[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4939 Introduced in House (IH)]

<DOC>

117th CONGRESS
  1st Session
                                H. R. 4939

To provide for a comprehensive interdisciplinary research, development, 
 and demonstration initiative to strengthen the capacity of the energy 
sector to prepare for and withstand cyber and physical attacks, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             August 6, 2021

Mr. Bera (for himself and Mr. Weber of Texas) introduced the following 
   bill; which was referred to the Committee on Science, Space, and 
Technology, and in addition to the Committee on Homeland Security, for 
a period to be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


 
To provide for a comprehensive interdisciplinary research, development, 
 and demonstration initiative to strengthen the capacity of the energy 
sector to prepare for and withstand cyber and physical attacks, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Grid Security Research and 
Development Act''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) The Nation, and every critical infrastructure sector, 
        depends on reliable electricity.
            (2) Intelligent electronic devices, advanced analytics, and 
        information systems used across the energy sector are essential 
        to maintaining reliable operation of the electric grid.
            (3) The cybersecurity threat landscape is constantly 
        changing and attacker capabilities are advancing rapidly, 
        requiring ongoing modifications, advancements, and investments 
        in technologies, procedures, and workforce development to 
        maintain security.
            (4) It is in the national interest for Federal agencies to 
        invest in innovative cybersecurity research that informs and 
        facilitates private sector investment and use of new and 
        advanced cybersecurity tools and procedures to protect 
        information systems.
            (5) The number of devices and systems connecting to the 
        electric grid is increasing, and integrating cybersecurity 
        protections into information systems when they are designed and 
        built is more effective than modifying products after 
        installation to meet cybersecurity goals.
            (6) An understanding of human factors can be leveraged to 
        understand the behavior of cyber threat actors, develop 
        strategies to counter threat actors, improve cybersecurity 
        training programs, optimize the design of human-machine 
        interfaces and cybersecurity tools, and increase the capacity 
        of the energy sector workforce to prevent unauthorized access 
        to critical systems.

SEC. 3. AMENDMENT TO DIVISION Z OF THE CONSOLIDATED APPROPRIATIONS ACT, 
              2021.

    Title VIII of division Z of the Consolidated Appropriations Act, 
2021 (Public Law 116-260) is amended by inserting after section 8012 
the following:

``SEC. 8013. ENERGY SECTOR SECURITY RESEARCH, DEVELOPMENT, AND 
              DEMONSTRATION PROGRAM.

    ``(a) In General.--The Secretary, in coordination with appropriate 
Federal agencies, the Electricity Subsector Coordinating Council, the 
Electric Reliability Organization, State, tribal, local, and 
territorial governments, the private sector, and other relevant 
stakeholders, shall carry out a research, development, and 
demonstration program to protect the electric grid and energy systems, 
including assets connected to the distribution grid, and associated 
supply chains, from cyber and physical attacks by increasing the cyber 
and physical security capabilities of the energy sector and 
accelerating the development of relevant technologies and tools.
    ``(b) Department of Energy.--As part of the initiative described in 
subsection (a), the Secretary shall award research, development, and 
demonstration grants to--
            ``(1) identify cybersecurity risks to information 
        technology and operational technology within, and impacting, 
        the electricity sector, energy systems, and energy 
        infrastructure;
            ``(2) develop methods and tools to rapidly detect cyber 
        intrusions and cyber incidents, including through the use of 
        data and big data analytics techniques, such as intrusion 
        detection, and security information and event management 
        systems, to validate and verify system behavior;
            ``(3) assess emerging cybersecurity capabilities that could 
        be applied to energy systems and develop technologies that 
        integrate cybersecurity features and procedures into the design 
        and development of existing and emerging grid technologies, 
        including renewable energy, storage, and demand-side management 
        technologies;
            ``(4) identify existing vulnerabilities in intelligent 
        electronic devices, advanced analytics systems, and information 
        systems;
            ``(5) work with relevant entities to develop technologies 
        or concepts that build or retrofit cybersecurity features and 
        procedures into--
                    ``(A) information and energy management system 
                devices, components, software, firmware, and hardware, 
                including distributed control and management systems, 
                and building management systems;
                    ``(B) data storage systems, data management 
                systems, and data analysis processes;
                    ``(C) automated and manually controlled devices and 
                equipment for monitoring and stabilizing the electric 
                grid;
                    ``(D) technologies used to synchronize time and 
                develop guidance for operational contingency plans when 
                time synchronization technologies, are compromised;
                    ``(E) power system delivery and end user systems 
                and devices that connect to the grid, including--
                            ``(i) meters, phasor measurement units, and 
                        other sensors;
                            ``(ii) distribution automation 
                        technologies, smart inverters, and other grid 
                        control technologies;
                            ``(iii) distributed generation, energy 
                        storage, and other distributed energy 
                        technologies;
                            ``(iv) demand response technologies;
                            ``(v) home and building energy management 
                        and control systems;
                            ``(vi) electric and plug-in hybrid vehicles 
                        and electric vehicle charging systems; and
                            ``(vii) other relevant devices, software, 
                        firmware, and hardware; and
                    ``(F) the supply chain of electric grid management 
                system components;
            ``(6) develop technologies, including information 
        technologies and operational technologies, that improve the 
        physical security of the electric grid, including remote 
        assets;
            ``(7) integrate human factors research into the design and 
        development of advanced tools and processes for dynamic 
        monitoring, detection, protection, mitigation, response, and 
        cyber situational awareness;
            ``(8) evaluate and understand the potential consequences of 
        practices used to maintain the cybersecurity of information 
        systems and intelligent electronic devices;
            ``(9) develop or expand the capabilities of existing 
        cybersecurity test beds to simulate impacts of cyber attacks 
        and combined cyber-physical attacks on information systems and 
        electronic devices, including by increasing access to existing 
        and emerging test beds for cooperative utilities, utilities 
        owned by a political subdivision of a State, such as 
        municipally owned electric utilities, and other relevant 
        stakeholders; and
            ``(10) develop technologies that reduce the cost of 
        implementing effective cybersecurity technologies and tools, 
        including updates to these technologies and tools, in the 
        energy sector.
    ``(c) National Science Foundation.--The National Science 
Foundation, in coordination with other Federal agencies as appropriate, 
shall through its cybersecurity research and development programs--
            ``(1) support basic research to advance knowledge, 
        applications, technologies, and tools to strengthen the 
        cybersecurity of information systems that support the electric 
        grid and energy systems, including interdisciplinary research 
        in--
                    ``(A) evolutionary systems, theories, mathematics, 
                and models;
                    ``(B) economic and financial theories, mathematics, 
                and models; and
                    ``(C) big data analytical methods, mathematics, 
                computer coding, and algorithms; and
            ``(2) support cybersecurity education and training focused 
        on information systems for the electric grid and energy 
        workforce, including through the Advanced Technological 
        Education program, the Cybercorps program, graduate research 
        fellowships, and other appropriate programs.
    ``(d) Department of Homeland Security Science and Technology 
Directorate.--The Science and Technology Directorate of the Department 
of Homeland Security shall coordinate with the Department of Energy, 
the private sector, and other relevant stakeholders, to research 
existing cybersecurity technologies and tools used in the defense 
industry in order to--
            ``(1) identify technologies and tools that may meet 
        civilian energy sector cybersecurity needs;
            ``(2) develop a research strategy that incorporates human 
        factors research findings to guide the modification of defense 
        industry cybersecurity tools for use in the civilian sector;
            ``(3) develop a strategy to accelerate efforts to bring 
        modified defense industry cybersecurity tools to the civilian 
        market; and
            ``(4) carry out other activities the Secretary of Homeland 
        Security considers appropriate to meet the goals of this 
        subsection.

``SEC. 8014. GRID RESILIENCE AND EMERGENCY RESPONSE.

    ``(a) In General.--Not later than 180 days after the enactment of 
the Grid Security Research and Development Act, the Secretary shall 
establish a research, development, and demonstration program to enhance 
resilience and strengthen emergency response and management pertaining 
to the energy sector.
    ``(b) Grants.--The Secretary shall award grants to eligible 
entities under subsection (d) on a competitive basis to conduct 
research and development with the purpose of improving the resilience 
and reliability of the electric grid by--
            ``(1) developing methods to improve community and 
        governmental preparation for and emergency response to large-
        area, long-duration electricity interruptions, including 
        through the use of energy efficiency, storage, and distributed 
        generation technologies;
            ``(2) developing tools to help utilities and communities 
        ensure the continuous delivery of electricity to critical 
        facilities;
            ``(3) developing tools to improve coordination between 
        utilities and relevant Federal agencies to enable 
        communication, information-sharing, and situational awareness 
        in the event of a physical or cyber-attack on the electric 
        grid;
            ``(4) developing technologies and capabilities to withstand 
        and address the current and projected impact of the changing 
        climate on energy sector infrastructure, including extreme 
        weather events, other natural disasters, and wildfires;
            ``(5) developing technologies capable of early detection of 
        malfunctioning electrical equipment on the transmission and 
        distribution grid, including detection of spark ignition 
        causing wildfires and risks of vegetation contact;
            ``(6) assessing upgrades and additions needed to energy 
        sector infrastructure due to projected changes in the energy 
        generation mix and energy demand;
            ``(7) upgrading tools used to estimate the costs of outages 
        longer than 24 hours; and
            ``(8) developing tools and technologies to assist with the 
        planning, safe execution of, and safe and timely restoration of 
        power after cyber and physical attacks, natural disasters, and 
        emergency power shut offs, such as those conducted to reduce 
        risks of wildfires started by grid infrastructure.
    ``(c) Concurrent and Co-Located Disasters.--In carrying out the 
program under subsection (a), the Secretary shall support research and 
development on tools, techniques, and technologies for improving 
electric grid and energy sector safety and resilience in the event of 
multiple simultaneous or co-located weather or climate events leading 
to extreme conditions, such as extreme wind, wildfires, extreme cold, 
and extreme heat.
    ``(d) Eligible Entities.--The entities eligible to receive grants 
under this section include--
            ``(1) an institution of higher education, including a 
        historically Black college or university or a minority-serving 
        institution;
            ``(2) a nonprofit organization;
            ``(3) a National Laboratory;
            ``(4) a unit of State, local, or tribal government;
            ``(5) an electric utility or electric cooperative;
            ``(6) a retail service provider of electricity;
            ``(7) a private commercial entity;
            ``(8) a partnership or consortium of 2 or more entities 
        described in paragraphs (1) through (7); and
            ``(9) any other entities the Secretary deems appropriate.
    ``(e) Relevant Activities.--Grants awarded under subsection (b) 
shall include funding for research and development activities related 
to the purpose described in subsection (b), such as--
            ``(1) development of technologies to use distributed energy 
        resources, such as solar photovoltaics, energy storage systems, 
        electric vehicles, and microgrids, to improve grid and critical 
        end-user resilience;
            ``(2) analysis of non-technical barriers to greater 
        integration and use of technologies on the distribution grid;
            ``(3) analysis of past large-area, long-duration 
        electricity interruptions to identify common elements and best 
        practices for electricity restoration, mitigation, and 
        prevention of future disruptions;
            ``(4) development of--
                    ``(A) advanced monitoring, analytics, operation, 
                and controls of electric grid systems to improve 
                electric grid resilience; and
                    ``(B) independent verification and validation 
                methodologies, in coordination with the National 
                Institute of Standards and Technology, to address the 
                potential cybersecurity vulnerabilities of the 
                technologies identified in subparagraph (A) of this 
                paragraph;
            ``(5) analysis of technologies, methods, and concepts that 
        can improve community resilience and survivability of frequent 
        or long-duration power outages;
            ``(6) development of methodologies to maintain 
        cybersecurity during restoration of energy sector 
        infrastructure and operation;
            ``(7) development of advanced power flow control systems 
        and components to improve electric grid resilience; and
            ``(8) any other relevant activities determined by the 
        Secretary.
    ``(f) Technical Assistance.--
            ``(1) In general.--The Secretary shall provide technical 
        assistance to eligible entities for the commercial application 
        of technologies to improve the resilience of the electric grid 
        and commercial application of technologies to help entities 
        develop plans for preventing and recovering from various power 
        outage scenarios at the local, regional, and State level.
            ``(2) Technical assistance program.--The commercial 
        application technical assistance program established in 
        paragraph (1) shall include assistance to eligible entities 
        for--
                    ``(A) the commercial application of technologies 
                developed from the grant program established in 
                subsection (b), including cooperative utilities and 
                utilities owned by a political subdivision of a State, 
                such as municipally owned electric utilities;
                    ``(B) the development of methods to strengthen or 
                otherwise mitigate adverse impacts on electric grid 
                infrastructure against natural hazards;
                    ``(C) the use of Department data and modeling tools 
                for various purposes;
                    ``(D) a resource assessment and analysis of future 
                demand and distribution requirements, including 
                development of advanced grid architectures and risk 
                analysis;
                    ``(E) the development of tools and technologies to 
                coordinate data across relevant entities to promote 
                resilience and wildfire prevention in the planning, 
                design, construction, operation, and maintenance of 
                transmission infrastructure;
                    ``(F) analysis to predict the likelihood of extreme 
                weather events to inform the planning, design, 
                construction, operation, and maintenance of 
                transmission infrastructure in consultation with the 
                National Oceanic and Atmospheric Administration; and
                    ``(G) the commercial application of relevant 
                technologies, such as distributed energy resources, 
                microgrids, or other energy technologies, to establish 
                backup power for users or facilities affected by 
                emergency power shutoffs.
            ``(3) Eligible entities.--The entities eligible to receive 
        technical assistance for commercial application of technologies 
        under this subsection include--
                    ``(A) representatives of all sectors of the 
                electric power industry, including electric utilities, 
                trade organizations, and transmission and distribution 
                system organizations, owners, and operators;
                    ``(B) State and local governments and regulatory 
                authorities, including public utility commissions;
                    ``(C) tribal and Alaska Native governmental 
                entities;
                    ``(D) partnerships among entities under 
                subparagraphs (A) through (C);
                    ``(E) regional partnerships; and
                    ``(F) any other entities the Secretary deems 
                appropriate.
            ``(4) Authority.--Nothing in this subsection shall 
        authorize the Secretary to require any entity to adopt any 
        model, tool, technology, plan, analysis, or assessment.

``SEC. 8015. BEST PRACTICES AND GUIDANCE DOCUMENTS FOR ENERGY SECTOR 
              CYBERSECURITY RESEARCH.

    ``(a) In General.--The Secretary, in coordination with appropriate 
Federal agencies, the Electricity Subsector Coordinating Council, 
standards development organizations, State, tribal, local, and 
territorial governments, the private sector, public utility 
commissions, and other relevant stakeholders, shall coordinate the 
development of guidance documents for research, development, and 
demonstration activities to improve the cybersecurity capabilities of 
the energy sector through participating agencies. As part of these 
activities, the Secretary, in consultation with relevant Federal 
agencies, shall--
            ``(1) facilitate stakeholder involvement to update--
                    ``(A) the Roadmap to Achieve Energy Delivery 
                Systems Cybersecurity;
                    ``(B) the Cybersecurity Procurement Language for 
                Energy Delivery Systems, including developing guidance 
                for--
                            ``(i) contracting with third parties to 
                        conduct vulnerability testing for information 
                        systems used across the energy production, 
                        delivery, storage, and end use systems;
                            ``(ii) contracting with third parties that 
                        utilize transient devices to access information 
                        systems; and
                            ``(iii) managing supply chain risks; and
                    ``(C) the Electricity Subsector Cybersecurity 
                Capability Maturity Model, including the development of 
                metrics to measure changes in cybersecurity readiness; 
                and
            ``(2) develop voluntary guidance to improve digital 
        forensic analysis capabilities, including--
                    ``(A) developing standardized terminology and 
                monitoring processes; and
                    ``(B) utilizing human factors research to develop 
                more effective procedures for logging incident events; 
                and
            ``(3) work with the National Science Foundation, Department 
        of Homeland Security, and stakeholders to develop a mechanism 
        to anonymize, aggregate, and share the testing results from 
        cybersecurity test beds to facilitate technology improvements 
        by public and private sector researchers.
    ``(b) Best Practices.--The Secretary, in collaboration with the 
Director of the National Institute of Standards and Technology, the 
Director of the Cybersecurity and Infrastructure Security Agency, and 
other appropriate Federal agencies, shall convene relevant stakeholders 
and facilitate the development of--
            ``(1) consensus-based best practices to improve 
        cybersecurity for--
                    ``(A) emerging energy technologies;
                    ``(B) distributed generation and storage 
                technologies, and other distributed energy resources;
                    ``(C) electric vehicles and electric vehicle 
                charging stations; and
                    ``(D) other technologies and devices that connect 
                to the electric grid;
            ``(2) recommended cybersecurity designs and technical 
        requirements that can be used by the private sector to design 
        and build interoperable cybersecurity features into 
        technologies that connect to the electric grid, including 
        networked devices and components on distribution systems; and
            ``(3) technical analysis that can be used by the private 
        sector in developing best practices for test beds and test bed 
        methodologies that will enable reproducible testing of 
        cybersecurity protections for information systems, electronic 
        devices, and other relevant components, software, and hardware 
        across test beds.
    ``(c) Regulatory Authority.--None of the activities authorized in 
this section shall be construed to authorize regulatory actions. 
Additionally, the voluntary standards developed under this section 
shall not duplicate or conflict with mandatory reliability standards.

``SEC. 8016. VULNERABILITY TESTING AND TECHNICAL ASSISTANCE TO IMPROVE 
              CYBERSECURITY.

    ``The Secretary shall--
            ``(1) coordinate with appropriate Federal agencies and 
        energy sector asset owners and operators, leveraging the 
        research facilities and expertise of the National Laboratories, 
        to assist entities in developing testing capabilities by--
                    ``(A) utilizing a range of methods to identify 
                vulnerabilities in physical and cyber systems;
                    ``(B) developing cybersecurity risk assessment 
                tools and providing analyses and recommendations to 
                participating stakeholders; and
                    ``(C) working with appropriate Federal agencies and 
                stakeholders to develop methods to share anonymized and 
                aggregated test results to assist relevant stakeholders 
                in the energy sector, researchers, and the private 
                sector to advance cybersecurity efforts, technologies, 
                and tools;
            ``(2) collaborate with relevant stakeholders, including 
        public utility commissions, to--
                    ``(A) identify information, research, staff 
                training, and analytical tools needed to evaluate 
                cybersecurity issues and challenges in the energy 
                sector; and
                    ``(B) facilitate the sharing of information and the 
                development of tools identified under subparagraph (A);
            ``(3) coordinate with tribal governments to identify 
        information, research, and analysis tools needed by tribal 
        governments to increase the cybersecurity of energy assets 
        within their jurisdiction.

``SEC. 8017. CYBERSECURITY EDUCATION AND WORKFORCE TRAINING RESEARCH 
              AND STANDARDS.

    ``(a) In General.--The Secretary shall support the development of a 
cybersecurity workforce through a program that--
            ``(1) facilitates collaboration between undergraduate and 
        graduate students, researchers at the National Laboratories, 
        and the private sector;
            ``(2) prioritizes science and technology in areas relevant 
        to the mission of the Department of Energy through the design 
        and application of cybersecurity technologies for the energy 
        sector;
            ``(3) develops, or facilitates private sector development 
        of, voluntary cybersecurity training and retraining standards, 
        lessons, and recommendations for the energy sector that 
        minimize duplication of cybersecurity compliance training 
        programs; and
            ``(4) maintains a public database of energy sector 
        cybersecurity education, training, and certification programs.
    ``(b) Grid Resilience Technology Training.--The Secretary shall 
support the development of the grid workforce through a training 
program that prioritizes activities that enhance the resilience of the 
electric grid and energy sector infrastructure, including training on 
the use of tools, technologies, and methods developed under the grant 
program established in section 1311(b).
    ``(c) Collaboration.--In carrying out the program authorized in 
subsection (a) and (b), the Secretary shall coordinate with appropriate 
Federal agencies and leverage programs and activities carried out 
across the Department of Energy, other relevant Federal agencies, 
institutions of higher education, and other appropriate entities best 
suited to provide national leadership on cybersecurity and grid 
resilience-related issues.

``SEC. 8018. INTERAGENCY COORDINATION AND STRATEGIC PLAN FOR ENERGY 
              SECTOR CYBERSECURITY RESEARCH.

    ``(a) Duties.--The Secretary, in coordination with appropriate 
Federal agencies and the Energy Sector Government Coordinating Council, 
shall--
            ``(1) review the most recent versions of the Roadmap to 
        Achieve Energy Delivery Systems Cybersecurity and the Multi-
        Year Program Plan for Energy Sector Cybersecurity to identify 
        crosscutting energy sector cybersecurity research needs and 
        opportunities for collaboration among Federal agencies and 
        other relevant stakeholders;
            ``(2) identify interdisciplinary research, technology, and 
        tools that can be applied to cybersecurity challenges in the 
        energy sector;
            ``(3) identify technology transfer opportunities to 
        accelerate the development and commercial application of novel 
        cybersecurity technologies, systems, and processes in the 
        energy sector; and
            ``(4) develop a coordinated Interagency Strategic Plan for 
        research to advance cybersecurity capabilities used in the 
        energy sector that builds on the Roadmap to Achieve Energy 
        Delivery Systems in Cybersecurity and the Multi-Year Program 
        Plan for Energy Sector Cybersecurity.
    ``(b) Interagency Strategic Plan.--
            ``(1) Submittal.--The Interagency Strategic Plan developed 
        under subsection (a)(4) shall be submitted to Congress and made 
        public within 12 months after the date of enactment of the Grid 
        Security Research and Development Act.
            ``(2) Contents.--The Interagency Strategic Plan shall 
        include--
                    ``(A) an analysis of how existing cybersecurity 
                research efforts across the Federal Government are 
                advancing the goals of the Roadmap to Achieve Energy 
                Delivery Systems Cybersecurity and the Multi-Year 
                Program Plan for Energy Sector Cybersecurity;
                    ``(B) recommendations for research areas that may 
                advance the cybersecurity of the energy sector;
                    ``(C) an overview of existing and proposed public 
                and private sector research efforts that address the 
                topics outlined in paragraph (3); and
                    ``(D) an overview of needed support for workforce 
                training in cybersecurity for the energy sector.
            ``(3) Considerations.--In developing the Interagency 
        Strategic Plan, the Secretary, in coordination with appropriate 
        Federal agencies and the Energy Sector Government Coordinating 
        Council, shall consider--
                    ``(A) opportunities for human factors research to 
                improve the design and effectiveness of cybersecurity 
                devices, technologies, tools, processes, and training 
                programs;
                    ``(B) contributions of other disciplines to the 
                development of innovative cybersecurity procedures, 
                devices, components, technologies, and tools;
                    ``(C) opportunities for technology transfer 
                programs to facilitate private sector development of 
                cybersecurity procedures, devices, components, 
                technologies, and tools for the energy sector;
                    ``(D) broader applications of the work done by 
                relevant Federal agencies to advance the cybersecurity 
                of information systems and data analytics systems for 
                the energy sector; and
                    ``(E) activities called for in the Federal 
                cybersecurity research and development strategic plan 
                required by section 201(a)(1) of the Cybersecurity 
                Enhancement Act of 2014 (15 U.S.C. 7431(a)(1)).
    ``(c) Participation.--For the purposes of carrying out this 
section, the Energy Sector Government Coordinating Council shall 
include representatives from Federal agencies with expertise in the 
energy sector, information systems, data analytics, cyber and physical 
systems, engineering, human factors research, human-machine interfaces, 
high performance computing, big data and data analytics, or other 
disciplines considered appropriate by the Council Chair.

``SEC. 8019. REPORT TO CONGRESS.

    ``(a) Study.--The Secretary, in collaboration with the National 
Institute of Standards and Technology, other Federal agencies, and 
energy sector stakeholders, in order to provide recommendations for 
additional research, development, demonstration, and commercial 
application activities, shall--
            ``(1) analyze physical and cyber attacks on energy sector 
        infrastructure and information systems and identify cost-
        effective opportunities to improve physical and cybersecurity; 
        and
            ``(2) examine the risks associated with increasing 
        penetration of digital technologies in grid networks, 
        particularly on the distribution grid.
    ``(b) Content.--The study shall--
            ``(1) analyze processes, operational procedures, and other 
        factors common among cyber attacks;
            ``(2) identify areas where human behavior plays a critical 
        role in maintaining or compromising the security of a system;
            ``(3) recommend--
                    ``(A) changes to the design of devices, human-
                machine interfaces, technologies, tools, processes, or 
                procedures to optimize security that do not require a 
                change in human behavior; and
                    ``(B) training techniques to increase the capacity 
                of employees to actively identify, prevent, or 
                neutralize the impact of cyber attacks;
            ``(4) evaluate existing engineering and technical design 
        criteria and guidelines that incorporate human factors research 
        findings, and recommend criteria and guidelines for 
        cybersecurity tools that can be used to develop display systems 
        for cybersecurity monitoring, such as alarms, user-friendly 
        displays, and layouts;
            ``(5) evaluate the cybersecurity risks and benefits of 
        various design and architecture options for energy sector 
        systems, networked grid systems and components, and automation 
        systems, including consideration of--
                    ``(A) designs that include both digital and analog 
                control devices and technologies;
                    ``(B) different communication technologies used to 
                transfer information and data between control system 
                devices, technologies, and system operators;
                    ``(C) automated and human-in-the-loop devices and 
                technologies;
                    ``(D) programmable versus nonprogrammable devices 
                and technologies;
                    ``(E) increased redundancy using dissimilar 
                cybersecurity technologies; and
                    ``(F) grid architectures that use autonomous 
                functions to limit control vulnerabilities; and
            ``(6) recommend methods or metrics to document changes in 
        risks associated with system designs and architectures.
    ``(c) Consultation.--In conducting the study, the Secretary shall 
consult with energy sector stakeholders, academic researchers, the 
private sector, and other relevant stakeholders.
    ``(d) Report.--Not later than 24 months after the date of enactment 
of the Grid Security Research and Development Act, the Secretary shall 
submit the study to the Committee on Science, Space, and Technology of 
the House of Representatives and the Committee on Energy and Natural 
Resources of the Senate.

``SEC. 8020. CRITICAL INFRASTRUCTURE RESEARCH AND CONSTRUCTION.

    ``(a) In General.--The Secretary shall carry out a program of 
research, development, and demonstration of technologies and tools to 
help ensure the resilience and security of critical integrated grid 
infrastructures.
    ``(b) Critical Infrastructure Defined.--In this section, the term 
`critical infrastructure' means infrastructure that the Secretary 
determines to be vital to socioeconomic activities such that, if 
destroyed or damaged, such destruction or damage could cause 
substantial disruption to such socioeconomic activities.
    ``(c) Coordination.--In carrying out the program under subsection 
(a), the Secretary shall leverage expertise and resources of and 
facilitate collaboration and coordination between--
            ``(1) relevant programs and activities across the 
        Department;
            ``(2) the Department of Defense; and
            ``(3) the Department of Homeland Security.
    ``(d) Energy Sector Critical Infrastructure Test Facility.--In 
carrying out the program under subsection (a), the Secretary, in 
consultation with other appropriate Federal agencies, shall establish 
and operate an Energy Sector Critical Infrastructure Test Facility 
(referred to in this section as the `Test Facility') that allows for 
scalable physical and cyber performance testing to be conducted on 
industry-scale energy sector critical infrastructure systems. This 
facility shall include a focus on--
            ``(1) cybersecurity test beds; and
            ``(2) electric grid test beds.
    ``(e) Selection.--The Secretary shall select the Test Facility 
under this section on a competitive, merit-reviewed basis. The 
Secretary shall consider applications from National Laboratories, 
institutions of higher education, multi-institutional collaborations, 
and other appropriate entities.
    ``(f) Duration.--The Test Facility established under this section 
shall receive support for a period of not more than 5 years, subject to 
the availability of appropriations.
    ``(g) Renewal.--Upon the expiration of any period of support of the 
Test Facility, the Secretary may renew support for the Test Facility, 
on a merit-reviewed basis, for a period of not more than 5 years.
    ``(h) Termination.--Consistent with the existing authorities of the 
Department, the Secretary may terminate the Test Facility for cause 
during the performance period.

``SEC. 8021. DEFINITIONS.

    ``In this title:
            ``(1) Big data.--The term `big data' means datasets that 
        require advanced analytical methods for their transformation 
        into useful information.
            ``(2) Cybersecurity.--The term `cybersecurity' means 
        protecting an information system or information that is stored 
        on, processed by, or transiting an information system from a 
        cybersecurity threat or security vulnerability.
            ``(3) Cybersecurity threat.--The term `cybersecurity 
        threat' has the meaning given the term in section 102 of the 
        Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
            ``(4) Department.--The term `Department' means the 
        Department of Energy.
            ``(5) Electricity subsector coordinating council.--The term 
        `Electricity Subsector Coordinating Council' means the self-
        organized, self-governed council consisting of senior industry 
        representatives to serve as the principal liaison between the 
        Federal Government and the electric power sector and to carry 
        out the role of the Sector Coordinating Council as established 
        in the National Infrastructure Protection Plan for the 
        electricity subsector.
            ``(6) Energy sector government coordinating council.--The 
        term `Energy Sector Government Coordinating Council' means the 
        council consisting of representatives from relevant Federal 
        Government agencies to provide effective coordination of energy 
        sector efforts to ensure a secure, reliable, and resilient 
        energy infrastructure and to carry out the role of the 
        Government Coordinating Council as established in the National 
        Infrastructure Protection Plan for the energy sector.
            ``(7) Historically black college or university.--The term 
        `historically Black college or university' has the meaning 
        given the term `part B institution' in section 322(2) of the 
        Higher Education Act of 1965 (29 U.S.C. 106(2)).
            ``(8) Human factors research.--The term `human factors 
        research' means research on human performance in social and 
        physical environments, and on the integration and interaction 
        of humans with physical systems and computer hardware and 
        software.
            ``(9) Human-machine interfaces.--The term `human-machine 
        interfaces' means technologies that present information to an 
        operator or user about the state of a process or system, or 
        accept human instructions to implement an action, including 
        visualization displays such as a graphical user interface.
            ``(10) Information system.--The term `information system'--
                    ``(A) has the meaning given the term in section 102 
                of the Cybersecurity Information Sharing Act of 2015 (6 
                U.S.C. 1501); and
                    ``(B) includes operational technology, information 
                technology, and communications.
            ``(11) Minority-serving institution.--The term `minority-
        serving institution' means an eligible institution under 
        section 371(a) of the Higher Education Act of 1965 (20 U.S.C. 
        1067q(a)).
            ``(12) National laboratory.--The term `national laboratory' 
        has the meaning given the term in section 2 of the Energy 
        Policy Act of 2005 (42 U.S.C. 15801).
            ``(13) Secretary.--The term `Secretary' means the Secretary 
        of Energy.
            ``(14) Security vulnerability.--The term `security 
        vulnerability' has the meaning given the term in section 102 of 
        the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
        1501).
            ``(15) Transient devices.--The term `transient devices' 
        means removable media, including floppy disks, compact disks, 
        USB flash drives, external hard drives, mobile devices, and 
        other devices that utilize wireless connections.''.

SEC. 4. AUTHORIZATION OF APPROPRIATIONS.

    Section 8012 of division Z of the Consolidated Appropriations Act, 
2021 (Public Law 116-260) is amended by striking subsection (b)(1) and 
inserting the following:
            ``(1) to carry out sections 8006, 8013, 8014, 8015, 8016, 
        8017, 8018, 8019, 8020 and the amendments made by sections 
        8001, 8002, and 8005 of this title--
                    ``(A) $371,000,000 for fiscal year 2022;
                    ``(B) $385,550,000 for fiscal year 2023;
                    ``(C) $400,577,500 for fiscal year 2024;
                    ``(D) $420,606,375 for fiscal year 2025; and
                    ``(E) $441,636,694 for fiscal year 2026.''.

SEC. 5. CONFORMING AMENDMENTS.

    (a) Section 101(b) of division Z of the Consolidated 
Appropriations Act, 2021 (Public Law 116-260) is amended in the table 
of contents--
            (1) in the matter relating to 8013, by striking ``8013'' 
        and inserting ``8022'';
            (2) in the matter relating to 8014, by striking ``8014'' 
        and inserting ``8023'';
            (3) in the matter relating to 8015, by striking ``8015'' 
        and inserting ``8024'';
            (4) by adding after the matter relating to section 8012 the 
        following:

``Sec. 8013. Energy sector security research, development, and 
                            demonstration program.
``Sec. 8014. Grid resilience and emergency response.
``Sec. 8015. Best practices and guidance documents for energy sector 
                            cybersecurity research.
``Sec. 8016. Vulnerability testing and technical assistance to improve 
                            cybersecurity.
``Sec. 8017. Cybersecurity education and workforce training research 
                            and standards.
``Sec. 8018. Interagency coordination and strategic plan for energy 
                            sector cybersecurity research.
``Sec. 8019. Report to Congress.
``Sec. 8020. Critical infrastructure research and construction.
``Sec. 8021. Definitions.''.
    (b) Sections 8013 through 8015 of division Z of the Consolidated 
Appropriations Act, 2021 (Public Law 116-260) are redesignated as 
sections 8022 through 8024, respectively.