
Tuesday, July 24, 2018

S 3153 Introduced – FY 2018/19 Intel Authorization


Last month Sen. Burr (R,NC) introduced S 3153, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. Both the bill and the accompanying Committee Report pay special attention to control system security issues.

Energy Sector Cybersecurity


Section 732 of the bill would require the Secretary of Energy to establish a 2-year pilot program to study control system security in the energy sector. The pilot program would be funded at $10 Million for the 2-year study. This section is essentially the same as S 79 which was reported in the Senate earlier this year by the Energy and Natural Resources Committee.

ICS Security and the Intelligence Community


On page 17 of the Committee Report, the matter of industrial control system security is directly addressed. The Report notes:

“The Committee is aware of significant threats to our critical infrastructure and industrial control systems posed by foreign adversaries. The sensitive nature of the information related to these threats make the role of the IC of vital importance to United States defensive efforts. The Committee has grave concerns that current IC resources dedicated to analyzing and countering these threats are neither sufficient nor closely coordinated. The Committee includes provisions within this legislation to address these concerns.”

Section 732 of the bill (described above) is the only place that I can find in the unclassified portions of the bill and annexes that directly mentions activities related to ICS security.

Moving Forward


The House passed HR 6237, the House version of this bill, earlier this month. While the House bill did receive a large measure of bipartisan support, the Senate will still take up this version of the bill as an amendment to HR 6237 when it comes to the floor of the Senate. I expect that to happen sometime after the Senate returns from the abbreviated summer recess next month. There will be some contentious political amendments offered for the bill when it makes it to the floor, but eventually a version of the bill will be passed and then a conference committee will meld the two versions together into a workable whole.

Commentary


It is interesting to see the language from S 79 appear in this bill. Sen. King (I,ME) has been trying to get this bill to move forward through two sessions of Congress now, so it is not unexpected that he would use his position on the Intelligence Committee to try to advance the bill when it was apparently stalled after being approved in the Energy and Natural Resources Committee.

The association between this bill and the intelligence community is vague to say the least. The working group to be established would be under the Department of Energy, which does have some tenuous ties to the IC, but that has been mainly in support of the nuclear weapons program, not power generation. King has always included a representative of the IC in the working group {§732(c)(2)(F) in this bill}, but that always seemed to me to be a pro forma inclusion as a source of information rather than an actual participant.

It will be interesting to see where the funds come from to support this program. If they come out of the intelligence spending bill, then I expect that the role of the IC will be much more important in the activities of the working group and the resulting study.

One political fact is certain, however. Since the authorization for the program (if it makes it to the final bill that reaches the President’s desk) comes from the Intelligence Committee, it will be that Committee (and its House counterpart) that will provide the oversight for the program; that alone will color many of the decisions made as the program proceeds.

Saturday, May 12, 2018

S 79 Reported in Senate – Energy Sector Security


This week the Senate Energy and Natural Resources Committee published their report on S 79, the Securing Energy Infrastructure Act. It was accompanied by the revised language for the bill that was adopted by that Committee earlier this year. The next step for the bill will be for its consideration before the Senate.

I have already covered the changes in the bill so most of this report is old news. The ‘Background and Need’ section of the report (pgs 3-4) is well worth reading as a succinct statement about the state of control system security, at least as it is seen by Congress. The whole thing is worth reading, but I would like to quote the last paragraph in full:

“As it has become increasingly clear that industrial control systems are vulnerable to attack, it has also become apparent that there is insufficient information available to the Department of Energy, the National Laboratories, electric utilities, manufacturers of grid-related equipment, and other interested entities about the security vulnerabilities of these systems. Also lacking is a sufficient evaluation of technology and standards to isolate and defend industrial control systems from security vulnerabilities in the most critical systems. Finally, as identifying cyber vulnerabilities and defending against them is a responsibility shared by multiple government agencies and private sector institutions including asset owners, further opportunities for working-level collaboration by these entities are necessary.”

It will be interesting to see if/when this bill makes it to the floor of the Senate. With the strong bipartisan support that it received in Committee, I expect that it will be able to pass if it is considered. Again, probably the strongest impediment to this bill passing is the $11.5 million authorized to support its requirements. That is federal chump change, but the money has to come from somewhere and that can be contentious.

Friday, March 9, 2018

Senate Committee Marks-up S 79 – Energy Sector Security


Yesterday the Senate Energy and Natural Resources Committee marked up a number of bills, including S 79, the Securing Energy Infrastructure Act. The Committee adopted substitute language by voice vote. The new language made only minor changes.

Changes


In §2 of the bill, a new definition was added: ‘Appropriate Committee of Congress’. This is a standard term used to specify which committees are to receive copies of the reports outlined in the bill.

Section 5 of the bill was modified to add an interim report (after 180 days) to Congress in addition to the report after two years.

The order of sections 6, 7, and 8 was shuffled for some unfathomable reason.

The new §7 (previously 6) was reworded to more explicitly outline the protections from disclosure that would be applied to information shared by the private sector with DOE as part of the studies outlined in the bill.

Moving Forward


The second step in the legislative process (congressional hearings) has now been cleared on this bill. The bipartisan support that the bill received yesterday is certainly indicative of the support that could be expected if/when the bill makes it to the floor of the Senate. The question now is if the Committee Chair {Murkowski (R,AK)} will exert enough influence to get the bill to the Senate floor. The bill is innocuous enough (other than the spending provisions) that it would probably be considered under the Senate’s ‘without objection’ process, which eases the time constraint problem legislation has in the Senate.

Tuesday, October 10, 2017

HR 3958 Introduced – Energy Infrastructure Security

Last week Rep. Ruppersberger (D,MD) introduced HR 3958, the Securing Energy Infrastructure Act of 2017. This bill is very similar to S 79, introduced earlier this year. This is not technically a companion bill because several additions have been made to the language of the bill, but it does serve the same purpose.

Changes Made


This bill adds some relatively minor bits of language to that found in S 79. Those include:

• Section 2(2) – Adds the definition of ‘Director’ as the DOE Director of Intelligence and Counterintelligence;
• Section 5(a) – Adds a requirement for an interim report to Congress at 180 days; and
• Section 5(c) – Adds a definition of ‘Appropriate Committees of Congress’.

Moving Forward


Neither Ruppersberger nor his single co-sponsor {Rep. Carter (R,TX)} are members of the House Science, Space, and Technology Committee to which this bill was assigned for consideration. This means that the bill is not likely to be taken up by that Committee.

There are some funds authorized by this bill ($10 million for the pilot and $1.5 million for government study and report) which makes passage of the bill more complicated. Ruppersberger and Carter are both on the House Appropriations Committee, so that problem may be lessened. There is nothing else in this bill that would engender any significant opposition if brought to a vote.

Commentary


As I mentioned when a version of this bill was introduced in the 114th Congress, I think that this is potentially game changing legislation. It is one of the few bills that actually tries to address a control system security issue with something that appears to be a workable route to a solution. The fact that funding is specifically provided instead of requiring an executive agency to rob Peter to pay Paul is especially encouraging.


It will be interesting to see if either this bill or S 79 moves forward at all in this session. Both bills have been introduced early enough that there should be no procedural hurdle to their consideration. It remains to be seen if the leadership of either house really has any intention of moving legislation forward that actually does something about a cybersecurity issue.

Monday, March 27, 2017

Committee Hearings – Week of 3-26-17

This week both the House and Senate will be in session. There are a number of committee hearings that will be held on both sides of the Capitol, but there is only one, a cybersecurity hearing, that may be of specific interest to readers of this blog.

On Tuesday the Energy Subcommittee of the Senate Energy and Natural Resources Committee will be holding a hearing to look at cybersecurity threats to the US electric grid. The hearing will also receive testimony on S 79, the Securing Energy Infrastructure Act. The witness list includes:

• Michael Bardee, Federal Energy Regulatory Commission;
• John DiStasio, Large Public Power Council;
• Thomas Zacharia, Oak Ridge National Laboratory; and
• Ben Fowke III, Xcel Energy

Saturday, January 28, 2017

S 79 Introduced – Energy Sector Security

Earlier this month Sen. King (I,ME) introduced S 79, the Securing Energy Infrastructure Act. It would require the Secretary of Energy to establish a 2-year pilot program to study control system security in the energy sector. The pilot program would be funded at $10 Million for the 2-year study. This bill is essentially the same as S 3018 introduced late in the 114th Congress; that bill saw no action in committee. Attentive readers might recall that I suggested a letter writing campaign to support that bill.

I am not going to repeat the detailed explanation of the bill since I covered that in my post on the introduction of S 3018. I would like to address two items that I did not mention in that earlier post: the definition of ‘industrial control system’ and the use of the term ‘cyber-informed engineering’.

Industrial Control System


The bill defines ‘industrial control system’ as “an operational technology used to measure, control, or manage industrial functions” {§(2)(3)(A)}. That definition is expanded in sub-paragraph (B) to specifically include “supervisory control and data acquisition systems, distributed control systems, and programmable logic or embedded controllers”.

The initial definition could clearly be interpreted to include manual control systems with no electronic component. This is important because later in the bill ‘physical controls’ (as opposed to digital or analog) are one concept that is suggested as a way to avoid the security vulnerabilities in existing systems.

Cyber-Informed Engineering


This term was first used in S 2943, the FY 2017 National Defense Authorization Act. There it was used to describe a pilot program the DOD would run “to increase the resilience of military installations against cybersecurity threats and prevent or mitigate the potential for high-consequence cyberattacks” {§1634(a)}. The Armed Services Committee report (S Rept 114-255) provides a more detailed explanation:

“A consequence-driven, cyber-informed engineering approach is based on an evaluation of the operating environment that discriminates between targeted and indiscriminate attacks, analyzes vulnerabilities beyond traditional Information Technology security, and addresses systems created to control critical infrastructure that were designed primarily to meet engineering requirements with little or sometimes no consideration of security requirements.”

In S 79 the term shows up in the §4 description of the working group. In the second portion of the description of the working group's purpose, the bill states that the working group will “develop a national cyber-informed engineering strategy to isolate and defend covered entities from security vulnerabilities and exploits in the most critical systems [emphasis added] of the covered entities” {§4(a)(2)}.

This sounds very much like how safety systems are configured in chemical operations. The sensors and actuators of safety systems are isolated from the active control system so that a failure (or compromise) of components of the control system cannot affect the proper operation of the safety system. And those safety systems are only designed to protect against catastrophic failure of the chemical manufacturing system, not general failures of the control scheme to maintain product quality or process efficiency.

As I mentioned in my post about S 2943, there is an interesting paper from 2015 published by the Idaho National Laboratory (INL) about the concept of ‘cyber-informed engineering’. (Note: the link in the original post is no longer good; it has been corrected.)

Moving Forward


In the last session, this bill had bipartisan support in the Senate Energy and Natural Resources Committee and it does again this session. I suspect that the reason that the bill did not move forward in the last session was due to its late introduction and short amount of time available.


The biggest thing stopping this bill from moving forward is the spending authorization for the pilot program ($10 million) and the inclusion of spending authorization for the working group activities ($1.5 million). While that is not a great deal of money (at Federal spending levels), it is money that will have to come from somewhere. Figuring out the spending offsets for that $11.5 million will take some doing. Once that is accomplished, this bill should be able to move forward pretty easily if it makes it to the floor.

Wednesday, January 11, 2017

Bills Introduced – 01-10-17

Yesterday, with both the House and Senate in session, there were 73 bills introduced. Of those, two may be of specific interest to readers of this blog:

S 79 A bill to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Sen. King, Angus S., Jr. [I-ME]

S 88 A bill to ensure appropriate spectrum planning and interagency coordination to support the Internet of Things. Sen. Fischer, Deb [R-NE]

It will be interesting to see if S 79 addresses physical security, cybersecurity, or both.


S 88 looks to be a continuation of efforts by Fischer to promote IOT development. How close will this be to S 2607 from the last session? That bill was reported out of committee but never made it to the floor of the Senate.
 