[Senate Report 116-71]
[From the U.S. Government Publishing Office]
Calendar No. 173
116th Congress, 1st Session
SENATE
Report 116-71
======================================================================
SECURING ENERGY INFRASTRUCTURE ACT
_______
August 16, 2019.--Ordered to be printed
Filed, under authority of the order of the Senate of August 1, 2019
_______
Ms. Murkowski, from the Committee on Energy and Natural
Resources, submitted the following
R E P O R T
[To accompany S. 174]
[Including cost estimate of the Congressional Budget Office]
The Committee on Energy and Natural Resources, to which was
referred the bill (S. 174) to provide for the establishment of
a pilot program to identify security vulnerabilities of certain
entities in the energy sector, having considered the same,
reports favorably thereon with an amendment, and recommends
that the bill, as amended, do pass.
AMENDMENT
The amendment is as follows:
On page 2, lines 13 and 14, strike ``entity identified
pursuant to section 9(a)'' and insert ``owner or operator
described in section 9(c)''.
PURPOSE
The purpose of S. 174 is to provide for the establishment
of a pilot program to identify security vulnerabilities of
certain entities in the energy sector.
BACKGROUND AND NEED
Critical infrastructures within the United States are
enticing targets to malicious actors. Notably, these include
industrial control systems, which are operational technologies
used to measure, control, or manage industrial functions (e.g.,
supervisory control and data acquisition systems). Industrial
control systems are used in oil and gas pipelines, in electric
power generation, transmission, and distribution, in the energy
sector, and across other sectors such as water management and
mass transit. Top officials within the intelligence, defense,
and power communities have warned that the United States
remains vulnerable to cyber attacks on these systems, which
could result in catastrophic damage to public health and
safety, economic security, and national security.
In December 2015, a cyber attack on Ukraine's power grid
that featured sophisticated cyber attack techniques plunged
more than 225,000 people into darkness. According to the
Department of Homeland Security, that cyber attack was
coordinated to target the Ukrainian power grid's industrial
control systems. Those systems act as the intermediary between
computers and the switches that control the distribution of
electricity. The 2015 attack could well have been worse.
However, Ukraine still relies on manual technology to operate
its grid to a greater extent than most American utility
operators. The Ukraine event brought even greater public
attention to grid-related cybersecurity risks and highlighted a
need for prudent action to protect other critical
infrastructure as well. Experts have warned of the need to
understand security vulnerabilities, particularly as they
relate to industrial control systems. The Committee has held
several hearings regarding the vulnerability of the energy
sector to cyber attack.
As it has become increasingly clear that industrial control
systems are vulnerable to attack, it has also become apparent
that there is insufficient information available to the
Department of Energy, the national laboratories, electric
utilities, manufacturers of grid-related equipment, and other
interested entities about the security vulnerabilities of these
systems. Also lacking is a sufficient evaluation of technology
and standards to isolate and defend industrial control systems
from security vulnerabilities in the most critical systems.
Finally, as identifying cyber vulnerabilities and defending
against them is a responsibility shared by multiple government
agencies and private sector institutions, including asset
owners, further opportunities for working-level collaboration
by these entities are necessary.
LEGISLATIVE HISTORY
S. 174 was introduced by Senators King, Risch, Heinrich,
Collins, and Crapo on January 17, 2019.
Companion legislation, H.R. 680, was introduced in the
House of Representatives by Representatives Ruppersberger and
Carter, on January 17, 2019, and referred to the Committee on
Science, Space, and Technology.
In the 115th Congress, Senators King, Risch, Heinrich,
Collins, and Crapo introduced similar legislation, S. 79, on
January 10, 2017. The Subcommittee on Energy held a hearing on
S. 79 on March 28, 2017 (S. Hrg. 115-262). The Committee on
Energy and Natural Resources met in open business session on
March 8, 2018, and ordered S. 79 favorably reported, as amended
(S. Rept. 115-246). The Senate passed S. 79, with the committee
amendment, on December 28, 2018, by voice vote.
In the 114th Congress, Senators King, Risch, Collins, and
Heinrich introduced similar legislation, S. 3018, on June 6,
2016. The Subcommittee on Energy held a hearing on S. 3018 on
July 12, 2016 (S. Hrg. 114-505).
The Senate Committee on Energy and Natural Resources met in
open business session on July 16, 2019, and ordered S. 174
favorably reported, as amended.
COMMITTEE RECOMMENDATION
The Senate Committee on Energy and Natural Resources, in
open business session on July 16, 2019, by a majority voice
vote of a quorum present, recommends that the Senate pass S.
174, if amended as described herein.
COMMITTEE AMENDMENT
During its consideration of S. 174, the Committee adopted
an amendment. The amendment modifies the definition of a
covered entity to mean owners and operators of critical
infrastructure described in section 9(c) of Executive Order
13636 issued on February 12, 2013 (78 Fed. Reg. 11742).
SECTION-BY-SECTION ANALYSIS
Section 1. Short title
Section 1 sets forth a short title.
Sec. 2. Definitions
Section 2 defines key terms.
Sec. 3. Pilot program for securing energy infrastructure
Section 3 requires the Secretary of Energy (Secretary) to
establish a two-year pilot program within the national
laboratories for the purpose of partnering with covered
entities in the energy sector that voluntarily participate in
the program and evaluating technology and standards to isolate
and defend industrial control systems.
Sec. 4. Working group to evaluate program standards and develop
strategy
Section 4(a) directs the Secretary to establish a working
group to evaluate the technology and the standards to be used
in the pilot program and to develop a cyber-informed
engineering strategy.
Subsection (b) sets forth requirements for membership to
the working group.
Sec. 5. Reports on the program
Section 5(a) requires the Secretary to submit an interim
report to appropriate Congressional committees not later than
180 days after funds are first disbursed for the program.
Subsection (b) requires the Secretary to submit a final
report to appropriate Congressional committees not later than
two years after funds are first disbursed for the program.
Sec. 6. Exemption from disclosure
Section 6 exempts information shared by or with the Federal
Government or a State, Tribal, or local government from
disclosure under Federal, State, Tribal, or local freedom of
information laws.
Sec. 7. Protection from liability
Section 7(a) protects covered entities from a cause of
action for engaging in voluntary activities authorized by this
measure.
Subsection (b) provides liability protections for covered
entities for engaging in voluntary activities authorized by
this measure.
Sec. 8. No new regulatory authority for federal agencies
Section 8 provides that nothing in the bill authorizes the
Secretary or the head of any other Federal department or agency
to issue new regulations.
Sec. 9. Authorization of appropriations
Section 9(a) authorizes $10 million to carry out section 3.
Subsection (b) authorizes $1.5 million to carry out
sections 4 and 5.
Subsection (c) makes the funds authorized under (a) and (b)
available until expended.
COST AND BUDGETARY CONSIDERATIONS
The following estimate of the costs of this measure has
been provided by the Congressional Budget Office:
S. 174 would authorize the appropriation of $10 million for
the Department of Energy (DOE) to carry out a pilot program to
identify security weaknesses in critical infrastructure (for
example, power generation, transmission, and distribution
systems) that could result in debilitating effects on national
security, economic security, public health, or safety. DOE, in
partnership with participating owners and operators of such
infrastructure, would evaluate technologies and standards that
could be used to defend those assets.
The bill also would authorize the appropriation of $1.5
million for DOE to establish a working group to evaluate the
technologies and standards examined in the pilot program. The
working group also would be required to develop a national
engineering strategy to be used to protect the nation's
critical infrastructure from security vulnerabilities.
On the basis of historical spending patterns, CBO estimates
that implementing the bill would cost $11.5 million over the
2020-2024 period, subject to appropriation of the specified
amounts.
S. 174 would impose an intergovernmental mandate, as
defined in the Unfunded Mandates Reform Act (UMRA), on state,
local, and tribal governments. The bill would preempt state and
local laws that would otherwise require governmental agencies
participating in the pilot program to disclose information
about their activities, such as sharing cybersecurity
information. Although the preemption would limit the
application of state and local laws, CBO estimates that it
would impose no duty on state or local governments that would
result in additional spending or a loss of revenues.
S. 174 contains no private-sector mandates as defined in
UMRA.
The CBO staff contacts for this estimate are William Ma
(for federal costs) and Brandon Lever (for mandates). The
estimate was reviewed by Leo Lex, Deputy Assistant Director for
Budget Analysis.
REGULATORY IMPACT EVALUATION
In compliance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee makes the following
evaluation of the regulatory impact which would be incurred in
carrying out S. 174. The bill is not a regulatory measure in
the sense of imposing Government-established standards or
significant economic responsibilities on private individuals
and businesses.
No personal information would be collected in administering
the program. Therefore, there would be no impact on personal
privacy.
Little, if any, additional paperwork would result from the
enactment of S. 174, as ordered reported.
CONGRESSIONALLY DIRECTED SPENDING
S. 174, as ordered reported, does not contain any
congressionally directed spending items, limited tax benefits,
or limited tariff benefits as defined in rule XLIV of the
Standing Rules of the Senate.
EXECUTIVE COMMUNICATIONS
The testimony provided by the Department of Energy at the
March 28, 2017, hearing on S. 79, similar legislation to S.
174, follows:
Written Testimony of Acting Assistant Secretary Patricia Hoffman,
Office of Electricity Delivery and Energy Reliability, U.S. Department
of Energy
Chairman Gardner and Ranking Member Manchin, and Members of
the Subcommittee, thank you for continuing to highlight the
importance of a resilient electric power grid and for the
opportunity to provide the initial views of the Department of
Energy (DOE) on S. 79, the Securing Energy Infrastructure Act.
DOE supports the goals of S. 79, which are consistent with the
Department's ongoing role in helping to ensure a resilient,
reliable, and flexible electricity system in an increasingly
challenging environment. DOE would like to work with the
sponsor and this Committee to offer additional input on the
bill as discussed later in this testimony.
Our economy, national security, and even the well-being of
our citizens depend on the reliable delivery of electricity. I
know the Secretary is personally engaged in the cybersecurity
issues facing the energy sector. Under his leadership, the
Department's role in cybersecurity is a very high priority. The
mission of the Office of Electricity Delivery and Energy
Reliability (DOE-OE) is to strengthen, transform, and improve
energy infrastructure to ensure access to reliable and secure
sources of energy. We are committed to working with our public
and private sector partners to protect the Nation's critical
energy infrastructure, including the electric power grid, from
physical security events, natural and man-made disasters, and
cybersecurity breaches.
Over the past decade, the Nation's energy infrastructure
has become a major target of cyberattacks. The frequency,
scale, and sophistication of cyber threats have increased and
attacks have become easier to launch. Cyber incidents have the
potential to interrupt energy services, damage highly
specialized equipment, and threaten human health and safety. As
a result, energy cybersecurity and resilience has emerged as
one of the Nation's most important security challenges and
fostering partnerships with public and private stakeholders
will be of utmost importance in this work.
Importance of cybersecurity for energy systems
Initial thoughts of cybersecurity often turn to computer
servers and desktops, information technology (IT). Hackers
target computing technology and business applications to cause
disruptions--obtaining access to email accounts and personal
information, data exfiltration to be released to the world at
large. The energy sector is not immune to such attacks.
In the 2012 Shamoon attack, weaponized malware hit 15 state
bodies and private companies in Saudi Arabia, wiping more than
35,000 hard drives of Saudi Aramco, from which the company took
more than two weeks to recover. And again in January of this
year, Shamoon 2 hit three state agencies and four private
sector companies in Saudi Arabia, leaving them offline for at
least 48 hours.
These cyberattacks affect not only business systems, but
can also target the operating technology of energy delivery
systems and other critical infrastructure as well. Electric
utilities, oil and natural gas providers, hydro and nuclear
facilities, along with financial, water, communications,
transportation, and healthcare sectors are prime targets for
cyber-attacks. The disruption of any one of these is not only
inherently problematic, it also hampers the ability to respond
to any type of emergency event.
In December 2015, the first known successful cyber-attack
on a power grid took place in Ukraine. Over 225,000 residents
were left without power for several hours in the coordinated
attack, and a second attack occurred in December 2016 that left
portions of Kiev without electricity. Domestically, the 2013
cyber-attack on the Bowman Dam in Rye, New York illustrated the
multitude of targets available to and being surveilled by
hackers.
The ecosystem of resilience
To address these challenges, it is critical for us to be
proactive and cultivate what I call an ecosystem of resilience:
a network of producers, distributors, regulators, vendors, and
public partners, acting together to strengthen our ability to
prepare, respond, and recover. We continue to partner with
industry, Federal agencies, local governments, and other
stakeholders to quickly identify threats, develop in-depth
strategies to mitigate those threats, and rapidly respond to
any disruptions. The DOE National Laboratories have been the
keystone in many endeavors to address new and existing
cybersecurity concerns.
Importance of partnerships
The U.S. Department of Energy has collaborated with the
energy sector for nearly two decades in voluntary
public-private partnerships that engage energy owners and operators at
all levels--technical, operational, and executive, along with
state and local governments--to identify and mitigate physical
and cyber risks to energy systems.
These partnerships are built on a foundation of earned
trust that promotes the mutual exchange of information and
resources to improve the security and resilience of critical
energy infrastructures. These relationships acknowledge the
special security challenges of energy delivery systems and
leverage the distinct technical expertise within industry and
government to develop solutions.
The security and integrity of energy infrastructure is both
a state and Federal government concern because energy underpins
the operations of every other type of critical infrastructure;
the economy; and public health and safety. The owners and
operators of energy infrastructure, however, have the primary
responsibility for the full spectrum of cybersecurity risk
management: identify assets, protect critical systems, detect
incidents, respond to incidents, and recover to normal
operations.
The first responder when the lights go out or gasoline
stops flowing in the pipelines is not immediately the state or
Federal Government; rather, it is industry. This is why
public-private partnerships regarding cybersecurity are paramount--
they recognize the distinct roles and capabilities of industry
and government in managing our critical energy infrastructure
risks.
Two of those partnerships are the Electricity Subsector
Coordinating Council and the Oil and Natural Gas Subsector
Coordinating Council, extremely strong partnerships in which
DOE-OE is engaged. Each serves as a primary conduit between
industry and the government to prepare for, and respond to,
national-level disasters or threats to critical infrastructure.
Through these relationships, cybersecurity issues can be
addressed more completely and with multiple stakeholder input.
DOE authority in cybersecurity
DOE's role in energy sector cybersecurity is established in
statute and executive action. In 2015, through the Fixing
America's Surface Transportation Act (FAST Act), Congress
assigned DOE as the lead Sector-Specific Agency (SSA) for
cybersecurity for the energy sector, building upon previous
Presidential Policy Directives (PPD). PPD-41, issued in July
2016, further clarified the role of DOE as a SSA during a
significant cyber incident.
The FAST Act also gave the Secretary of Energy new
authority, upon declaration of a Grid Security Emergency by the
President, to issue emergency orders to protect or restore
critical electric infrastructure or defense critical electric
infrastructure. This authority allows DOE to respond as needed
to the threat of cyber and physical attacks on the grid. DOE is
developing a proposed rule of procedure regarding this new
authority.
While the private sector is responsible for all aspects of
cybersecurity risk management of their energy systems, DOE and
the Federal government play critical roles in supporting
industry functions in several ways: providing partnership
mechanisms that support collaboration and trust; developing
supportive policies that encourage voluntary cybersecurity in
the energy sector; developing tools and capabilities to conduct
risk analysis; leveraging government capabilities to gather
intelligence on threats and vulnerabilities, and share
actionable intelligence with energy owners and operators in a
timely manner; supporting energy sector incident coordination
and response; facilitating the development of cybersecurity
standards; and, promoting and supporting innovation and R&D for
next-generation physical-cyber systems.
DOE's research and development activities in cybersecurity and
resilience through the National Laboratories
Intentional, malicious challenges to our energy systems are
on the rise and we are seeing threats continually increase in
number and sophistication. This evolution has profound impacts
on the energy sector.
Cybersecurity for energy control systems is much different
than typical IT systems. Power systems must operate
continuously with high reliability and availability. Upgrades
and patches can be difficult and time consuming, with
components dispersed over wide geographic regions. Further,
many assets are in publicly accessible areas where they can be
subject to physical tampering. Real time operations are
imperative and latency is unacceptable for many applications.
Immediate emergency response capability is mandatory and active
scanning of the network can be difficult. As a result, our
National Laboratories conduct cybersecurity R&D taking into
account these systemic characteristics.
DOE-OE's Cybersecurity for Energy Delivery Systems (CEDS)
R&D program aligns activities with Federal and private sector
priorities, envisioning resilient energy delivery control
systems designed, installed, operated, and maintained to
survive a cyber incident while sustaining critical functions.
The CEDS R&D program is designed to assist the energy
sector asset owners by developing cybersecurity solutions for
energy delivery systems through a focused research and
development effort. DOE-OE co-funds projects with industry
partners to make advances in cybersecurity capabilities for
energy delivery systems. These research partnerships are
helping to detect, prevent, and mitigate the consequences of a
cyber-incident for our present and future energy delivery
systems.
Since 2010, DOE-OE has invested more than $210 million in
cybersecurity research, development, and demonstration projects
that are led by industry, universities, and the National
Laboratories. These investments have resulted in more than 35
new tools and technologies that are now being used to further
advance the resilience of the Nation's energy delivery systems.
Through all of these R&D efforts, our National Laboratories
have been--and continue to be--heavily engaged in their own
efforts and in partnerships with academia and industry
stakeholders. The following are examples of the types of
cybersecurity advancements currently pursued at our National
Laboratories, building off of successful cybersecurity tools
and technologies already developed:
Argonne National Laboratory is currently working
on a resilient self-healing cybersecurity framework for the
power grid that will leverage Wide-Area Monitoring, Protection,
and Control to prevent and mitigate cyber-attacks. The project
will develop tools to prevent and mitigate cyber-attacks and
enhance the resilience of the bulk power system.
Argonne is also working on a cloud and outsourcing
security framework for power grid applications as well as
cybersecurity for distributed energy resources (DER). This
project will help ensure that implementation of cloud-based
architecture and DER in the energy sector are deployed with
security built-in to maintain resilience during cyber-attacks.
An online tool being developed by Brookhaven
National Laboratory will help utilities to detect, mitigate,
and evaluate the potential impact of various cyberattack
scenarios to reduce the risk that malicious compromise of
essential forecasting data used for grid scheduling and
operation might result in disruption of energy delivery.
The Validation and Measuring Automated Response
Project led by the Idaho National Laboratory is providing a
cyber-incident response comparison capability and enabling
industry to work towards an automated response capability to a
cyber-incident and measuring the efficacy of automated response
to drive future improvements.
Lawrence Berkeley National Laboratory has an
effort underway utilizing real-time micro-synchrophasor
measurements and other telemetry in the distribution system to
enhance identification and detection of current and future
cybersecurity vulnerabilities in the power distribution grid to
provide a more reliable, robust, scalable, and cost-effective
means of detecting cyber-attack scenarios compared to
traditional approaches.
Pacific Northwest National Laboratory is
developing visualizations that power system operators and/or
cybersecurity professionals can use to make fast, accurate
assessments of situations, enabling them to maintain situation
awareness during unfolding events. The visualization tool will
reduce the burden on the operators and enable them to make
faster decisions and maintain cybersecurity situational
awareness.
Pacific Northwest National Laboratory is also
working on a project evaluating existing Live Analysis
monitoring and detection tools for energy delivery systems use.
The research seeks to develop a tool that could provide
evidence of anomalous cyber behavior on a live energy delivery
system without interrupting energy delivery.
The Artificial Diversity and Defense Security
(ADDSec) project at Sandia National Laboratory is developing
defensive technologies that randomly and automatically
reconfigure energy delivery operational network parameters
moment-by-moment to impede reconnaissance and cyber-attack
planning. ADDSec will increase the security of both legacy and
modern energy delivery systems by converting these
traditionally static systems into moving targets.
``Sophia'' is a tool researched and developed by
the Idaho National Laboratory (INL) that enhances continuous
situational awareness of energy delivery control system
communications and helps detect potential cybersecurity
concerns. The technology helps strengthen the cybersecurity of
our Nation's energy infrastructure today and of note is the
fact INL successfully transitioned this technology to
commercial use through a licensing agreement.
Similarly, Oak Ridge National Laboratory licensed
the developed ``Hyperion'' software technology. This software
can quickly recognize malicious code even if the specific
program has not been previously identified as a threat and
before it has a chance to execute.
Also in the process of transitioning to
commercialization is Sandia National Laboratory's ``CodeSeal.''
CodeSeal is a cryptographically secure code obfuscation
technology that prevents reverse engineering, or malicious
modification of energy delivery system code, even if that code
is executed on a compromised system.
S. 79
The U.S. Department of Energy is tremendously proud of the
role our National Laboratories have played in the advancement
of cybersecurity technologies for our Nation's energy
infrastructure. We also appreciate the opportunity to provide
technical assistance on S. 79. It appears that the intent of
the legislation is to strengthen our cybersecurity posture by
directing the National Laboratories to undertake a study of the
systems most critical to national security and to the grid.
In considering the legislation, DOE notes that many energy
sector entities already conduct such assessments to comply with
mandatory Critical Infrastructure Protection standards set by
the Federal Energy Regulatory Commission and the North American
Electric Reliability Corporation or as part of their due
diligence in ensuring their system is reliable and capable of
providing uninterrupted service in the face of today's evolving
cyber threat landscape.
Conclusion
Cyber threats to the energy sector continue to evolve, and
DOE is working diligently to stay ahead of the curve. The
solution is an ecosystem of resilience that works in
partnership with local, state, and industry stakeholders to
help provide the methods, strategies, and tools needed to help
protect the Nation's energy infrastructure through increased
resilience and flexibility.
One of the cornerstones to this ecosystem of resilience is
the DOE National Laboratories and the significant contributions
they provide through their cybersecurity technology
advancements. Building an ecosystem of resilience is--by
definition--a shared endeavor, and keeping a focus on
partnerships remains an imperative. DOE will continue its years
of work fostering these relationships and investing in
technologies to enhance resilience and security, ensuring the
electric power grid continues to be able to withstand and
recover quickly from disasters and attacks.
CHANGES IN EXISTING LAW
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, the Committee notes that no
changes in existing law are made by the bill as ordered
reported.