Association;
Zachary Tudor, Idaho National Laboratory; and
Tristan Vance, Indiana Office of Energy Development

The links provided above are to the witness testimony that will be presented at tomorrow’s hearing. The Sub-Committee staff has also produced a background document for the meeting.

Interesting Info in Testimony


Menezes notes that (pg 1):

“To demonstrate our focus on the aforementioned mission [to protect the Nation’s critical energy infrastructure from physical security events, natural and man-made disasters, and cybersecurity threats], the Secretary announced last month that he is establishing an Office of Cybersecurity, Energy Security, and Emergency Response (CESER). This organizational change will strengthen the Department’s role as the Sector-Specific Agency (SSA) for Energy Sector Cybersecurity, supporting our national security responsibilities.”

Menezes also notes that (pg 6):

“Advancing the ability to improve situational awareness of OT networks is a key focus of DOE’s current activities. The Department is currently in the early stages of taking the lessons learned from CRISP and developing an analogous capability for threat detection on OT networks via the Cybersecurity for the Operational Technology Environment (CYOTE) pilot project. Observing anomalous traffic on networks – and having the ability to store and retrieve network traffic from the recent past – can be the first step in stopping an attack in its early stages.”

Engels notes that (pg 3):

“A more expedient [coordinating security activities of DOT and TSA] approach may be to encourage a Memo of Understanding (MOU) between DOE and TSA that outlines roles and responsibilities for dealing with cyber and physical security for the ONG sector. TSA already has an MOU with the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) which has responsibility for pipeline safety. Depending on the type of event, the TSA/DOT MOU has been critical in helping operators understand which Federal entity is the lead agency.”

Engels also notes that (pg 8):

“In 2016, TSA, again working with asset owners, industry associations, and the Department of Homeland Security’s Industrial Control System’s Cyber Emergency Response Team (DHS ICS-CERT), gathered input to update the Guidelines using the National Institute of Standards and Technology’s (NIST) Cyber Security Framework as a model. The updated [Pipeline Security] Guidelines are scheduled for release in the first half of 2018. Industry also provided input to augment the set of cybersecurity questions used in the Corporate Security Reviews (CSR) conducted by TSA.”

Engels also notes that (pgs 12-13):

“INL has undertaken several initiatives to stand up test environments for Industrial Control Systems (ICS). One such initiative was called RENDER (Risk Evaluation Nexus for Digital Age Energy Reliability). RENDER created a three way sharing arrangement involving the lab, the vendor and the asset owner. Previous projects excluded the asset owner from the equation, creating uncertainty associated with remediation of the vulnerabilities identified by INL. With RENDER, the asset owner not only could see what vulnerabilities were discovered, but provide input to the vendor about how critical or not the vulnerability was to the asset owner. This allowed the vendor to prioritize corrections that made the most sense to the asset owners.”

Tudor notes that (pg 4):

“INL developed and completed an initial pilot study of our proprietary Consequence driven, Cyber-informed Engineering (CCE) methodology with Florida Power and Light (FPL) through a Cooperative Research and Development Agreement (CRADA). CCE was developed to address the realization that constantly “chasing” threats and vulnerabilities, rather than getting ahead of these problems, is not sufficient to secure our critical systems. CCE is designed to assist asset owners in understanding the most effective and immediate actions they can take to eliminate the opportunity of the “worst-case” cyber-physical impacts from an attack by the most capable cyber adversaries. CCE leverages an organization’s knowledge and experiences with their systems and processes to “engineer out” the potential for the highest consequence events.”

This could be an interesting hearing.

Tuesday, December 19, 2017

DOE Sends Emergency Order Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule for review from the Department of Energy establishing procedures for the issuance of grid security emergency orders. The Secretary of Energy derives the authority to issue such orders under 18 USC 824o-1(b).


The notice of proposed rulemaking (NPRM) was published on December 7, 2016.

Tuesday, July 18, 2017

Committee Hearings – Week of 7-16-17

With both the House and Senate in session there is a wide slate of congressional hearings this week. Spending bills are finishing up in the House and the Senate continues to plug away on nomination hearings. There are two cybersecurity hearings of potential interest, one a markup and one addressing energy security.

Spending Bills


The House Appropriations Committee is still working on ginning out their spending bills with two more hearings being conducted during the remainder of the week:


Cybersecurity Mark-up


On Wednesday the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will mark-up a staff draft of a bill on highly automated vehicle testing and deployment. The Committee Draft of the bill contains a section on “Cybersecurity of automated driving systems” which I will try to review later today.

Energy Security


Later this morning the Senate Energy and Natural Resources Committee will hold a hearing to examine the status and outlook for U.S. and North American energy and resource security. Cybersecurity is certainly going to be part of this discussion. The witness list includes:

• Fatih Birol, International Energy Agency;
• Stephen Cheney, American Security Project;
• Robert Coward, American Nuclear Society;
• Dan McGroarty, Carmot Strategic Group;
• Mark Mills, Manhattan Institute; and
• Jamie Webster, Center for Energy Impact

On the Floor of the House


Today the House will consider HR 3050, Enhancing State Energy Security Planning and Emergency Preparedness Act of 2017, under their suspension of the rules procedure. This means that there will be limited debate and no amendments will be considered. This usually means that the House leadership considers this to be a non-controversial bill with a high probability of passage (which requires a super-majority). NOTE: The committee report on the bill has not yet been published. It will probably be submitted today, but will not actually be available on the Congress.gov site until later this week.


NOTE: The House Rules Committee called for amendments to HR 2997, 21st Century Aviation Innovation, Reform, and Reauthorization Act. This is the House version of the FY 2018 FAA reauthorization. I have not published a review of this bill yet because there is currently nothing of real interest included in the introduced version. It looks like that will be changing. No hearing is scheduled yet, but it may happen later this week.

Thursday, July 6, 2017

HR 3050 Introduced – Energy Security

Last month Rep. Upton (R,MI) introduced HR 3050, the Enhancing State Energy Security Planning and Emergency Preparedness Act of 2017. The bill would amend the Energy Policy and Conservation Act (PL 94-193); Part D of title III (State Energy Conservation Programs; 42 USC 6321 – 6327) by adding a new §367 (§6328), State energy security plans.

Energy Security Plans


While the bill does not specifically require States to prepare energy security plans, it does condition future State receipt of federal energy conservation grants under §6323 on the successful development and implementation of such security plans.

The plans would be required to address how the State intends to {new §367(a)}:

• Secure the energy infrastructure of the State against all physical and cybersecurity threats;
• Mitigate the risk of energy supply disruptions to the State and enhance the response to, and recovery from, energy disruptions; and
• Ensure the State has a reliable, secure, and resilient energy infrastructure.

Specifically, the plans would be required to contain provisions that {new §367(b)}:

• Address all fuels, including petroleum products, other liquid fuels, coal, electricity, and natural gas, as well as regulated and unregulated energy providers;
• Provide a State energy profile, including an assessment of energy production, distribution, and end-use;
• Address potential hazards to each energy sector or system, including physical threats and cybersecurity threats;
• Provide a risk assessment of energy infrastructure and cross-sector interdependencies;
• Provide a risk mitigation approach to enhance reliability and end-use resilience; and
• Address multi-State and regional coordination planning and response.

The bill would provide continued authorization for the energy efficiency grants (now including energy security) under §6323 at $90 million per year through 2022. The original program (2007 through 2012) had a funding level set at $125 million per year.

House Mark-Up


On June 28th the House Energy and Commerce Committee conducted a mark-up hearing that included HR 3050. Two amendments to this bill were adopted by voice vote and the bill was approved by a voice vote.

Of the two amendments, only the Barton amendment contained any specific cybersecurity provisions. It modified two of the content requirements for the State energy security plans:

• Address potential hazards to each energy sector or system, including physical threats and cybersecurity threats and vulnerabilities; and
• Address multi-State and regional coordination planning and response and, to the extent practicable, encourage mutual assistance in cyber and physical response plans.

Moving Forward


Obviously, Upton and his cosponsor, Rep. Rush (D,IL), as Chair and Ranking Member of the Energy Subcommittee had the pull necessary to have the full Committee promptly consider this bill just days after it was introduced. Whether or not that support is strong enough to ensure consideration by the full House remains to be seen.

There is nothing in this bill that would engender any serious opposition, and its passage by a voice vote in Committee indicates that it should receive substantial bipartisan support if it were to reach the floor. That would seem to indicate that if the bill were considered it would proceed under the suspension of the rules provisions with limited debate and no floor amendments to be considered. This could allow the bill to be considered even before the summer recess if the Committee report is published in time.

Commentary


The one major deficiency that I see in this bill is that it does not include a specific definition of ‘cybersecurity’. This is especially important in the energy sector due to its substantial dependence on a wide variety of industrial control systems and increasing use of ‘smart technology’ based internet of things (IoT) devices at the delivery end of the systems.

I think that the crafters of this bill may be trying to rely on the ‘all physical and cybersecurity threats’ language of §367(a)(1) to ensure that control system and IoT security issues will be addressed, but considering the congressional history of generally failing to address or even consider such issues in crafting cybersecurity legislation, I think that is an inadequate shortcut. What I am really afraid of is the possibility that the staffers that wrote this bill did not even specifically intend to include control system or IoT security concerns.

I was impressed by the Barton amendment’s inclusion of the ‘vulnerability’ language with respect to the cybersecurity requirements. Even today, a policy wonk with little or no technical background could justifiably say that there is no real cybersecurity threat to the energy infrastructure in this country because there is no history of real, consequential attacks. The addition of the word ‘vulnerabilities’ significantly undercuts that argument.


Finally, the amount of money authorized for the grant program, especially since it still includes energy efficiency programs, is ludicrously small. That is especially true if the ‘all physical and cybersecurity threats’ language is interpreted to include EMP and geomagnetic issues (again the lack of definition issue). Given the current budget issues, I suspect that this is all that is possible, but it is like providing funding for umbrellas to protect people from hurricanes.

Wednesday, January 11, 2017

Bills Introduced – 01-10-17

Yesterday with both the House and Senate in session there were 73 bills introduced. Of those two may be of specific interest to readers of this blog:

S 79 A bill to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Sen. King, Angus S., Jr. [I-ME]

S 88 A bill to ensure appropriate spectrum planning and interagency coordination to support the Internet of Things. Sen. Fischer, Deb [R-NE]

It will be interesting to see if S 79 addresses physical security, cybersecurity, or both.


S 88 looks to be a continuation of efforts by Fischer to promote IoT development. How close this will be to S 2607 from the last session remains to be seen. That bill was reported out of committee but never made it to the floor of the Senate.

Tuesday, June 7, 2016

Bills Introduced – 06-06-16

With just the Senate back in session (the House returns to town today) there were eleven bills introduced. Of those, three may be of specific interest to readers of this blog:

S 3017 An original bill to authorize appropriations for fiscal year 2017 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Sen. Burr, Richard [R-NC]

S 3018 A bill to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Sen. King, Angus S., Jr. [I-ME]

S 3024 A bill to improve cyber security for small businesses. Sen. Vitter, David [R-LA]


I’ll be watching the Intel authorization bill for cybersecurity related provisions. The same holds true for the other two bills as well.

Thursday, December 3, 2015

House Amends and Passes HR 8

This morning the House passed HR 8 by a mainly party-line vote of 249 to 174. The House concluded their consideration of the 35 amendments to the bill before the vote. All four of the amendments I discussed Tuesday passed by voice votes yesterday.


With a Presidential veto promised if this bill passes a Senate vote, today’s vote did not indicate that there was anywhere near enough support for this bill to overcome a veto if the bill were passed in the Senate. It is unlikely, however, that this bill will be considered in the Senate given the solid Democratic opposition to the bill.

Friday, September 18, 2015

HR 8 Introduced – Energy Security

On Wednesday Rep Upton (R,MI) introduced HR 8, the North American Energy Security and Infrastructure Act of 2015. The bill mainly addresses energy supply chain issues, but it does have two provisions dealing with actual security issues. The first is protection of information about bulk electrical system security issues and the second is a new cybersecurity program.

Information Protection

Section 1104 of the bill would add a new section (§215A; Critical Electric Infrastructure Security) to the Federal Power Act (16 USC 824 et seq.). The new section would provide authority for the Secretary of Energy to address a grid security emergency {new §215A(b)} and establish a program for the protection of critical electric infrastructure information. The provisions of this section are essentially those found in HR 2271 which I have previously discussed in detail.

While a CEII program does currently exist, pending regulations on controlled unclassified information (CUI) from the National Archives and Records Administration treat such programs differently if they are authorized by law.

Cyber Sense Program

Section 1106 requires the Energy Secretary to establish a Cyber Sense Program to identify and promote cyber-secure products intended for use in the bulk-power system. The program would allow voluntary industry participation and would include {§1106(b)}:

• A testing process to identify products and technologies intended for use in the bulk-power system, including products relating to industrial control systems, such as supervisory control and data acquisition systems;
• The establishment and maintenance of cybersecurity vulnerability reporting processes and a related database for products in the Cyber Sense program;
• Regulations regarding vulnerability reporting processes for products tested and identified under the Cyber Sense program; and
• Technical assistance to utilities, product manufacturers, and other electric sector stakeholders to develop solutions to mitigate identified vulnerabilities in products tested and identified under the Cyber Sense program.

This section would also require the Secretary to provide for public notice and comments before establishing or changing the required testing program. Products included in the program would be required to be tested every two years.

The bill does not specifically mandate that the results of the product testing should be considered as Critical Electric Infrastructure Information (CEII). It does, however, require that “any vulnerability reported pursuant to regulations promulgated under subsection (b)(3), the disclosure of which could cause harm to critical electric infrastructure (as defined in section 215A of the Federal Power Act), shall be exempt from disclosure” under the Freedom of Information Act or any similar State and local laws.

Moving Forward
As I noted in my earlier post, the assignment of ‘HR 8’ to this bill instead of a sequential bill number indicates that the Republican leadership in the House considers this bill a high political priority. It was considered in a markup hearing yesterday before the House Energy and Commerce Committee, but the Committee web page does not yet provide any results of that consideration. I expect, however, that the bill was adopted by voice vote.

Commentary

The new Cyber Sense Program proposed by this bill is the first serious attempt by Congress to deal with the problems associated with industrial control system security. The idea of the Federal government establishing a testing and certification program for ICS components and systems is certainly an innovative approach to control system security.

Since this bill does not provide any funding for the program, it is fairly clear that the authors intend this testing to be done by third-party organizations, and that is reinforced by the requirement for the Secretary to “oversee Cyber Sense testing carried out by third parties” {§1106(b)(8)}. The problem becomes that, since the Energy Department is not paying for the testing, it will most likely be the vendor that pays. This always raises the potential issue of testers being beholden to the people that make the products being tested.

The establishment of regulations for vulnerability reporting for Cyber Sense products is something that was fairly glibly added to this bill. But, taken along with the information sharing restrictions outlined, this is going to be problematic. Except for equipment that is uniquely used by the bulk-power system, trying to regulate how security vulnerability reporting is conducted without intimately involving at least ICS-CERT is going to create more problems than it solves.

A brief example will help explain the problem. A private security researcher discovers a vulnerability in a PLC that is part of the Cyber Sense program, but is also used in a wide variety of other industrial control systems. Normally he would have a choice of coordinating that vulnerability disclosure with the vendor, ICS-CERT (or any one of a number of other coordination agencies), or publicly disclosing the vulnerability. Under the new program, if he instead disclosed it to the Cyber Sense program, then there would be no public disclosure through ICS-CERT or the vendor. In fact, if the new regulations were to declare this disclosure to the Cyber Sense program to be CEII information (a logical move), then ICS-CERT would not be able to post it to the US-CERT Secure Portal because people without a CEII need-to-know have access to that system.

Crafters of this bill missed one of the biggest potential incentives for using Cyber Sense components. DHS has the Safety Act program under their Science and Technology Directorate that provides important legal liability protections for providers of Qualified Anti-Terrorism Technologies. This bill should have set up a similar program for Cyber Sense vetted products.

I would like to suggest that instead of making the vulnerability information CEII and limiting the disclosure to just the energy sector, the bill should have designated ICS-CERT as the agency responsible for coordinating disclosures of vulnerabilities for all Cyber Sense products. It would then go on to require that ICS-CERT initially release the vulnerability information on the US-CERT Secure Portal and only make full public disclosure in coordination with the Department of Energy organization overseeing the Cyber Sense program. That way non-energy sector organizations using the same equipment would have an opportunity to fix their devices before the public disclosure of the vulnerability.


Now, I really like the idea of an independent agency that does in-depth security vulnerability testing of control system components and certifies some level of minimum security for such devices. That would certainly make the purchasing of secure ICS components much easier. But we do need to be careful how that is done to prevent the most egregious unintended consequences.

Thursday, September 17, 2015

Bills Introduced – 09-16-15

There were 33 bills introduced in the House and Senate yesterday. Of those only one may be of specific interest to readers of this blog:

HR 8 North American Energy Security and Infrastructure Act of 2015 Rep. Upton, Fred [R-MI-6]

This bill will only receive additional coverage here if it contains requirements for cybersecurity or physical security of power production or transmission facilities.


Note: The first 20 House bill numbers are reserved at the beginning of the session for the Speaker to use. They are typically doled out for legislation that has a high political priority for the majority party.

Monday, September 14, 2015

Energy Security Mark-up Hearing Announced

This evening the House Energy and Commerce Committee announced that they would be holding a markup hearing on Wednesday and Thursday for two energy related bills. Readers of this blog would probably be most interested in the North American Energy Security and Infrastructure Act of 2015, a bill that has not yet been introduced.

I do not intend to do a full analysis of this bill until it is introduced, but the table of contents of the bill contains a listing of the bill’s sections that includes topics like:

Sec. 1104. Critical electric infrastructure security;
Sec. 1106. Cyber Sense; and
Sec. 3104. Collective energy security

A committee summary of the bill can be found here.


According to the draft version of the bill on the Committee web site Chairman Upton (R,MI) will be introducing this bill. This almost certainly ensures that it will be promptly reported out of Committee after this week’s two part hearing. I suspect that it would not, however, come to the floor until after October 1st. It will be interesting to see if Ranking Member Pallone (D,NJ) will be a co-sponsor of the bill.

Monday, June 15, 2015

S 1241 Introduced – Enhanced Grid Security Act

Last month Sen. Cantwell (D,WA) introduced S 1241, the Enhanced Grid Security Act. The bill would require the Secretary of Energy to undertake a number of new programs to increase the ‘cyberresilience’ of the Energy Sector.

The bill outlines four major areas where these programs will be concentrated:

Cybersecurity R&D
Component Testing
Support for Cyberresilience Program
Modeling Energy Infrastructure Risk

The bill sets out these program areas with minimal guidance and provides funds ($100 Million per year authorization in Section 10) for their execution.

Cybersecurity R&D

Section 4 of the bill would require the Secretary of Energy to carry out a program to:

Develop advanced cybersecurity applications and technologies for the energy sector;
Leverage electric grid architecture as a means to assess risks to the energy sector, including by implementing an all-hazards approach to communications infrastructure, control systems architecture, and power systems architecture;
Perform pilot demonstration projects with the energy sector to gain experience with new technologies; and
Develop workforce development curricula for energy sector-related cybersecurity.

Component Testing

Section 5 of the bill would require the Secretary to establish a program to:

Establish a cyber-testing and mitigation program to identify vulnerabilities of energy sector supply chain products to known threats;
Oversee third-party cyber-testing; and
Develop procurement guidelines for energy sector supply chain components.

Support for Cyberresilience Program

Section 6 requires the Secretary to carry out a program to:

Enhance and periodically test the emergency response capabilities of the Department;
Expand cooperation of the Department with the intelligence communities for energy sector-related threat collection and analysis;
Enhance the tools of the Department and ES-ISAC for monitoring the status of the energy sector;
Expand industry participation in ES-ISAC; and
Provide technical assistance to small electric utilities for purposes of assessing cyber-maturity posture.

Modeling Energy Infrastructure Risk

Section 7 requires the development of an advanced energy security program. This section provides the most complete congressional guidance found in this bill; it even provides a formal purpose of the program {§7(b)}:

“The objective of the program… is to increase the functional preservation of the electric grid operations or natural gas and oil operations in the face of natural and human-made threats and hazards, including electric magnetic pulse and geomagnetic disturbances.”

Then, instead of specifying the activities that will be included in the program, it provides permission to include activities to {§7(c)}:

Develop capabilities to identify vulnerabilities and critical components that pose major risks to grid security if destroyed or impaired;
Provide modeling at the national level to predict impacts from natural or human-made events;
Develop a maturity model for physical security and cybersecurity;
Conduct exercises and assessments to identify and mitigate vulnerabilities to the electric grid, including providing mitigation recommendations;
Conduct research on hardening solutions for critical components of the electric grid;
Conduct research on mitigation and recovery solutions for critical components of the electric grid; and
Provide technical assistance to States and other entities for standards and risk analysis.

Moving Forward


Sen. Cantwell (D,WA) is the ranking member of the Senate Energy and Natural Resources Committee to which this bill has been referred. This means that there is a decent chance that this bill will be included in Chairwoman Murkowski’s (R,AK) rather extensive energy legislation agenda. This bill may be considered by the Committee before the summer recess, but it is unlikely to make it to the floor of the Senate this year.