Tuesday, May 10, 2022

S 2201 Passed in House – Supply Chain Risk Training

Today, the House took up S 2201, the Supply Chain Security Training Act of 2021, and passed it by a voice vote with only seven minutes of ‘debate’. Since the same version of the bill passed in the Senate, the bill now heads to President Biden for signature. There is no indication that the President has concerns about the bill, so it will probably be signed later this week.

The bill would require the General Services Administration to develop “a training program for officials with supply chain risk management responsibilities at executive agencies.” While the term ‘supply chain risk’ is not defined in the legislation, with both CISA and NIST referred to as coordination targets, I would suspect that the crafters were at least partially considering protecting hardware and software against unauthorized manipulation in transit between the manufacturer and the Federal user.

NOTE: S 1097, the Federal Rotational Cyber Workforce Program Act of 2021, also passed in the House this afternoon. Since this is purely a federal workforce issue with little or no potential effect on control system cybersecurity, I have not covered this bill. It is also going to Biden for signature.

Friday, July 9, 2021

HR 3599 Introduced - Federal Rotational Cyber Workforce Program

I will not be covering HR 3599, the Federal Rotational Cyber Workforce Program Act of 2021. As introduced, the bill (like S 1097) is a purely federal level IT workforce development tool. It does not contain any language or definitions that would indicate that it would apply to control system staff positions. Similar language was included in the version of S 1260, the United States Innovation and Competition Act of 2021, that was passed in the Senate last month.

Thursday, June 17, 2021

Review - S 1260 and Cybersecurity

With the recent publication of the engrossed version (passed in the Senate) of S 1260, the United States Innovation and Competition Act of 2021, I have now had a chance to go back and look at the cybersecurity related provisions that were included in the massive, 2,375-page bill. In addition to the new sections added in the substitute language that I briefly mentioned earlier, there were a number of provisions added in passing that are worthy of mention.

Protecting research from cyber theft

Section 2305 amends 15 USC 272(e)(1)(A) by adding ‘institutions of higher education’ to the list of considerations NIST has to address in developing consensus-based cybersecurity standards. Additionally, §2305(b) requires NIST to “disseminate and make publicly available resources to help research institutions and institutions of higher education identify, protect the institution involved from, detect, respond to, and recover to manage the cybersecurity risk of the institution involved related to conducting research.”

NASA Cybersecurity

Section 2676 (pg 690) would amend 51 USC 20301 by adding a requirement for the NASA Administrator to “up-date and improve the cybersecurity of NASA space assets and supporting infrastructure” {new §20301(c)}. NASA would also be required to establish a Cyber Security Operations Center. Finally, it would authorize NASA to “implement a cyber threat hunt capability to proactively search NASA information systems for advanced cyber threats that otherwise evade existing security tools” {§2676(c)(1)}.

Cyber Response and Recovery

Section 4252 (pg 1238) is the Cyber Response and Recovery Act. It is essentially the language of S 1316, which I have previously described in detail.

Federal Rotational Cyber Workforce Program

Division D of the bill includes Title II, Cyber and Artificial Intelligence. Subtitle B (pg 1257) of that Title is the Federal Rotational Cyber Workforce Program Act of 2021. It is essentially the language of S 1097 which the Senate Homeland Security and Governmental Affairs Committee ordered reported favorably last month.

Commentary

Almost all of the cybersecurity provisions in this bill are limited to information technology because of the language or definitions involved. It is not clear that that was the intention of the crafters of this bill, but it is certainly the effect.

For a more detailed look at the cyber provisions of S 1260, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1260-and-cybersecurity (subscription required).

Wednesday, May 12, 2021

HSGA Business Meeting – 5-12-21

Today the Senate Homeland Security and Governmental Affairs Committee met and considered 14 bills. This included four cybersecurity related pieces of legislation. Three of the four cybersecurity bills were ordered reported favorably by voice votes, two after substitute language was adopted. The fourth was held over pending additional work on amendments.

The approved bills were:

• S. 1097, Federal Rotational Cyber Workforce Program Act,

• S 1316, Cyber Response and Recovery Act, as amended,

• S 1350, National Risk Management Act of 2021, as amended.

The bill that was held over was S. 1324, Civilian Cyber Security Reserve Act.

The GPO printed official versions of all four bills this morning. I will be reviewing the introduced language in the coming days. The substitute language approved today will not be available for some time.

Monday, May 10, 2021

Update for Senate HSGA Markup – 5-12-21

The Senate.gov website now lists the bills that will be marked up by the Senate Homeland Security and Governmental Affairs Committee on Wednesday. The thirteen bills scheduled include four cybersecurity related measures:

• S 1097, to establish a Federal rotational cyber workforce program for the Federal cyber workforce {Sen. Peters (D,MI)},

• S 1316, to amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to make a declaration of a significant incident {Sen. Peters (D,MI)},

• S 1324, to establish a Civilian Cyber Security Reserve as a pilot project to address the cyber security needs for the United States with respect to national security {Sen. Rosen (D,NV)}, and

• S 1350, to require the Secretary of Homeland Security to establish a national risk management cycle {Sen. Hassan (D,NH)}.

The GPO has not yet published official versions of any of these bills, nor can I find them posted to the HSGA web site. Hassan’s web site does have a submission draft copy posted for S 1350, the ‘National Risk Management Act of 2021’. I will have a detailed review of that bill, based upon that draft, available later this evening. We may see S 1097 published this evening, but I doubt the GPO will get to S 1316 or S 1324 before Wednesday morning.

Wednesday, April 14, 2021

Bills Introduced – 4-13-21

Yesterday, with both the House and Senate in session, there were 84 bills introduced. One of those bills may receive additional coverage in this blog:

S 1097 A bill to establish a Federal rotational cyber workforce program for the Federal cyber workforce. Sen. Peters, Gary C. [D-MI]

I will be watching this bill for specific language and definitions that would include control system workforce personnel.

Sunday, April 28, 2019

HR 2139 Introduced – Gas Pipeline Safety


Earlier this month Rep. Trahan (D,MA) introduced HR 2139, the Leonel Rondon Pipeline Safety Act. The bill would make amendments to gas distribution pipeline safety rules. This bill is a companion bill (identical language) to S 1097.

While Trahan is not on either of the two Committees to which this bill was assigned, one of her two co-sponsors {Rep. Kennedy (D,MA)} is a member of the House Energy and Commerce Committee. This means that it is possible that this bill will be considered in Committee. While S 1097 is unlikely to be considered in the Senate, the Energy and Commerce Committee is likely to take up this bill where I would suspect that it would pass with a strictly partisan vote. Committee Chair politics almost ensures that the bill would not move to the floor of the House unless sponsors are added that have some influence on the Transportation and Infrastructure Committee.

The lack of bipartisan support for this bill ensures that it would have to be considered by the whole House subject to a rule. It is unlikely that anyone currently associated with the bill has enough political influence to see that happen.

These two bills are political moves to demonstrate to constituents that were directly or closely affected by a serious pipeline safety event that the sponsors of the bill are trying to do something to fix the problem. This is good politics even if no further action is taken on either bill.

Friday, April 26, 2019

S 1097 Introduced – Gas Pipeline Safety


Earlier this month Sen. Markey (D,MA) introduced S 1097, the Leonel Rondon Pipeline Safety Act. The bill would make amendments to gas distribution pipeline safety rules. Leonel Rondon was a teenager killed in the 2018 Merrimack Valley gas explosions. That incident is the impetus for the introduction of this legislation.

Distribution Integrity Management Plans


Section 2 of the bill would amend 49 USC 60109(e), Distribution Integrity Management Programs. The new sub-paragraph (7) would require the Secretary of Transportation within one year of adoption of this legislation to issue new regulations that would modify the requirements for distribution integrity management plan developed by operators of a distribution pipeline. The new language would require the evaluation of {new §60109(e)(7)(A)}:

The risks resulting from the presence of cast iron pipes and mains in the distribution system; and
The risks that could lead to or result from the operation of a distribution pipeline above the maximum allowable operating pressure.

This section would also require covered operators to submit to regulators within 180 days of the enactment of this bill {new §60109(e)(7)(C)}:

The distribution integrity management plan of the operator;
The emergency response plan under section 192.615 of title 49 CFR; and
The procedural manual for operations, maintenance, and emergencies under section 192.605 of title 49 CFR.

The Secretary would also be required to promulgate regulations that would ensure that authorized State Regulating Authorities have the capabilities to review and evaluate the documents required to be submitted by this section.

Emergency Response Plans


Section 3 of the bill would amend 49 USC 60102 by adding a new paragraph (q). It would require the Secretary to amend the emergency response plan requirements of 49 CFR 192.615 by adding requirements for written procedures for {new §60102(q)}:

Establishing communication with fire, police, and other relevant public officials as soon as practicable, but not later than 30 minutes, after a gas pipeline emergency;
Establishing public communication as soon as practicable and in consultation with fire, police, and other public officials after a gas pipeline emergency; and
The development and implementation of a voluntary, opt-in system that would allow operators of distribution pipelines to rapidly communicate with customers in the event of an emergency.

Operations and Maintenance Manuals


Section 4 of the bill would also amend §60102 by adding a new paragraph (r). This new paragraph would require the amendment of 49 CFR 192.605 to include requirements that the procedure manuals required by that paragraph include written procedures for {new §192.605(r)}:

Responding to over pressurization alarms, including a clear timeline and order of operations for shutting down portions of the gas distribution system, if necessary; and
A detailed procedure for a management of change process, which shall be applied to all changes to the distribution system, and which shall ensure that relevant employees of an operator of a distribution pipeline review construction documents for accuracy, completeness, and correctness.

Pipeline Safety Management Systems


Section 5 of the bill would further amend §60102 with another new paragraph (s). This would require regulations establishing requirements for distribution pipeline operators to develop and implement a pipeline safety management systems framework in accordance with Recommended Practice 1173 of the American Petroleum Institute. Copies of the framework would be submitted to regulators. Regulators would then be required to evaluate the documents to ensure that {new §60102(s)(4)}:

Those frameworks are effective and complete; and
Operators of distribution pipelines are in compliance with those frameworks.

The use of third-party auditors to conduct the required evaluations would be authorized by this bill.

Pipeline Safety Practices


Section 6 of the bill would finally add a new paragraph (t) to §60102. This would also require the Secretary to prepare new regulations to:

• Add new record keeping requirements;

• Require a licensed professional engineer to approve work plans required under 49 CFR 192.801(b);

• Include in those work plans a requirement to “monitor gas pressure and have the capability to shut down the flow of gas at a district regulator station during any construction project that has the potential to cause a hazardous over-pressurization at that station” {new §60102(t)(3)(A)};

• Require gas line distribution operators to ensure that {new §60102(t)(4)(A)}:

  • There is no possibility for a common mode of failure in the regulator technology of the station that could lead to an operating pressure that is greater than the maximum allowable operating pressure;

  • The station has monitoring technology that provides constant awareness of gas pressure at the station; and

  • The station has additional pressure-relieving safety technology, such as a relief valve or automatic shutoff valve, as appropriate for the configuration and siting of the station; and

• Promote sufficient staffing for monitoring and regulating gas pressure levels by each operator of a distribution pipeline.

Civil Penalties


Section 7 of the bill amends 49 USC 60122(a)(1), increasing civil penalty limits both per violation and for the total amount for a related series of violations of 49 USC 60114(b) and (d) (One-call notification system requirements) and §60118(a) (safety standards and integrity management program mandate). The minimum per-violation, per-day penalty limit would be increased from $200 thousand to $20 million and the penalty limit for a related series of violations would be increased from $2 million to $200 million.

Moving Forward


Markey and one of his two cosponsors {Sen. Blumenthal (D,CT)} are both influential members of the Senate Commerce, Science, and Transportation Committee. Generally, this is sufficient to make it likely that the bill would be considered in Committee. Unfortunately, the fine increases in §7 of the bill will almost certainly cause the Republican committee leadership to ignore this bill, and I suspect that the Republican members of the Committee would quickly fall in line to oppose this bill if it were brought before the Committee.

Commentary


Some of the changes to 49 USC proposed in this legislation directly address recommendations made by the National Transportation Safety Board (NTSB) in their interim Safety Recommendation Report on the Merrimack Valley incident. The NTSB report targets their recommendations at the Commonwealth of Massachusetts and NiSource, Inc., rather than at the gas pipeline industry in general. Markey’s bill would make the recommended changes across the gas transmission pipeline industry. Whether or not that is regulatory overreach remains to be seen. It would be interesting to see what congressional hearings on the topic revealed.

One of the problems with knee-jerk legislative responses to very visible tragic industrial accidents is that there are frequently unintended consequences of well-meaning legislative requirements. It is usually difficult to predict those unintended consequences, but there is one in this bill that could potentially be far reaching. In the new §60122(t)(4)(A)(i) the bill requires new DOT regulations to ensure that “there is no possibility for a common mode of failure in the regulator technology of the station that could lead to an operating pressure that is greater than the maximum allowable operating pressure”. One very real ‘common mode of failure in regulator technology’ would be a cyberattack on the industrial control system that controlled the pipeline pressure. Since we have seen that even automated safety systems are potentially subject to cyber-attack, the ‘no-possibility’ standard would require a fully-analog safety system. While such systems are also subject to failure, they generally would be unaffected by the ‘common mode failure’ due to cyber-attack.

While I would certainly argue that the reasonable regulation of cybersecurity for gas transmission pipelines would be a good thing, such regulations should be carefully considered and well thought out by both regulators and the system operators. A backdoor cybersecurity requirement in a knee-jerk response to a mainly analog system incident certainly does not meet that standard.
