Showing posts with label HR 5240. Show all posts

Sunday, June 13, 2021

Review - HR 2931 Introduced – Enhancing Grid Security

Back in March Rep McNerney (D,CA) introduced HR 2931, the Enhancing Grid Security through Public-Private Partnerships Act. The bill would require the Department of Energy (DOE) to establish a voluntary security program for electric utilities and provide a report to Congress on the cybersecurity of electricity distribution systems. Similar bills have been introduced and passed in the House going back to the 115th Congress (see HR 5240 in the 115th Congress).

NOTE: This bill was reviewed using a Committee Print; the GPO has not yet printed an official copy of the bill.

Moving Forward

Last Thursday, the House Energy and Commerce Committee held a markup hearing that included consideration of this bill. It was approved, without amendment, by a voice vote. This indicates that this bill, like the similar bills in the last two congresses, has strong bipartisan support. The bill will be considered in the full House under the suspension of the rules process. This means that there will be limited debate, no floor amendments and the bill will require a supermajority to pass. The bill will likely pass with strong bipartisan support.

Commentary

This bill is job justification legislation. Congresscritters want to get reelected, so they demonstrate that they take action to solve problems. This bill is designed to do just that. DOE is already doing most of what is required in this bill. That is why no funding authorization is needed in the bill; funds have already been allocated for these activities.

For a more detailed look at the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2931-introduced (subscription required)

Monday, January 14, 2019

HR 359 Introduced – DOE Cybersecurity


Last week Rep. McNerney (D,CA) introduced HR 359, the Enhancing Grid Security through Public-Private Partnerships Act. This bill is nearly identical to HR 5240 that was introduced last session and cleared through the House Energy and Commerce Committee without modification. While the earlier bill did not make it to the floor of the House, HR 359 will be considered under suspension of rules tomorrow.

There are only two differences between the two bills. First, HR 359 now includes ‘the Electric Reliability Organization’ in the §2(a) list of organizations with which the Secretary of Energy will consult in developing the program to promote and advance the physical security and cybersecurity of electric utilities. Second, the new bill includes a definition of ‘the Electric Reliability Organization’ in the list of definitions in §5. Needless to say, these changes are inconsequential.

The House leadership expects that this bill will pass with substantial bipartisan support; the same support that it received in Committee last session.


Wednesday, May 9, 2018

Energy and Commerce Committee Takes up Cybersecurity Bills


Today, in a markup hearing that was billed as being about opioid abuse legislation (and mostly was), the House Energy and Commerce Committee took up four cybersecurity bills that had previously been adopted in subcommittee action. All four cybersecurity bills were adopted by voice votes, with two of them being amended. The action on these cybersecurity bills came at the end of the almost four-hour-long hearing.

The four cybersecurity bills were:

HR 5174, Energy Emergency Leadership Act;
HR 5175, Pipeline and LNG Facility Cybersecurity Preparedness Act;
HR 5239, Cyber Sense Act; and
HR 5240, Enhancing Grid Security through Public-Private Partnerships Act

Committee Amendments


The pipeline cybersecurity bill was amended. The amendment was offered by Rep. Upton (R,MI) who is the Chair of the Energy Subcommittee. The major portion of this amendment was the addition of §3, Savings Clause. That section states:

“Nothing in this Act shall be construed to modify the authority of any Federal agency other than the Department of Energy relating to physical security or cybersecurity for natural gas pipelines (including natural gas transmission and distribution pipelines), hazardous liquid pipelines, or liquefied natural gas facilities.”

This amendment indirectly addresses the roles of both the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) and DHS’ Transportation Security Administration in protecting pipeline safety and security. This should alleviate the conflicts with the House Transportation and Infrastructure Committee and the House Homeland Security Committee over jurisdictional issues that I identified in my earlier post.

The enhancing grid security bill was amended. The amendment was offered by Rep. Latta (R,OH). It added the Electric Reliability Organization as one of the agencies with which the Department of Energy would consult in developing the program outlined in the bill. The amendment also provided a definition of the term ‘Electric Reliability Organization’.

Moving Forward


This was probably the last time that there would be any opportunity to modify the language in these four bills. It is likely that they will move to the House floor, probably before the summer recess. They will almost certainly be considered under the House suspension of the rules provisions, which limit debate and prohibit amendments from the floor. They will all almost certainly pass with broad bipartisan support.

If any of these bills get taken up by the Senate (impossible to predict) it will probably be under similar abbreviated consideration provisions as we will see in the House.

Friday, April 20, 2018

House Subcommittee Marks-Up Energy Security Bills


On Wednesday the Subcommittee on Energy, of the House Committee on Energy and Commerce, held a markup hearing on five energy bills. Four of the bills have been covered in this blog and those bills passed on voice votes; two of them were amended with substitute language from the original offerors. The four bills that have been addressed in this blog:

HR 5174, Energy Emergency Leadership Act;
HR 5175, Pipeline and LNG Facility Cybersecurity Preparedness Act (amended);
HR 5239, Cyber Sense Act (amended); and
HR 5240, Enhancing Grid Security through Public-Private Partnerships Act

HR 5175 Changes


The one change made to HR 5175 in the substitute language is relatively minor. It adds a phrase to §2(1) to expand the coordination requirement by adding: “including through councils or other entities engaged in sharing, analysis, or sector coordinating”.

HR 5239 Changes


The changes to HR 5239 are mainly grammatical and would have little effect on the operation of the Cyber Sense program that is proposed by this bill. There is one potentially significant change: §2(b)(7) from the original bill was removed. That paragraph had provided a requirement for the Secretary of Energy to “establish procedures for disqualifying products that were tested and identified as cyber-secure under the Cyber Sense program but that no longer meet the qualifications to be identified cyber-secure products”. There is nothing in the revised program that would prohibit such a disqualification.

Moving Forward


The bipartisan support received in the subcommittee will almost certainly be duplicated when these bills are taken up by the whole committee. The question then will be to see if the sponsors and the Committee leadership have enough influence (or are willing to expend the effort to influence) to bring these bills before the full House. I firmly expect that we will see some version of these bills reach the floor under the suspension of the rules procedure in the House. Again, that means limited debate and no floor amendments. I would not be surprised to see all five bills considered on a single day.

Commentary


The removal of the language in HR 5239 providing for the establishment of a process to disqualify products that no longer meet the Cyber Sense standards brings up an interesting legal situation. As I said earlier, there is nothing in the bill that would specifically prohibit the Secretary from establishing such rules. But, having said that, a good lawyer could argue before a friendly judge that the removal of the specific authority to establish such a disqualification process from the language in the bill establishes a congressional intent that such authority can no longer be exercised by the Secretary absent specific authorization by Congress.

What this very well could end up meaning is that once a vendor becomes authorized to use the ‘Cyber Sense’ label on their product, they will no longer have to work to maintain the ‘Cyber Sense’ standards because the Secretary would not have the authority to require the vendor to remove the ‘Cyber Sense’ labeling. If vendor flouting of the ‘Cyber Sense’ standards becomes widespread, the efficacy of the whole program would be called into question, destroying the process.

If this problem is to be addressed, it will almost certainly have to be done during the Energy and Commerce mark-up hearing that will probably be conducted in the next couple of weeks. After that, if the bill moves forward, it would almost certainly be under processes in both the House and Senate that would not allow for amendments to the bill from the floor.

Wednesday, March 28, 2018

HR 5240 Introduced – DOE Cybersecurity Programs


Earlier this month Rep McNerney (D,CA) introduced HR 5240, the Enhancing Grid Security through Public-Private Partnerships Act. The bill would require the Department of Energy (DOE) to establish a voluntary security program for electric utilities and provide a report to Congress on cybersecurity of electricity distribution systems.

Voluntary Security Program


Section 2 of the bill would require DOE to establish a program that would {§2(a)}:

• Develop, and provide for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities;
• Provide training to electric utilities to address and mitigate cybersecurity supply chain management risks;
• Increase opportunities for sharing best practices and data collection within the electric sector;
• Assist with cybersecurity training for electric utilities;
• Advance the cybersecurity of third-party vendors that work in partnerships with electric utilities; and
• Provide technical assistance for electric utilities subject to the program.

Distribution System Cybersecurity Report


Section 3 of the bill would require DOE to prepare a report to Congress that would assess {§3(a)}:

• Priorities, policies, procedures, and actions for enhancing the physical security and cybersecurity of electricity distribution systems to address threats to, and vulnerabilities of, such electricity distribution systems; and
• Implementation of such priorities, policies, procedures, and actions, including an estimate of potential costs and benefits of such implementation, including any public-private cost-sharing opportunities.

Moving Forward


Both McNerney and his sole co-sponsor, Rep Latta (R,OH), are senior members of the House Energy and Commerce Committee, to which this bill was assigned for consideration. They would certainly seem to have the influence necessary to see this bill considered in Committee.

There is nothing in the bill that would draw specific opposition and it would appear that there would be broad bipartisan support for the bill both within Committee and on the floor of the House should it reach that body.

Commentary


This is another motherhood and apple pie bill that is a perfect example of form over function. No monies are authorized for the programs, there is no deadline for the report to Congress, and there is not even a snazzy name for the voluntary program. This is simply a congressional ‘look at us, we are doing something’ bill.

Normally, I would suspect that bills of this sort would have been crafted by Committee staff, given that there is bipartisan sponsorship by two different Committee members. I do not think that this is the case with this bill. Both §2 and §3 contain language providing protection from disclosure for information provided to DOE by utilities in developing the voluntary program and the report to Congress. While this is certainly necessary when considering any security program, the wording is incomplete. I would have expected Committee staff, who should be experts in DOE programs, to have referred to the Critical Energy Infrastructure Information (CEII) program used by FERC, to provide more comprehensive information protection and to limit that protection to only security related matters.

Tuesday, March 13, 2018

Not a Markup Hearing


Well, it turns out that the Energy Subcommittee hearing on the four DOE emergency response and security bills is not a mark-up hearing after all. Last night the witness list was announced, so it seems as if this will be an information gathering hearing with a possible mark-up at some later date.

Updated Hearing Information


The witness list includes:

Mark Menezes, US Department of Energy;
Scott Aaronson, Edison Electric Institute;
Mark Engels, Dominion Energy;
Kyle Pitsor, National Electrical Manufacturers Association;
Zachary Tudor, Idaho National Laboratory; and
Tristan Vance, Indiana Office of Energy Development

The links provided above are to the witness testimony that will be presented at tomorrow’s hearing. The Sub-Committee staff has also produced a background document for the meeting.

Interesting Info in Testimony


Menezes notes that (pg 1):

“To demonstrate our focus on the aforementioned mission [to protect the Nation’s critical energy infrastructure from physical security events, natural and man-made disasters, and cybersecurity threats], the Secretary announced last month that he is establishing an Office of Cybersecurity, Energy Security, and Emergency Response (CESER). This organizational change will strengthen the Department’s role as the Sector-Specific Agency (SSA) for Energy Sector Cybersecurity, supporting our national security responsibilities.”

Menezes also notes that (pg 6):

“Advancing the ability to improve situational awareness of OT networks is a key focus of DOE’s current activities. The Department is currently in the early stages of taking the lessons learned from CRISP and developing an analogous capability for threat detection on OT networks via the Cybersecurity for the Operational Technology Environment (CYOTE) pilot project. Observing anomalous traffic on networks – and having the ability to store and retrieve network traffic from the recent past – can be the first step in stopping an attack in its early stages.”

Engels notes that (pg 3):

“A more expedient [coordinating security activities of DOT and TSA] approach may be to encourage a Memo of Understanding (MOU) between DOE and TSA that outlines roles and responsibilities for dealing with cyber and physical security for the ONG sector. TSA already has an MOU with the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) which has responsibility for pipeline safety. Depending on the type of event, the TSA/DOT MOU has been critical in helping operators understand which Federal entity is the lead agency.”

Engels also notes that (pg 8):

“In 2016, TSA, again working with asset owners, industry associations, and the Department of Homeland Security’s Industrial Control System’s Cyber Emergency Response Team (DHS ICS-CERT), gathered input to update the Guidelines using the National Institute of Standards and Technology’s (NIST) Cyber Security Framework as a model. The updated [Pipeline Security] Guidelines are scheduled for release in the first half of 2018. Industry also provided input to augment the set of cybersecurity questions used in the Corporate Security Reviews (CSR) conducted by TSA.”

Engels also notes that (pgs 12-13):

“INL has undertaken several initiatives to stand up test environments for Industrial Control Systems (ICS). One such initiative was called RENDER (Risk Evaluation Nexus for Digital Age Energy Reliability). RENDER created a three way sharing arrangement involving the lab, the vendor and the asset owner. Previous projects excluded the asset owner from the equation, creating uncertainty associated with remediation of the vulnerabilities identified by INL. With RENDER, the asset owner not only could see what vulnerabilities were discovered, but provide input to the vendor about how critical or not the vulnerability was to the asset owner. This allowed the vendor to prioritize corrections that made the most sense to the asset owners.”

Tudor notes that (pg 4):

“INL developed and completed an initial pilot study of our proprietary Consequence driven, Cyber-informed Engineering (CCE) methodology with Florida Power and Light (FPL) through a Cooperative Research and Development Agreement (CRADA). CCE was developed to address the realization that constantly “chasing” threats and vulnerabilities, rather than getting ahead of these problems, is not sufficient to secure our critical systems. CCE is designed to assist asset owners in understanding the most effective and immediate actions they can take to eliminate the opportunity of the “worst-case” cyber-physical impacts from an attack by the most capable cyber adversaries. CCE leverages an organization’s knowledge and experiences with their systems and processes to “engineer out” the potential for the highest consequence events.”

This could be an interesting hearing.

Monday, March 12, 2018

Committee Hearings – Week of 03-11-18


Both the House and Senate will be in Washington this week. Budget hearings continue to be the big news with hearings starting to get down to the agency level. There is also one cybersecurity markup hearing scheduled.

Budget Hearings

Coast Guard, House, Subcommittee – Wednesday
TSA, House, Full Committee – Wednesday
DOT, House, Subcommittee – Thursday
DOE, House, Subcommittee – Thursday

I do not pay much attention to budget hearings. They are just the start of the appropriations process and it is the end game that provides specific funding for specific programs that really means something in the real world.

Cybersecurity Markup


On Wednesday the Energy Subcommittee of the House Energy and Commerce Committee will hold a markup hearing looking at four bills dealing with cybersecurity issues in the Department of Energy. The bills include:

HR 5174, Energy Emergency Leadership Act;
HR 5175, Pipeline and LNG Facility Cybersecurity Preparedness Act;
HR 5239, Cyber Sense; and
HR 5240, Enhancing Grid Security

All of these bills were introduced last week and I have not seen official copies on the Congress.gov web site, so I have not reviewed any of these bills in detail. The links provided above are to Committee drafts of the bills; I will start my reviews later today based upon these copies.

Saturday, March 10, 2018

Bills Introduced – 03-09-18


Yesterday, with just the House meeting in pro forma session, there were 12 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 5239 To require the Secretary of Energy to establish a voluntary Cyber Sense program to identify and promote cyber-secure products intended for use in the bulk-power system, and for other purposes. Rep. Latta, Robert E. [R-OH-5]

HR 5240 To provide for certain programs and developments in the Department of Energy concerning the cybersecurity and vulnerabilities of, and physical threats to, the electric grid, and for other purposes. Rep. McNerney, Jerry [D-CA-9]

