HR 3050 Introduced – Energy Security

Last month Rep. Upton (R,MI) introduced HR 3050, the Enhancing State Energy Security Planning and Emergency Preparedness Act of 2017. The bill would amend the Energy Policy and Conservation Act (PL 94-193); Part D of title III (State Energy Conservation Programs; 42 USC 6321 – 6327) by adding a new §367 (§6328), State energy security plans.

Energy Security Plans

While the bill does not specifically require States to prepare energy security plans it does condition the future State receipt of federal energy conservation grants §6323 successful development and implementation of such security plans.

The plans would be required to address how the State intends to {new §367(a)}:

• Secure the energy infrastructure of the State against all physical and cybersecurity threats;

• Mitigate the risk of energy supply disruptions to the State and enhance the response to, and recovery from, energy disruptions; and

• Ensure the State has a reliable, secure, and resilient energy infrastructure.

Specifically, the plans would be required to contain provisions that {new §367(b)}:

• Address all fuels, including petroleum products, other liquid fuels, coal, electricity, and natural gas, as well as regulated and unregulated energy providers;

• Provide a State energy profile, including an assessment of energy production, distribution, and end-use;

• Address potential hazards to each energy sector or system, including physical threats and cybersecurity threats;

• Provide a risk assessment of energy infrastructure and cross-sector interdependencies;

• Provide a risk mitigation approach to enhance reliability and end-use resilience; and

• Address multi-State and regional coordination planning and response.

The bill would provide continued authorization for the energy efficiency grants (now including energy security) under §6323 at $90 million per year through 2022. The original program (2007 thru 2012) had a funding level set at $125 million per year.

House Mark-Up

On June 28^th the House Energy and Commerce Committee conducted a mark-up hearing that included HR 3050. Two amendments to this bill were adopted by voice vote and the bill was approved by a voice vote.

Of the two amendments on the Barton amendment contained any specific cybersecurity provisions. It modified two of the content requirements for the State energy security plans:

• Address potential hazards to each energy sector or system, including physical threats and cybersecurity threats and vulnerabilities; and

• Address multi-State and regional coordination planning and response and, to the extent practicable, encourage mutual assistance in cyber and physical response plans.

Moving Forward

Obviously, Upton and his cosponsor, Rep. Rush (D,IL), as Chair and Ranking Member of the Energy Subcommittee had the pull necessary to have the full Committee promptly consider this bill just days after it was introduced. Whether or not that support is strong enough to ensure consideration by the full House remains to be seen.

There is nothing in this bill that would engender any serious opposition and its passage by a voice vote in Committee indicates that it should receive substantial bipartisan support if it were to reach the floor. That would seem to indicate that if the bill were considered that it would proceed under the suspension of the rules provisions with limited debate and no floor amendments to be considered. This could allow the bill to be considered even before the summer recess if the Committee report is published in time.

Commentary

The one major deficiency that I see in this bill is that it does not include a specific definition of ‘cybersecurity’. This is especially important in the energy sector due to its substantial dependence on a wide variety of industrial control systems and increasing use of ‘smart technology’ based internet of things (IoT) devices at the delivery end of the systems.

I think that the crafters of this bill may trying to rely on the ‘all physical and cybersecurity threats’ language of §367(a)(1) to ensure that control system and IoT security issues will be addressed, but considering the congressional history of generally failing to address or even consider such issues in crafting cybersecurity legislation I think that is an inadequate shortcut. What I am really afraid of is the possibility that the staffers that wrote this bill did not even specifically intend to include control system or IoT security concerns.

I was impressed by the Barton amendment’s inclusion of the ‘vulnerability’ language with respect to the cybersecurity requirements. Even today, a policy wonk with little or no technical background could justifiably say that there is no real cybersecurity threat to the energy infrastructure in this country because there is no history of real, consequential attacks. The addition of the word ‘vulnerabilities’ significantly obviates that argument.

Finally, the amount of money authorized for the grant program, especially since it still includes energy efficiency programs, is ludicrously small. That is especially true if the ‘all physical and cybersecurity threats’ language is interpreted to include EMP and geomagnetic issues (again the lack of definition issue). Given the current budget issues, I suspect that this is all that is possible, but it is like providing funding for umbrellas to protect people from hurricanes.

Committee Hearings – Week of 6-25-17

This week with both the House and Senate in session, we are starting to see movement on spending bills, continued work on the National Defense Authorization Act (NDAA) and a couple of interesting markup hearings this week.

NDAA

As I mentioned last week the House Armed Services Committee started their work on HR 2810 in subcommittee markups. This week they will move to a full committee markup on Wednesday. The Senate bill has not been made public at this point.

Senate Armed Services Committee, 6-28-17 and 6-29-17 (maybe 6-30-17)

House Armed Services Committee, 6-28-17

The HASC web site has a link to a brief (16 page) description of HR 2810. There is an interesting one paragraph blurb on cyber issues on page 11.

Spending Bills

The House Appropriations Committee starts public work on the FY 2018 spending bills this week, starting with markups of the individual spending bills by the appropriate subcommittee. We will be starting with the DOD spending bill (actually the Defense Construction and Veterans Affairs bill was marked-up last week) and the Commerce, Justice and Science (CJS) bill this week. A committee draft of the DOD bill is available, but I have not had a chance to look at it.

DOD, House, subcommittee markup, 6-26-17

CJS, House, subcommittee markup, 6-29-17

Other Mark-up Hearings

On Wednesday the House Energy and Commerce will be holding a mark-up hearing looking at a number of bills including HR 3050, Enhancing State Energy Security Planning and Emergency Preparedness Act of 2017. I did not catch this bill when it was introduced on Friday because of the way it was described at Congress.gov. Seeing the title of the bill today got me to take a quick look at the available committee draft (GPO version is not yet available) and it does have cybersecurity provisions (more later). I will be watching this bill.

On Thursday the Senate Commerce, Science, and Transportation Committee will be holding an executive session that will include the markup of S 1405, the FY 2018 FAA authorization bill. The GPO version is not yet available but the committee draft shows that a number of sections of the bill deal with unmanned aircraft systems (UAS) including a re-write of the model aircraft restrictions on the FAA regulatory authority. There is currently no mention of cybersecurity in the bill.