[Senate Report 116-71]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 173
116th Congress       }                                  {       Report
                                 SENATE
 1st Session         }                                  {       116-71

======================================================================



 
                   SECURING ENERGY INFRASTRUCTURE ACT

                                _______
                                

                August 16, 2019.--Ordered to be printed

  Filed, under authority of the order of the Senate of August 1, 2019

                                _______
                                

        Ms. Murkowski, from the Committee on Energy and Natural
                   Resources, submitted the following

                              R E P O R T

                         [To accompany S. 174]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Energy and Natural Resources, to which was 
referred the bill (S. 174) to provide for the establishment of 
a pilot program to identify security vulnerabilities of certain 
entities in the energy sector, having considered the same, 
reports favorably thereon with an amendment, and recommends 
that the bill, as amended, do pass.

                               AMENDMENT

    The amendment is as follows:
    On page 2, lines 13 and 14, strike ``entity identified 
pursuant to section 9(a)'' and insert ``owner or operator 
described in section 9(c)''.

                                PURPOSE

    The purpose of S. 174 is to provide for the establishment 
of a pilot program to identify security vulnerabilities of 
certain entities in the energy sector.

                          BACKGROUND AND NEED

    Critical infrastructures within the United States are 
enticing targets to malicious actors. Notably, these include 
industrial control systems, which are operational technologies 
used to measure, control, or manage industrial functions (e.g., 
supervisory control and data acquisition systems). Industrial 
control systems are used in oil and gas pipelines, in electric 
power generation, transmission, and distribution, in the energy 
sector, and across other sectors such as water management and 
mass transit. Top officials within the intelligence, defense, 
and power communities have warned that the United States 
remains vulnerable to cyber attacks on these systems, which 
could result in catastrophic damage to public health and 
safety, economic security, and national security.
    In December 2015, a cyber attack on Ukraine's power grid 
that featured sophisticated cyber attack techniques plunged 
more than 225,000 people into darkness. According to the 
Department of Homeland Security, that cyber attack was 
coordinated to target the Ukrainian power grid's industrial 
control systems. Those systems act as the intermediary between 
computers and the switches that control the distribution of 
electricity. The 2015 attack could well have been worse. 
However, Ukraine still relies on manual technology to operate 
its grid to a greater extent than most American utility 
operators. The Ukraine event brought even greater public 
attention to grid-related cybersecurity risks and highlighted a 
need for prudent action to protect other critical 
infrastructure as well. Experts have warned of the need to 
understand security vulnerabilities, particularly as they 
relate to industrial control systems. The Committee has held 
several hearings regarding the vulnerability of the energy 
sector to cyber attack.
    As it has become increasingly clear that industrial control 
systems are vulnerable to attack, it has also become apparent 
that there is insufficient information available to the 
Department of Energy, the national laboratories, electric 
utilities, manufacturers of grid-related equipment, and other 
interested entities about the security vulnerabilities of these 
systems. Also lacking is a sufficient evaluation of technology 
and standards to isolate and defend industrial control systems 
from security vulnerabilities in the most critical systems. 
Finally, as identifying cyber vulnerabilities and defending 
against them is a responsibility shared by multiple government 
agencies and private sector institutions, including asset 
owners, further opportunities for working-level collaboration 
by these entities are necessary.

                          LEGISLATIVE HISTORY

    S. 174 was introduced by Senators King, Risch, Heinrich, 
Collins, and Crapo on January 17, 2019.
    Companion legislation, H.R. 680, was introduced in the 
House of Representatives by Representatives Ruppersberger and 
Carter, on January 17, 2019, and referred to the Committee on 
Science, Space, and Technology.
    In the 115th Congress, Senators King, Risch, Heinrich, 
Collins, and Crapo introduced similar legislation, S. 79, on 
January 10, 2017. The Subcommittee on Energy held a hearing on 
S. 79 on March 28, 2017 (S. Hrg. 115-262). The Committee on 
Energy and Natural Resources met in open business session on 
March 8, 2018, and ordered S. 79 favorably reported, as amended 
(S. Rept. 115-246). The Senate passed S. 79, with the committee 
amendment, on December 28, 2018, by voice vote.
    In the 114th Congress, Senators King, Risch, Collins, and 
Heinrich introduced similar legislation, S. 3018, on June 6, 
2016. The Subcommittee on Energy held a hearing on S. 3018 on 
July 12, 2016 (S. Hrg. 114-505).
    The Senate Committee on Energy and Natural Resources met in 
open business session on July 16, 2019, and ordered S. 174 
favorably reported, as amended.

                        COMMITTEE RECOMMENDATION

    The Senate Committee on Energy and Natural Resources, in 
open business session on July 16, 2019, by a majority voice 
vote of a quorum present, recommends that the Senate pass S. 
174, if amended as described herein.

                          COMMITTEE AMENDMENT

    During its consideration of S. 174, the Committee adopted 
an amendment. The amendment modifies the definition of a 
covered entity to mean owners and operators of critical 
infrastructure described in section 9(c) of Executive Order 
13636 issued on February 12, 2013 (78 Fed. Reg. 11742).

                      SECTION-BY-SECTION ANALYSIS

Section 1. Short title

    Section 1 sets forth a short title.

Sec. 2. Definitions

    Section 2 defines key terms.

Sec. 3. Pilot program for securing energy infrastructure

    Section 3 requires the Secretary of Energy (Secretary) to 
establish a two-year pilot program within the national 
laboratories for the purpose of partnering with covered 
entities in the energy sector that voluntarily participate in 
the program and evaluating technology and standards to isolate 
and defend industrial control systems.

Sec. 4. Working group to evaluate program standards and develop 
        strategy

    Section 4(a) directs the Secretary to establish a working 
group to evaluate the technology and the standards to be used 
in the pilot program and to develop a cyber-informed 
engineering strategy.
    Subsection (b) sets forth requirements for membership to 
the working group.

Sec. 5. Reports on the program

    Section 5(a) requires the Secretary to submit an interim 
report to appropriate Congressional committees not later than 
180 days after funds are first disbursed for the program.
    Subsection (b) requires the Secretary to submit a final 
report to appropriate Congressional committees not later than 
two years after funds are first disbursed for the program.

Sec. 6. Exemption from disclosure

    Section 6 exempts information shared by or with the Federal 
Government or a State, Tribal, or local government from 
disclosure under Federal, State, Tribal, or local freedom of 
information laws.

Sec. 7. Protection from liability

    Section 7(a) protects covered entities from a cause of 
action for engaging in voluntary activities authorized by this 
measure.
    Subsection (b) provides liability protections for covered 
entities for engaging in voluntary activities authorized by 
this measure.

Sec. 8. No new regulatory authority for federal agencies

    Section 8 provides that nothing in the bill authorizes the 
Secretary or the head of any other Federal department or agency 
to issue new regulations.

Sec. 9. Authorization of appropriations

    Section 9(a) authorizes $10 million to carry out section 3.
    Subsection (b) authorizes $1.5 million to carry out 
sections 4 and 5.
    Subsection (c) makes the funds authorized under (a) and (b) 
available until expended.

                   COST AND BUDGETARY CONSIDERATIONS

    The following estimate of the costs of this measure has 
been provided by the Congressional Budget Office:

    S. 174 would authorize the appropriation of $10 million for 
the Department of Energy (DOE) to carry out a pilot program to 
identify security weaknesses in critical infrastructure (for 
example, power generation, transmission, and distribution 
systems) that could result in debilitating effects on national 
security, economic security, public health, or safety. DOE, in 
partnership with participating owners and operators of such 
infrastructure, would evaluate technologies and standards that 
could be used to defend those assets.
    The bill also would authorize the appropriation of $1.5 
million for DOE to establish a working group to evaluate the 
technologies and standards examined in the pilot program. The 
working group also would be required to develop a national 
engineering strategy to be used to protect the nation's 
critical infrastructure from security vulnerabilities.
    On the basis of historical spending patterns, CBO estimates 
that implementing the bill would cost $11.5 million over the 
2020-2024 period, subject to appropriation of the specified 
amounts.
    S. 174 would impose an intergovernmental mandate, as 
defined in the Unfunded Mandates Reform Act (UMRA), on state, 
local, and tribal governments. The bill would preempt state and 
local laws that would otherwise require governmental agencies 
participating in the pilot program to disclose information 
about their activities, such as sharing cybersecurity 
information. Although the preemption would limit the 
application of state and local laws, CBO estimates that it 
would impose no duty on state or local governments that would 
result in additional spending or a loss of revenues.
    S. 174 contains no private-sector mandates as defined in 
UMRA.
    The CBO staff contacts for this estimate are William Ma 
(for federal costs) and Brandon Lever (for mandates). The 
estimate was reviewed by Leo Lex, Deputy Assistant Director for 
Budget Analysis.

                      REGULATORY IMPACT EVALUATION

    In compliance with paragraph 11(b) of rule XXVI of the 
Standing Rules of the Senate, the Committee makes the following 
evaluation of the regulatory impact which would be incurred in 
carrying out S. 174. The bill is not a regulatory measure in 
the sense of imposing Government-established standards or 
significant economic responsibilities on private individuals 
and businesses.
    No personal information would be collected in administering 
the program. Therefore, there would be no impact on personal 
privacy.
    Little, if any, additional paperwork would result from the 
enactment of S. 174, as ordered reported.

                   CONGRESSIONALLY DIRECTED SPENDING

    S. 174, as ordered reported, does not contain any 
congressionally directed spending items, limited tax benefits, 
or limited tariff benefits as defined in rule XLIV of the 
Standing Rules of the Senate.

                        EXECUTIVE COMMUNICATIONS

    The testimony provided by the Department of Energy at the 
March 28, 2017, hearing on S. 79, similar legislation to S. 
174, follows:

   Written Testimony of Acting Assistant Secretary Patricia Hoffman, 
Office of Electricity Delivery and Energy Reliability, U.S. Department 
                               of Energy

    Chairman Gardner and Ranking Member Manchin, and Members of 
the Subcommittee, thank you for continuing to highlight the 
importance of a resilient electric power grid and for the 
opportunity to provide the initial views of the Department of 
Energy (DOE) on S. 79, the Securing Energy Infrastructure Act. 
DOE supports the goals of S. 79, which are consistent with the 
Department's ongoing role in helping to ensure a resilient, 
reliable, and flexible electricity system in an increasingly 
challenging environment. DOE would like to work with the 
sponsor and this Committee to offer additional input on the 
bill as discussed later in this testimony.
    Our economy, national security, and even the well-being of 
our citizens depend on the reliable delivery of electricity. I 
know the Secretary is personally engaged in the cybersecurity 
issues facing the energy sector. Under his leadership, the 
Department's role in cybersecurity is a very high priority. The 
mission of the Office of Electricity Delivery and Energy 
Reliability (DOE-OE) is to strengthen, transform, and improve 
energy infrastructure to ensure access to reliable and secure 
sources of energy. We are committed to working with our public 
and private sector partners to protect the Nation's critical 
energy infrastructure, including the electric power grid, from 
physical security events, natural and man-made disasters, and 
cybersecurity breaches.
    Over the past decade, the Nation's energy infrastructure 
has become a major target of cyberattacks. The frequency, 
scale, and sophistication of cyber threats have increased and 
attacks have become easier to launch. Cyber incidents have the 
potential to interrupt energy services, damage highly 
specialized equipment, and threaten human health and safety. As 
a result, energy cybersecurity and resilience has emerged as 
one of the Nation's most important security challenges and 
fostering partnerships with public and private stakeholders 
will be of utmost importance in this work.
Importance of cybersecurity for energy systems
    Initial thoughts of cybersecurity often turn to computer 
servers and desktops, information technology (IT). Hackers 
target computing technology and business applications to cause 
disruptions--obtaining access to email accounts and personal 
information, data exfiltration to be released to the world at 
large. The energy sector is not immune to such attacks.
    In the 2012 Shamoon attack, weaponized malware hit 15 state 
bodies and private companies in Saudi Arabia, wiping more than 
35,000 hard drives of Saudi Aramco, from which the company took 
more than two weeks to recover. And again in January of this 
year, Shamoon 2 hit three state agencies and four private 
sector companies in Saudi Arabia, leaving them offline for at 
least 48 hours.
    These cyberattacks affect not only business systems, but 
can also target the operating technology of energy delivery 
systems and other critical infrastructure as well. Electric 
utilities, oil and natural gas providers, hydro and nuclear 
facilities, along with financial, water, communications, 
transportation, and healthcare sectors are prime targets for 
cyber-attacks. The disruption of any one of these is not only 
inherently problematic, it also hampers the ability to respond 
to any type of emergency event.
    In December 2015, the first known successful cyber-attack 
on a power grid took place in Ukraine. Over 225,000 residents 
were left without power for several hours in the coordinated 
attack, and a second attack occurred in December 2016 that left 
portions of Kiev without electricity. Domestically, the 2013 
cyber-attack on the Bowman Dam in Rye, New York illustrated the 
multitude of targets available to and being surveilled by 
hackers.
The ecosystem of resilience
    To address these challenges, it is critical for us to be 
proactive and cultivate what I call an ecosystem of resilience: 
a network of producers, distributors, regulators, vendors, and 
public partners, acting together to strengthen our ability to 
prepare, respond, and recover. We continue to partner with 
industry, Federal agencies, local governments, and other 
stakeholders to quickly identify threats, develop in-depth 
strategies to mitigate those threats, and rapidly respond to 
any disruptions. The DOE National Laboratories have been the 
keystone in many endeavors to address new and existing 
cybersecurity concerns.
Importance of partnerships
    The U.S. Department of Energy has collaborated with the 
energy sector for nearly two decades in voluntary public-
private partnerships that engage energy owners and operators at 
all levels--technical, operational, and executive, along with 
state and local governments--to identify and mitigate physical 
and cyber risks to energy systems.
    These partnerships are built on a foundation of earned 
trust that promotes the mutual exchange of information and 
resources to improve the security and resilience of critical 
energy infrastructures. These relationships acknowledge the 
special security challenges of energy delivery systems and 
leverage the distinct technical expertise within industry and 
government to develop solutions.
    The security and integrity of energy infrastructure is both 
a state and Federal government concern because energy underpins 
the operations of every other type of critical infrastructure; 
the economy; and public health and safety. The owners and 
operators of energy infrastructure, however, have the primary 
responsibility for the full spectrum of cybersecurity risk 
management: identify assets, protect critical systems, detect 
incidents, respond to incidents, and recover to normal 
operations.
    The first responder when the lights go out or gasoline 
stops flowing in the pipelines is not immediately the state or 
Federal Government; rather, it is industry. This is why public-
private partnerships regarding cybersecurity are paramount--
they recognize the distinct roles and capabilities of industry 
and government in managing our critical energy infrastructure 
risks.
    Two of those partnerships are the Electricity Subsector 
Coordinating Council and the Oil and Natural Gas Subsector 
Coordinating Council, extremely strong partnerships in which 
DOE-OE is engaged. Each serves as a primary conduit between 
industry and the government to prepare for, and respond to, 
national-level disasters or threats to critical infrastructure. 
Through these relationships, cybersecurity issues can be 
addressed more completely and with multiple stakeholder input.
DOE authority in cybersecurity
    DOE's role in energy sector cybersecurity is established in 
statute and executive action. In 2015, through the Fixing 
America's Surface Transportation Act (FAST Act), Congress 
assigned DOE as the lead Sector-Specific Agency (SSA) for 
cybersecurity for the energy sector, building upon previous 
Presidential Policy Directives (PPD). PPD-41, issued in July 
2016, further clarified the role of DOE as a SSA during a 
significant cyber incident.
    The FAST Act also gave the Secretary of Energy new 
authority, upon declaration of a Grid Security Emergency by the 
President, to issue emergency orders to protect or restore 
critical electric infrastructure or defense critical electric 
infrastructure. This authority allows DOE to respond as needed 
to the threat of cyber and physical attacks on the grid. DOE is 
developing a proposed rule of procedure regarding this new 
authority.
    While the private sector is responsible for all aspects of 
cybersecurity risk management of their energy systems, DOE and 
the Federal government play critical roles in supporting 
industry functions in several ways: providing partnership 
mechanisms that support collaboration and trust; developing 
supportive policies that encourage voluntary cybersecurity in 
the energy sector; developing tools and capabilities to conduct 
risk analysis; leveraging government capabilities to gather 
intelligence on threats and vulnerabilities, and share 
actionable intelligence with energy owners and operators in a 
timely manner; supporting energy sector incident coordination 
and response; facilitating the development of cybersecurity 
standards; and, promoting and supporting innovation and R&D for 
next-generation physical-cyber systems.
DOE's research and development activities in cybersecurity and 
        resilience through the National Laboratories
    Intentional, malicious challenges to our energy systems are 
on the rise and we are seeing threats continually increase in 
number and sophistication. This evolution has profound impacts 
on the energy sector.
    Cybersecurity for energy control systems is much different 
than typical IT systems. Power systems must operate 
continuously with high reliability and availability. Upgrades 
and patches can be difficult and time consuming, with 
components dispersed over wide geographic regions. Further, 
many assets are in publicly accessible areas where they can be 
subject to physical tampering. Real time operations are 
imperative and latency is unacceptable for many applications. 
Immediate emergency response capability is mandatory and active 
scanning of the network can be difficult. As a result, our 
National Laboratories conduct cybersecurity R&D taking into 
account these systemic characteristics.
    DOE-OE's Cybersecurity for Energy Delivery Systems (CEDS) 
R&D program aligns activities with Federal and private sector 
priorities, envisioning resilient energy delivery control 
systems designed, installed, operated, and maintained to 
survive a cyber incident while sustaining critical functions.
    The CEDS R&D program is designed to assist the energy 
sector asset owners by developing cybersecurity solutions for 
energy delivery systems through a focused research and 
development effort. DOE-OE co-funds projects with industry 
partners to make advances in cybersecurity capabilities for 
energy delivery systems. These research partnerships are 
helping to detect, prevent, and mitigate the consequences of a 
cyber-incident for our present and future energy delivery 
systems.
    Since 2010, DOE-OE has invested more than $210 million in 
cybersecurity research, development, and demonstration projects 
that are led by industry, universities, and the National 
Laboratories. These investments have resulted in more than 35 
new tools and technologies that are now being used to further 
advance the resilience of the Nation's energy delivery systems.
    Through all of these R&D efforts, our National Laboratories 
have been--and continue to be--heavily engaged in their own 
efforts and in partnerships with academia and industry 
stakeholders. The following are examples of the types of 
cybersecurity advancements currently pursued at our National 
Laboratories, building off of successful cybersecurity tools 
and technologies already developed:
     Argonne National Laboratory is currently working 
on a resilient self-healing cybersecurity framework for the 
power grid that will leverage Wide-Area Monitoring, Protection, 
and Control to prevent and mitigate cyber-attacks. The project 
will develop tools to prevent and mitigate cyber-attacks and 
enhance the resilience of the bulk power system.
     Argonne is also working on a cloud and outsourcing 
security framework for power grid applications as well as 
cybersecurity for distributed energy resources (DER). This 
project will help ensure that implementation of cloud-based 
architecture and DER in the energy sector are deployed with 
security built-in to maintain resilience during cyber-attacks.
     An online tool being developed by Brookhaven 
National Laboratory will help utilities to detect, mitigate, 
and evaluate the potential impact of various cyberattack 
scenarios to reduce the risk that malicious compromise of 
essential forecasting data used for grid scheduling and 
operation might result in disruption of energy delivery.
     The Validation and Measuring Automated Response 
Project led by the Idaho National Laboratory is providing a 
cyber-incident response comparison capability and enabling 
industry to work towards an automated response capability to a 
cyber-incident and measuring the efficacy of automated response 
to drive future improvements.
     Lawrence Berkeley National Laboratory has an 
effort underway utilizing real-time micro-synchrophasor 
measurements and other telemetry in the distribution system to 
enhance identification and detection of current and future 
cybersecurity vulnerabilities in the power distribution grid to 
provide a more reliable, robust, scalable, and cost-effective 
means of detecting cyber-attack scenarios compared to 
traditional approaches.
     Pacific Northwest National Laboratory is 
developing visualizations that power system operators and/or 
cybersecurity professionals can use to make fast, accurate 
assessments of situations, enabling them to maintain situation 
awareness during unfolding events. The visualization tool will 
reduce the burden on the operators and enable them to make 
faster decisions and maintain cybersecurity situational 
awareness.
     Pacific Northwest National Laboratory is also 
working on a project evaluating existing Live Analysis 
monitoring and detection tools for energy delivery systems use. 
The research seeks to develop a tool that could provide 
evidence of anomalous cyber behavior on a live energy delivery 
system without interrupting energy delivery.
     The Artificial Diversity and Defense Security 
(ADDSec) project at Sandia National Laboratory is developing 
defensive technologies that randomly and automatically 
reconfigure energy delivery operational network parameters 
moment-by-moment to impede reconnaissance and cyber-attack 
planning. ADDSec will increase the security of both legacy and 
modern energy delivery systems by converting these 
traditionally static systems into moving targets.
     ``Sophia'' is a tool researched and developed by 
the Idaho National Laboratory (INL) that enhances continuous 
situational awareness of energy delivery control system 
communications and helps detect potential cybersecurity 
concerns. The technology helps strengthen the cybersecurity of 
our Nation's energy infrastructure today and of note is the 
fact INL successfully transitioned this technology to 
commercial use through a licensing agreement.
     Similarly, Oak Ridge National Laboratory licensed 
the developed ``Hyperion'' software technology. This software 
can quickly recognize malicious code even if the specific 
program has not been previously identified as a threat and 
before it has a chance to execute.
     Also in the process of transitioning to 
commercialization is Sandia National Laboratory's ``CodeSeal.'' 
CodeSeal is a cryptographically secure code obfuscation 
technology that prevents reverse engineering, or malicious 
modification of energy delivery system code, even if that code 
is executed on a compromised system.
S. 79
    The U.S. Department of Energy is tremendously proud of the 
role our National Laboratories have played in the advancement 
of cybersecurity technologies for our Nation's energy 
infrastructure. We also appreciate the opportunity to provide 
technical assistance on S. 79. It appears that the intent of 
the legislation is to strengthen our cybersecurity posture by 
directing the National Laboratories to undertake a study of the 
systems most critical to national security and to the grid.
    In considering the legislation, DOE notes that many energy 
sector entities already conduct such assessments to comply with 
mandatory Critical Infrastructure Protection standards set by 
the Federal Energy Regulatory Commission and the North American 
Electric Reliability Corporation or as part of their due 
diligence in ensuring their system is reliable and capable of 
providing uninterrupted service in the face of today's evolving 
cyber threat landscape.
Conclusion
    Cyber threats to the energy sector continue to evolve, and 
DOE is working diligently to stay ahead of the curve. The 
solution is an ecosystem of resilience that works in 
partnership with local, state, and industry stakeholders to 
help provide the methods, strategies, and tools needed to help 
protect the Nation's energy infrastructure through increased 
resilience and flexibility.
    One of the cornerstones to this ecosystem of resilience is 
the DOE National Laboratories and the significant contributions 
they provide through their cybersecurity technology 
advancements. Building an ecosystem of resilience is--by 
definition--a shared endeavor, and keeping a focus on 
partnerships remains an imperative. DOE will continue its years 
of work fostering these relationships and investing in 
technologies to enhance resilience and security, ensuring the 
electric power grid continues to be able to withstand and 
recover quickly from disasters and attacks.

                        CHANGES IN EXISTING LAW

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, the Committee notes that no 
changes in existing law are made by the bill as ordered 
reported.
