Showing posts with label S 2444. Show all posts

Monday, August 19, 2019

S 2333 Introduced – Grid Security


Last month Sen. Cantwell (D,WA) introduced S 2333, the Energy Cybersecurity Act of 2019. The bill would require the Department of Energy to address electric grid cybersecurity, resiliency and risk assessment issues. This bill is essentially identical to S 2444 from last session which was also introduced by Cantwell. No action was taken on the earlier bill.

Cantwell is still a senior member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. That was not enough last session to ensure that the bill was considered in Committee. The problem remains the authorization for the expenditure of funds for the various programs in the bill. It is unlikely that the new budget agreement reached just before the Senate left for summer recess will change the funding situation.

Tuesday, February 27, 2018

S 2444 Introduced – Grid Security


Earlier this month Sen. Cantwell (D,WA) introduced S 2444, the Energy Cybersecurity Act of 2018. It would require the Department of Energy to address electric grid cybersecurity, resiliency and risk assessment issues.

Cybersecurity


Section 3(a) would require the Secretary to address energy sector cybersecurity issues. It would require DOE to develop cybersecurity applications and technologies to {§3(a)(1)(A)}:

• Identify and mitigate vulnerabilities; and
• Advance the security of field devices and third-party control systems;

The vulnerabilities that are required to be addressed specifically include {§3(a)(1)(A)(i)}:

• Dependencies on other critical infrastructure; and
• Impacts from weather and fuel supply.

The security advances would specifically include devices and systems such as {§3(a)(1)(A)(ii)}:

• Systems for generation, transmission, distribution, end use, and market functions;
• Specific electric grid elements including advanced metering, demand response, distributed generation, and electricity storage;
• Forensic analysis of infected systems; and
• Secure communications

The bill would authorize the expenditure of $65 million per year through 2026 for these efforts.

Cyberresilience Testing


Section 3(b) of the bill would require the Secretary to develop a cyberresilience testing program “to identify vulnerabilities of energy sector supply chain products to known threats” {§3(b)(1)(A)}. The program would include oversight of third party cyber-testing and developing procurement guidelines for energy sector supply chain components. The bill would authorize the expenditure of $15 million per year for this program.

Cyberresilience Operational Support


Section 3(c) of the bill would allow the Secretary to carry out a program to {§3(c)(1)}:

• Enhance and periodically test the emergency response capabilities of the Department in coordination with other agencies, the National Laboratories, and private industry;
• Expand cooperation of the Department with the intelligence communities for energy sector-related threat collection and analysis;
• Enhance the tools of the Department and ES–ISAC for monitoring the status of the energy sector;
• Expand industry participation in ES–ISAC; and
• Provide technical assistance to small electric utilities for purposes of assessing cyber-maturity level.

The bill would authorize the expenditure of $10 million per year for these activities.

Energy Sector Infrastructure Risk


Section 3(d) of the bill would require the Secretary to “develop an advanced energy security program to secure energy networks, including electric, natural gas, and oil exploration, transmission, and delivery” {§3(d)(1)}. The goal of the program would be “to increase the functional preservation of the electric grid operations or natural gas and oil operations in the face of natural and human-made threats and hazards, including electric magnetic pulse and geomagnetic disturbances” {§3(d)(2)}.

To support this effort the Secretary would be allowed to {§3(d)(3)}:

• Develop capabilities to identify vulnerabilities and critical components that pose major risks to grid security if destroyed or impaired;
• Provide modeling at the national level to predict impacts from natural or human-made events;
• Develop a maturity model for physical security and cybersecurity;
• Conduct exercises and assessments to identify and mitigate vulnerabilities to the electric grid, including providing mitigation recommendations;
• Conduct research hardening solutions for critical components of the electric grid;
• Conduct research mitigation and recovery solutions for critical components of the electric grid; and
• Provide technical assistance to States and other entities for standards and risk analysis.

The bill would authorize the expenditure of $10 million per year to support these activities.

Moving Forward


Cantwell is the Ranking Member on the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. This would seem to indicate that she could have the necessary influence to see this bill considered by that Committee. The lack of a Republican co-sponsor, however, may indicate the lack of bipartisan support necessary to see the bill moved out of Committee.

The big stumbling block to moving this bill forward is the inclusion of funding authorization for the programs described in the bill. While the amounts authorized are small on the federal money scale, under Senate rules they would still have to come out of existing funding. If Cantwell can identify funding sources for this bill, it would make moving the bill forward much easier.

Commentary


Section 2 of the bill does provide definitions of some of the organization terms used in the bill, but it does not address any of the technical definitions of terms like ‘cybersecurity’ or ‘cyberresilience’. I suspect that this was done to provide the Secretary with the widest possible latitude in exercising authority under this legislation. Unfortunately, I think that this would actually have the opposite effect, actually limiting what actions are taken.

As I am with most pieces of cybersecurity legislation that I review, I am disappointed that Cantwell (and her Committee Staff who actually crafted this bill) fails to address the role of independent security researchers in discovering vulnerabilities in software and devices. Section 3(b) of this bill would have been an excellent place to address this issue.

Instead of establishing a “cybertesting (sic) and mitigation program to identify vulnerabilities of energy sector supply chain products” the bill should have established an office in the DOE responsible for the identification and coordination of cyber-vulnerability mitigation in devices and applications used in the energy sector. While this is very similar to what ICS-CERT is currently doing on a voluntary basis for a much wider range of devices, a DOE-CERT would be given the specific responsibility to push vulnerability communications down to covered user-entities. Positive vendor responses to vulnerability identification could be ensured by DOE-CERT requiring covered user-entities to take specific compensatory measures when vendors cannot or will not mitigate vulnerabilities. A DOE-CERT could also provide support to the independent researcher community by managing a DOE bug bounty program.

Finally, I would have liked to have seen this bill specifically address supporting {in §3(c)} National Guard cyber units in preparing for emergency response for cyber related grid emergencies. This would be particularly appropriate for grid emergencies that cross State boundaries. A DOE resiliency office could serve as a coordinating office for multi-state planning and execution of responses to grid emergencies. This non-military coordination would provide political and legal cover for posse comitatus concerns.

Friday, February 16, 2018

Bills Introduced – 02-15-18


With the Senate heading home for a week in district (and the House preparing to do the same) there were 65 bills introduced yesterday. Of those, four may be of specific interest to readers of this blog:

HR 5040 To authorize the President to control the export, reexport, and transfer of commodities, software, and technology to protect the national security, and to promote the foreign policy, of the United States, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

S 2444 A bill to provide for enhanced energy grid security. Sen. Cantwell, Maria [D-WA]

S 2445 A bill to provide for the modernization of the electric grid, and for other purposes. Sen. Cantwell, Maria [D-WA] 

S 2447 A bill to accelerate smart building development, and for other purposes. Sen. Cantwell, Maria [D-WA]

With all of these bills I will be looking for control system cybersecurity issues in determining whether or not to continue coverage of the bill in this blog. I suspect that S 2444 has the highest chance of future coverage.

As always, the large number of bills introduced before an extended stay outside of Washington is seldom due to an increased interest in legislative activity. Most of the bills introduced yesterday will receive no consideration on the Hill. Most are introduced to allow the submitter to claim to be taking action of interest in speaking before organizations and financial supporters back home.

Saturday, September 13, 2014

Congressional Hearings – Week of 9-14-14

Currently this coming week is the last scheduled full week for both houses of Congress to be in Washington before the November elections (that may change), but there is currently only one hearing scheduled that might be of interest to readers of this blog: a markup hearing in the Senate.

Mark-up Hearing

The Senate Commerce, Science and Transportation Committee will hold an executive session on Wednesday where they will amend and/or vote on a number of bills. Two of those may be of specific interest to readers of this blog:

S 2444, the Coast Guard Authorization Act for Fiscal Years 2015 and 2016 
S 2777, Surface Transportation Board Reauthorization Act of 2014

NOTE: The STB bill does not currently contain any provisions specifically targeted at chemical transportation matters or that would be expected to affect consideration of chemical transportation matters.

Continuing CR


The House Majority Leader’s web site does say that HJ Res 124 will be considered on the floor this week under a rule. There is not currently a Rules Committee hearing set for that rule. I expect that we will see such a meeting on Monday or Tuesday.

Sunday, June 22, 2014

S 2444 – Introduced – FY 2015 CG Authorization

As I noted earlier this month, Sen. Begich (D,AK) introduced S 2444, the Coast Guard Authorization Act for Fiscal Years 2015 and 2016. As has been common for a number of years now, there is no mention of chemical security issues or operations under the Maritime Transportation Security Act (MTSA).

The only mention of chemical transportation safety issues is a revision for vessel oil spill response plans that provides for worst case scenario planning for oil drilling rigs {§508}.


As I mentioned earlier today, there will be a markup of this bill this week. I doubt that we will see any language on chemical security issues.

Friday, June 6, 2014

Bills Introduced – 06-05-14

The House met yesterday in pro forma session (so most members were still back home) and the Senate was in full session. Between the two there were 25 bills introduced; three of which may be of specific interest to readers of this blog:

S 2437 Latest Title: An original bill making appropriations for Departments of Commerce and Justice, and Science, and Related Agencies for the fiscal year ending September 30, 2015, and for other purposes. Sponsor: Sen Mikulski, Barbara A. (D,MD)

S 2438 Latest Title: An original bill making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2015, and for other purposes. Sponsor: Sen Murray, Patty (D,WA)

S 2444 Latest Title: A bill to authorize appropriations for the Coast Guard for fiscal years 2015 through 2016, and for other purposes. Sponsor: Sen Begich, Mark (D,AK)


The CJS spending bill might contain cybersecurity provisions. The THUD spending bill will address chemical transportation issues. The CG Authorization bill might contain chemical security provisions. We will just have to wait and see when they are printed. As always with these types of bills, the Committee Reports will be almost as important as the actual bills.
 