[Senate Report 115-246]
[From the U.S. Government Publishing Office]
Calendar No. 410
115th Congress } { Report
SENATE
2d Session } { 115-246
======================================================================
SECURING ENERGY INFRASTRUCTURE ACT
_______
May 10, 2018.--Ordered to be printed
_______
Ms. Murkowski, from the Committee on Energy and Natural Resources,
submitted the following
R E P O R T
[To accompany S. 79]
[Including cost estimate of the Congressional Budget Office]
The Committee on Energy and Natural Resources, to which was
referred the bill (S. 79) to provide for the establishment of a
pilot program to identify security vulnerabilities of certain
entities in the energy sector, having considered the same,
reports favorably thereon with an amendment in the nature of a
substitute and recommends that the bill, as amended, do pass.
The amendment is as follows:
Strike out all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Securing Energy Infrastructure
Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Appropriate committee of congress.--The term
``appropriate committee of Congress''' means--
(A) the Select Committee on Intelligence, the
Committee on Homeland Security and Governmental
Affairs, and the Committee on Energy and Natural
Resources of the Senate; and
(B) the Permanent Select Committee on Intelligence,
the Committee on Homeland Security, and the Committee
on Energy and Commerce of the House of Representatives.
(2) Covered entity.--The term ``covered entity'' means an
entity identified pursuant to section 9(a) of Executive Order
13636 of February 12, 2013 (78 Fed. Reg. 11742), relating to
identification of critical infrastructure where a cybersecurity
incident could reasonably result in catastrophic regional or
national effects on public health or safety, economic security,
or national security.
(3) Exploit.--The term ``exploit'' means software tool
designed to take advantage of a security vulnerability.
(4) Industrial control system.--
(A) In general.--The term ``industrial control
system'' means an operational technology used to
measure, control, or manage industrial functions.
(B) Inclusions.--The term ``industrial control
system'' includes supervisory control and data
acquisition systems, distributed control systems, and
programmable logic or embedded controllers.
(5) National laboratory.--The term ``National Laboratory''
has the meaning given the term in section 2 of the Energy
Policy Act of 2005 (42 U.S.C. 15801).
(6) Program.--The term ``Program'' means the pilot program
established under section 3.
(7) Secretary.--The term ``Secretary'' means the Secretary of
Energy.
(8) Security vulnerability.--The term ``security
vulnerability'' means any attribute of hardware, software,
process, or procedure that could enable or facilitate the
defeat of a security control.
SEC. 3. PILOT PROGRAM FOR SECURING ENERGY INFRASTRUCTURE.
Not later than 180 days after the date of enactment of this Act,
the Secretary shall establish a 2-year control systems implementation
pilot program within the National Laboratories for the purposes of--
(1) partnering with covered entities in the energy sector
(including critical component manufacturers in the supply
chain) that voluntarily participate in the Program to identify
new classes of security vulnerabilities of the covered
entities; and
(2) evaluating technology and standards, in partnership with
covered entities, to isolate and defend industrial control
systems of covered entities from security vulnerabilities and
exploits in the most critical systems of the covered entities,
including
(A) analog and nondigital control systems;
(B) purpose-built control systems; and
(C) physical controls.
SEC. 4. WORKING GROUP TO EVALUATE PROGRAM STANDARDS AND DEVELOP
STRATEGY.
(a) Establishment.--The Secretary shall establish a working group--
(1) to evaluate the technology and standards used in the
Program under section 3(2); and
(2) to develop a national cyber-informed engineering strategy
to isolate and defend covered entities from security
vulnerabilities and exploits in the most critical systems of
the covered entities.
(b) Membership.--The working group established under subsection (a)
shall be composed of not fewer than members, to be appointed by the
Secretary, at least 1 member of which shall represent each of the
following:
(1) The Department of Energy.
(2) The energy industry, including electric utilities and
manufacturers recommended by the Energy Sector coordinating
councils.
(3)(A) The Department of Homeland Security; or
(B) the Industrial Control Systems Cyber Emergency Response
Team
(4) The North American Electric Reliability Corporation.
(5) The Nuclear Regulatory Commission.
(6)(A) The Office of the Director of National Intelligence;
or
(B) the intelligence community (as defined in section 3 of
the National Security Act of 1947 (50 U.S.C. 3003)).
(7)(A) The Department of Defense; or
(B) the Assistant Secretary of Defense for Homeland Security
and America's Security Affairs.
(8) A State or regional energy agency.
(9) A national research body or academic institution.
(10) The National Laboratories.
SEC. 5. REPORTS ON THE PROGRAM.
(a) Interim Report.--Not later than 180 days after the date on
which funds are first disbursed under the Program, the Secretary shall
submit to the appropriate committees of Congress an interim report
that--
(1) describes the results of the Program;
(2) includes an analysis of the feasibility of each method
studied under the Program; and
(3) describes the results of the evaluations conducted by the
working group established under section 4(a).
(b) Final Report.--Not later than 2 years after the date on which
funds are first disbursed under the Program, the Secretary shall submit
to the appropriate committees of Congress a final report that--
(1) describes the results of the Program;
(2) includes an analysis of the feasibility of each method
studied under the Program; and
(3) describes the results of the evaluations conducted by the
working group established under section 4(a).
SEC. 6. EXEMPTION FROM DISCLOSURE.
Information shared by or with the Federal Government or a State,
Tribal, or local government under this Act shall be--
(1) deemed to be voluntarily shared information;
(2) exempt from disclosure under section 552 of title 5,
United States Code, or any provision of any State, Tribal, or
local freedom of information law, open government law, open
meetings law, open records law, sunshine law, or similar law
requiring the disclosure of information or records; and
(3) withheld from the public, without discretion, under
section 552(b)(3) of title 5, United States Code, or any
provision of a State, Tribal, or local law requiring the
disclosure of information or records.
SEC. 7. PROTECTION FROM LIABILITY.
(a) In General.--A cause of action against a covered entity for
engaging in the voluntary activities authorized under section 3--
(1) shall not lie or be maintained in any court; and
(2) shall be promptly dismissed by the applicable court.
(b) Voluntary Activities.--Nothing in this Act subjects any covered
entity to liability for not engaging in the voluntary activities
authorized under section 3.
SEC. 8. NO NEW REGULATORY AUTHORITY FOR FEDERAL AGENCIES.
Nothing in this Act authorizes the Secretary or the head of any
other department or agency of the Federal Government to issue new
regulations.
SEC. 9. AUTHORIZATION OF APPROPRIATIONS.
(a) Pilot Program.--There is authorized to be appropriated
$10,000,000 to carry out section 3.
(b) Working Group and Report.--There is authorized to be
appropriated $1,500,000 to carry out sections 4 and 5.
(c) Availability.--Amounts made available under subsections (a) and
(b) shall remain available until expended.
PURPOSE
The purpose of S. 79 is to provide for the establishment of
a pilot program to identify security vulnerabilities of certain
entities in the energy sector.
BACKGROUND AND NEED
Critical infrastructures within the United States are
enticing targets to malicious actors. Notably, these include
industrial control systems, which are operational technologies
used to measure, control, or manage industrial functions (e.g.,
supervisory control and data acquisition systems). Industrial
control systems are used in oil and gas pipelines, in electric
power generation, transmission, and distribution, in the energy
sector, and across other sectors such as water management and
mass transit. Top officials within the intelligence, defense,
and power communities have warned that the United States
remains vulnerable to cyber attacks on these systems, which
could result in catastrophic damage to public health and
safety, economic security, and national security.
In December 2015, a cyber attack on Ukraine's power grid
that featured sophisticated cyber attack techniques, plunged
more than 225,000 people into darkness. According to the
Department of Homeland Security, that cyber attack was
coordinated to target the Ukrainian power grid's industrial
control systems. Those systems act as the intermediary between
computers and the switches that control the distribution of
electricity. The 2015 attack could well have been worse.
However, Ukraine still relies on manual technology to operate
its grid to a greater extent than most American utility
operators. The Ukraine event brought to even greater public
attention grid-related cybersecurity risks and highlighted a
need for prudent action to protect other critical
infrastructure as well. Experts have warned of the need to
understand security vulnerabilities, particularly as they
relate to industrial control systems. The Committee on Energy
and Natural Resources has held several hearings in which the
topic of the vulnerability of the energy sector to cyber
attack.
As it has become increasingly clear that industrial control
systems are vulnerable to attack, it has also become apparent
that there is insufficient information available to the
Department of Energy, the National Laboratories, electric
utilities, manufacturers of grid-related equipment, and other
interested entities about the security vulnerabilities of these
systems. Also lacking is a sufficient evaluation of technology
and standards to isolate and defend industrial control systems
from security vulnerabilities in the most critical systems.
Finally, as identifying cyber vulnerabilities and defending
against them is a responsibility shared by multiple government
agencies and private sector institutions including asset
owners, further opportunities for working-level collaboration
by these entities are necessary.
LEGISLATIVE HISTORY
On January 10, 2017, Senator Angus King, for himself and
Senators Risch, Heinrich, Collins, and Crapo, introduced, S.
79, the Securing Energy Infrastructure Act. The Subcommittee on
Energy held a hearing on S. 79 on March 28, 2017.
In the 114th Congress, Senators King, Risch, Collins, and
Heinrich introduced a similar bill, S. 3018. The Subcommittee
on Energy, held a hearing on S. 3018 on July 12, 2016.
The Committee on Energy and Natural Resources met in open
business session on March 8, 2018, and ordered S. 79 favorably
reported, as amended.
COMMITTEE RECOMMENDATION
The Senate Committee on Energy and Natural Resources, in
open business session on March 8, 2018, by a majority voice
vote of a quorum present, recommends that the Senate pass S.
79, if amended as described herein.
SECTION-BY-SECTION ANALYSIS
Section 1. Short title
Section 1 sets forth a short title.
Section 2. Definitions
Section 2 provides a list of definitions.
Section 3. Pilot program for securing energy infrastructure
Section 3 requires the Secretary to establish a two-year
pilot program within the National Laboratories for the purpose
of partnering with covered entities in the energy sector that
voluntarily participate in the program and evaluating
technology and standards to isolate and defend.
Section 4. Working group to evaluate program standards and develop
strategy
Section 4(a) requires the Secretary to establish a working
group to evaluate the technology and the standards to be used
in the program established under section 3 and to develop a
cyber-informed engineering strategy.
Subsection (b) sets forth requirements for membership to
the working group.
Section 5. Reports on the program
Section 5(a) requires the Secretary to submit an interim
report to appropriate committees of Congress not later than 180
days after funds are first disbursed for the program.
Subsection (b) requires the Secretary to submit a final
report to appropriate committees of Congress not later than 2
years after funds are first disbursed for the program.
Section 6. Exemption from disclosure
Section 6 exempts from disclosure under Federal or State
freedom of information laws information shared by or with the
Federal Government or a State, Tribal, or local government.
Section 7. Protection from liability
Section 7(a) protects covered entities from a cause of
action for engaging in voluntary activities authorized by this
Act.
Subsection (b) provides liability protections for covered
entities for engaging in voluntary activities authorized by
this Act.
Section 8. No new regulatory authority for federal agencies
Section 8 provides that nothing in the Act authorizes the
Secretary or the head of any other federal department or agency
to issue new regulations.
Section 9. Authorization for appropriations
Section 9(a) authorizes $10,000,000 to carry out section 3.
Subsection (b) authorizes $1,500,000 to carry out sections
4 and 5.
Subsection (c) makes the funds authorized under (a) and (b)
available until expended.
COST AND BUDGETARY CONSIDERATIONS
The following estimate of the costs of this measure has
been provided by the Congressional Budget Office:
S. 79 would authorize the appropriation of $10 million for
the Department of Energy (DOE) to carry out a pilot program to
identify security weaknesses in critical infrastructure (for
example, power generation, transmission, and distribution
systems) that could result in a debilitating effect on national
security, economic security, public health, or safety. DOE, in
partnership with participating owners and operators of such
infrastructure, would evaluate technologies and standards that
could be used to defend those assets.
The bill also would authorize the appropriation of $1.5
million for DOE to establish a working group to evaluate the
technologies and standards examined in the pilot program. The
working group also would be required to develop a national
engineering strategy to be used to defend the nation's critical
infrastructure from security vulnerabilities.
Based on historical spending patterns, CBO estimates that
implementing the bill would cost $11.5 million over the 2019-
2023 period, assuming appropriation of the specified amounts.
Enacting S. 79 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting S. 79 would not increase net
direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
S. 79 would impose an intergovernmental mandate, as defined
in the Unfunded Mandates Reform Act (UMRA), on state, local,
and tribal governments. The bill would preempt state and local
laws that would otherwise require governmental agencies
participating in the pilot program to disclose information
about their activities, such as the sharing of cybersecurity
information. Although the preemption would limit the
application of state and local laws, CBO estimates that it
would impose no duty on state or local governments that would
result in additional spending or a loss of revenues. S. 79
contains no private-sector mandates as defined in UMRA.
On September 21, 2017, CBO transmitted a cost estimate for
S. 1761, the Intelligence Authorization Act for Fiscal Year
2018, as reported by the Senate Select Committee on
Intelligence on August 18, 2017. Title V of that bill is
similar to S. 79, and CBO's estimates of the cost of
implementing the two bills are the same.
REGULATORY IMPACT EVALUATION
In compliance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee makes the following
evaluation of the regulatory impact which would be incurred in
carrying out the bill.
The bill is not a regulatory measure in the sense of
imposing Government-established standards or significant
economic responsibilities on private individuals and
businesses.
No personal information would be collected in administering
the program. Therefore, there would be no impact on personal
privacy.
Little, if any, additional paperwork would result from
enactment of the bill, as ordered reported.
CONGRESSIONALLY DIRECTED SPENDING
S. 79, as ordered reported, does not contain any
congressionally directed spending items, limited tax benefits,
or limited tariff benefits as defined in rule XLIV of the
Standing Rules of the Senate.
EXECUTIVE COMMUNICATIONS
The testimony provided by the Department of Energy at the
March 28, 2017, hearing on S. 79 follows:
Written Testimony of Acting Assistant Secretary Patricia Hoffman,
Office of Electricity Delivery and Energy Reliability, Department of
Energy
Chairman Gardner and Ranking Member Manchin, and Members of
the Subcommittee, thank you for continuing to highlight the
importance of a resilient electric power grid and for the
opportunity to provide the initial views of the Department of
Energy (DOE) on S. 79, the Securing Energy Infrastructure Act.
DOE supports the goals of S. 79, which are consistent with the
Department's ongoing role in helping to ensure a resilient,
reliable, and flexible electricity system in an increasingly
challenging environment. DOE would like to work with the
sponsor and this Committee to offer additional input on the
bill as discussed later in this testimony.
Our economy, national security, and even the well-being of
our citizens depend on the reliable delivery of electricity. I
know the Secretary is personally engaged in the cybersecurity
issues facing the energy sector. Under his leadership, the
Department's role in cybersecurity is a very high priority. The
mission of the Office of Electricity Delivery and Energy
Reliability (DOE-OE) is to strengthen, transform, and improve
energy infrastructure to ensure access to reliable and secure
sources of energy. We are committed to working with our public
and private sector partners to protect the Nation's critical
energy infrastructure, including the electric power grid, from
physical security events, natural and man-made disasters, and
cybersecurity breaches.
Over the past decade, the Nation's energy infrastructure
has become a major target of cyberattacks. The frequency,
scale, and sophistication of cyber threats have increased and
attacks have become easier to launch. Cyber incidents have the
potential to interrupt energy services, damage highly
specialized equipment, and threaten human health and safety. As
a result, energy cybersecurity and resilience has emerged as
one of the Nation's most important security challenges and
fostering partnerships with public and private stakeholders
will be of utmost importance in this work.
importance of cybersecurity for energy systems
Initial thoughts of cybersecurity often turn to computer
servers and desktops, information technology (IT). Hackers
target computing technology and business applications to cause
disruptions--obtaining access to email accounts and personal
information, data exfiltration to be released to the world at
large. The energy sector is not immune to such attacks.
In the 2012 Shamoon attack, weaponized malware hit 15 state
bodies and private companies in Saudi Arabia, wiping more than
35,000 hard drives of Saudi Aramco, from which the company took
more than two weeks to recover. And again in January of this
year, Shamoon 2 hit three state agencies and four private
sector companies in Saudi Arabia, leaving them offline for at
least 48 hours.
These cyberattacks affect not only business systems, but
can also target the operating technology of energy delivery
systems and other critical infrastructure as well. Electric
utilities, oil and natural gas providers, hydro and nuclear
facilities, along with financial, water, communications,
transportation, and healthcare sectors are prime targets for
cyber-attacks. The disruption of any one of these is not only
inherently problematic, it also hampers the ability to respond
to any type of emergency event.
In December 2015, the first known successful cyber-attack
on a power grid took place in Ukraine. Over 225,000 residents
were left without power for several hours in the coordinated
attack, and a second attack occurred in December 2016 that left
portions of Kiev without electricity. Domestically, the 2013
cyber-attack on the Bowman Dam in Rye, New York illustrated the
multitude of targets available to and being surveilled by
hackers.
the ecosystem of resilience
To address these challenges, it is critical for us to be
proactive and cultivate what I call an ecosystem of resilience:
a network of producers, distributors, regulators, vendors, and
public partners, acting together to strengthen our ability to
prepare, respond, and recover. We continue to partner with
industry, Federal agencies, local governments, and other
stakeholders to quickly identify threats, develop in-depth
strategies to mitigate those threats, and rapidly respond to
any disruptions. The DOE National Laboratories have been the
keystone in many endeavors to address new and existing
cybersecurity concerns.
importance of partnerships
The U.S. Department of Energy has collaborated with the
energy sector for nearly two decades in voluntary public-
private partnerships that engage energy owners and operators at
all levels--technical, operational, and executive, along with
state and local governments--to identify and mitigate physical
and cyber risks to energy systems.
These partnerships are built on a foundation of earned
trust that promotes the mutual exchange of information and
resources to improve the security and resilience of critical
energy infrastructures. These relationships acknowledge the
special security challenges of energy delivery systems and
leverage the distinct technical expertise within industry and
government to develop solutions.
The security and integrity of energy infrastructure is both
a state and Federal government concern because energy underpins
the operations of every other type of critical infrastructure;
the economy; and public health and safety. The owners and
operators of energy infrastructure, however, have the primary
responsibility for the full spectrum of cybersecurity risk
management: identify assets, protect critical systems, detect
incidents, respond to incidents, and recover to normal
operations.
The first responder when the lights go out or gasoline
stops flowing in the pipelines is not immediately the state or
Federal Government; rather, it is industry. This is why public-
private partnerships regarding cybersecurity are paramount--
they recognize the distinct roles and capabilities of industry
and government in managing our critical energy infrastructure
risks.
Two of those partnerships are the Electricity Subsector
Coordinating Council and the Oil and Natural Gas Subsector
Coordinating Council, extremely strong partnerships in which
DOE-OE is engaged. Each serves as a primary conduit between
industry and the government to prepare for, and respond to,
national-level disasters or threats to critical infrastructure.
Through these relationships, cybersecurity issues can be
addressed more completely and with multiple stakeholder input.
doe authority in cybersecurity
DOE's role in energy sector cybersecurity is established in
statute and executive action. In 2015, through the Fixing
America's Surface Transportation Act (FAST Act), Congress
assigned DOE as the lead Sector-Specific Agency (SSA) for
cybersecurity for the energy sector, building upon previous
Presidential Policy Directives (PPD). PPD-41 issued in July
2016, further clarified the role of DOE as a SSA during a
significant cyber incident.
The FAST Act also gave the Secretary of Energy new
authority, upon declaration of a Grid Security Emergency by the
President, to issue emergency orders to protect or restore
critical electric infrastructure or defense critical electric
infrastructure. This authority allows DOE to respond as needed
to the threat of cyber and physical attacks on the grid. DOE is
developing a proposed rule of procedure regarding this new
authority.
While the private sector is responsible for all aspects of
cybersecurity risk management of their energy systems, DOE and
the Federal government play critical roles in supporting
industry functions in several ways: providing partnership
mechanisms that support collaboration and trust; developing
supportive policies that encourage voluntary cybersecurity in
the energy sector; developing tools and capabilities to conduct
risk analysis; leveraging government capabilities to gather
intelligence on threats and vulnerabilities, and share
actionable intelligence with energy owners and operators in a
timely manner; supporting energy sector incident coordination
and response; facilitating the development of cybersecurity
standards; and, promoting and supporting innovation and R&D for
next-generation physical-cyber systems.
doe's research and development activities in cybersecurity and
resilience through the national laboratories
Intentional, malicious challenges to our energy systems are
on the rise and we are seeing threats continually increase in
number and sophistication. This evolution has profound impacts
on the energy sector.
Cybersecurity for energy control systems is much different
than typical IT systems. Power systems must operate
continuously with high reliability and availability. Upgrades
and patches can be difficult and time consuming, with
components dispersed over wide geographic regions. Further,
many assets are in publicly accessible areas where they can be
subject to physical tampering. Real time operations are
imperative and latency is unacceptable for many applications.
Immediate emergency response capability is mandatory and active
scanning of the network can be difficult. As a result, our
National Laboratories conduct cybersecurity R&D taking into
account these systemic characteristics.
DOE-OE's Cybersecurity for Energy Delivery Systems (CEDS)
R&D program aligns activities with Federal and private sector
priorities, envisioning resilient energy delivery control
systems designed, installed, operated, and maintained to
survive a cyber incident while sustaining critical functions.
The CEDS R&D program is designed to assist the energy
sector asset owners by developing cybersecurity solutions for
energy delivery systems through a focused research and
development effort. DOE-OE co-funds projects with industry
partners to make advances in cybersecurity capabilities for
energy delivery systems. These research partnerships are
helping to detect, prevent, and mitigate the consequences of a
cyber-incident for our present and future energy delivery
systems.
Since 2010, DOE-OE has invested more than $210 million in
cybersecurity research, development, and demonstration projects
that are led by industry, universities, and the National
Laboratories. These investments have resulted in more than 35
new tools and technologies that are now being used to further
advance the resilience of the Nation's energy delivery systems.
Through all of these R&D efforts, our National Laboratories
have been--and continue to be--heavily engaged in their own
efforts and in partnerships with academia and industry
stakeholders. The following are examples of the types of
cybersecurity advancements currently pursued at our National
Laboratories, building off of successful cybersecurity tools
and technologies already developed:
Argonne National Laboratory is currently
working on a resilient self-healing cybersecurity
framework for the power grid that will leverage Wide-
Area Monitoring, Protection, and Control to prevent and
mitigate cyber-attacks. The project will develop tools
to prevent and mitigate cyber-attacks and enhance the
resilience of the bulk power system.
Argonne is also working on a cloud and
outsourcing security framework for power grid
applications as well as cybersecurity for distributed
energy resources (DER). This project will help ensure
that implementation of cloud-based architecture and DER
in the energy sector are deployed with security built-
in to maintain resilience during cyber-attacks.
An online tool being developed by Brookhaven
National Laboratory will help utilities to detect,
mitigate, and evaluate the potential impact of various
cyberattack scenarios to reduce the risk that malicious
compromise of essential forecasting data used for grid
scheduling and operation might result in disruption of
energy delivery.
The Validation and Measuring Automated
Response Project led by the Idaho National Laboratory
is providing a cyber-incident response comparison
capability and enabling industry to work towards an
automated response capability to a cyber-incident and
measuring the efficacy of automated response to drive
future improvements.
Lawrence Berkeley National Laboratory has an
effort underway utilizing real-time micro-synchrophasor
measurements and other telemetry in the distribution
system to enhance identification and detection of
current and future cybersecurity vulnerabilities in the
power distribution grid to provide a more reliable,
robust, scalable, and cost-effective means of detecting
cyber-attack scenarios compared to traditional
approaches.
Pacific Northwest National Laboratory is
developing visualizations that power system operators
and/or cybersecurity professionals can use to make
fast, accurate assessments of situations, enabling them
to maintain situation awareness during unfolding
events. The visualization tool will reduce the burden
on the operators and enable them to make faster
decisions and maintain cybersecurity situational
awareness.
Pacific Northwest National Laboratory is
also working on a project evaluating existing Live
Analysis monitoring and detection tools for energy
delivery systems use. The research seeks to develop a
tool that could provide evidence of anomalous cyber
behavior on a live energy delivery system without
interrupting energy delivery.
The Artificial Diversity and Defense
Security (ADDSec) project at Sandia National Laboratory
is developing defensive technologies that randomly and
automatically reconfigure energy delivery operational
network parameters moment-by-moment to impede
reconnaissance and cyber-attack planning. ADDSec will
increase the security of both legacy and modern energy
delivery systems by converting these traditionally
static systems into moving targets.
``Sophia'' is a tool researched and
developed by the Idaho National Laboratory (INL) that
enhances continuous situational awareness of energy
delivery control system communications and helps detect
potential cybersecurity concerns. The technology helps
strengthen the cybersecurity of our Nation's energy
infrastructure today and of note is the fact INL
successfully transitioned this technology to commercial
use through a licensing agreement.
Similarly, Oak Ridge National Laboratory
licensed the developed ``Hyperion'' software
technology. This software can quickly recognize
malicious code even if the specific program has not
been previously identified as a threat and before it
has a chance to execute.
Also in the process of transitioning to
commercialization is Sandia National Laboratory's
``CodeSeal.'' CodeSeal is a cryptographically secure
code obfuscation technology that prevents reverse
engineering, or malicious modification of energy
delivery system code, even if that code is executed on
a compromised system.
s. 79
The U.S. Department of Energy is tremendously proud of the
role our National Laboratories have played in the advancement
of cybersecurity technologies for our Nation's energy
infrastructure. We also appreciate the opportunity to provide
technical assistance on S. 79. It appears that the intent of
the legislation is to strengthen our cybersecurity posture by
directing the National Laboratories to undertake a study of the
systems most critical to national security and to the grid.
In considering the legislation, DOE notes that many energy
sector entities already conduct such assessments to comply with
mandatory Critical Infrastructure Protection standards set by
the Federal Energy Regulatory Commission and the North American
Electric Reliability Corporation or as part of their due
diligence in ensuring their system is reliable and capable of
providing uninterrupted service in the face of today's evolving
cyber threat landscape.
conclusion
Cyber threats to the energy sector continue to evolve, and
DOE is working diligently to stay ahead of the curve. The
solution is an ecosystem of resilience that works in
partnership with local, state, and industry stakeholders to
help provide the methods, strategies, and tools needed to help
protect the Nation's energy infrastructure through increased
resilience and flexibility.
One of the cornerstones to this ecosystem of resilience is
the DOE National Laboratories and the significant contributions
they provide through their cybersecurity technology
advancements. Building an ecosystem of resilience is--by
definition--a shared endeavor, and keeping a focus on
partnerships remains an imperative. DOE will continue its years
of work fostering these relationships and investing in
technologies to enhance resilience and security, ensuring the
electric power grid continues to be able to withstand and
recover quickly from disasters and attacks.
CHANGES IN EXISTING LAW
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, the Committee notes that no
changes in existing law are made by the bill S. 79 as ordered
reported.
[all]