Bills Introduced – 02-15-18

With the Senate heading home for a week in district (and the House preparing to do the same) there were 65 bills introduced yesterday. Of those, four may be of specific interest to readers of this blog:

HR 5040 To authorize the President to control the export, reexport, and transfer of commodities, software, and technology to protect the national security, and to promote the foreign policy, of the United States, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

S 2444 A bill to provide for enhanced energy grid security. Sen. Cantwell, Maria [D-WA]

S 2445 A bill to provide for the modernization of the electric grid, and for other purposes. Sen. Cantwell, Maria [D-WA] 

S 2447 A bill to accelerate smart building development, and for other purposes. Sen. Cantwell, Maria [D-WA]

With all of these bills I will be looking for control system cybersecurity issues in determining whether or not to continue coverage of the bill in this blog. I suspect hat S 2444 has the highest chance of future coverage.

As always, the large number of bills introduced before an extended stay outside of Washington is seldom due to an increased interest in legislative activity. Most of the bills introduced yesterday will receive no consideration on the Hill. Most are introduced to allow the submitter to claim to be taking action of interest in speaking before organizations and financial supporters back home.

HR 4206 Introduced – Grid Modernization

On Wednesday Rep. Sarbanes (D,MD) introduced HR 4206, the 21st Century Power Grid Act. The bill would require the Secretary of Energy to establish a financial assistance program for projects to modernize the electric production, transmission and distribution system to continue to provide safe, secure, reliable, and affordable power. The bill does not include any authorization for funding.

Eligible Projects

The projects would be required to {§2(b)(1)}:

• Improve the performance and efficiency of the future electric grid;

• Provide new options for customer-owned resources; and

• Demonstrate secure integration and management of energy resources as well as secure integration and interoperability of communications and information technologies.

The projects would be required to include at least one of the following{§2(b)(3)(B)}:

• An investor-owned electric utility;

• A publicly owned utility;

• A technology provider;

• A rural electric cooperative;

• A regional transmission organization; or

• An independent system operator.

Each project would be required to include a Cybersecurity Plan {§2(c)} and a Privacy Risk Analysis {§2(d)}.

Moving Forward

Sarbanes and his two co-sponsors {Rep. Ellmers (R,NC) and Rep. McNerny (D,CA)} are on the Energy and Power Subcommittee of the House Energy and Commerce Committee, one of the two Committees to which this bill was referred for consideration. This means that there is a chance that this bill could make it before the Committee next year.

Since there is no new money authorized for this program and no new requirements are being placed upon industry, there is unlikely to be any significant opposition to this bill.

Commentary

As I have mentioned a number of times with a variety of different bills, it is interesting to continue to see generic cybersecurity language in this bill. It would be helpful, however, if Congress provided a little bit more guidance in what they are going to consider to be a ‘cybersecurity plan’ about which they expect the Secretary to provide guidance.

I’m not asking for any level of technical detail. That is not the job of the legislative branch and it certainly is not their strong point. What I am asking for is a little political guidance on what such a plan should include. If I were writing this bill I would include requirements to:

• Conduct a risk analysis to determine the worst case failure modes for the system;

• An outline of the devices and systems that could lead to those failures;

• A plan to insure that the devices and systems are designed, installed and maintained in a manner to reduce the likelihood of those failure modes;

• A plan to isolate those devices and systems from potential attack; and

• An identification of the requirements to recover from a successful attack against those failure modes.

Furthermore, the mere publication of a document that is called a cybersecurity plan should not be sufficient. It needs to be reviewed and approved by an appropriate agency within the DOE before any funding is provided.

Bills Introduced – 12-09-15

With both the House and Senate in session yesterday there were 24 bills introduced. Of those two may be of specific interest to readers of this blog:

HR 4206 To provide for a technology demonstration program related to the modernization of the electric grid. Rep. Sarbanes, John P. [D-MD-3] 

HJ Res 75 Making further continuing appropriations for fiscal year 2016, and for other purposes. Rep. Rogers, Harold [R-KY-5]

HR 4206 will only be followed in this bill if it includes specific cybersecurity language.

HJ Res 75 is a short term continuing resolution (CR) that would continue current government funding until next Wednesday, December 16^th. The House Rules Committee will be meeting later today to construct the rule that will include consideration of this bill on the floor of the House. That Rule will almost certainly include provisions allowing for same day voting on the omnibus spending bill when it is introduced.