H. R. 4120
IN THE HOUSE OF REPRESENTATIVES
October 25, 2017
Mr. Bera (for himself, Ms. Eddie Bernice Johnson of Texas, Mr. Lipinski, Ms. Bonamici, and Ms. Rosen) introduced the following bill; which was referred to the Committee on Science, Space, and Technology, and in addition to the Committees on Homeland Security, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
To provide for a comprehensive interdisciplinary research and development initiative to strengthen the capacity of the electricity sector to neutralize cyber attacks.
This Act may be cited as the Grid Cybersecurity Research and Development Act.
Congress finds the following:
The Nation, and every other critical infrastructure sector, depends on reliable electricity.
Industrial control systems used in the electricity sector are essential to maintain reliable operations of the electric grid.
The cybersecurity threat landscape is constantly changing and attacker capabilities are advancing rapidly, requiring ongoing modifications, advancements, and investments in technologies and procedures to maintain security.
There are substantial and important differences between cybersecurity approaches needed to protect information technology systems and industrial control systems.
It is in the national interest for Federal agencies to invest in industrial control system cybersecurity research that facilitates private sector investment and the ability of the private sector to develop cybersecurity tools and products for control systems.
The number of elements connecting to the electric grid is increasing, and designing cybersecurity into communication, data, and control systems when they are built is more effective than modifying products after installation to meet cybersecurity goals.
An understanding of human factors can be leveraged to understand the behavior of cyber threat actors, develop strategies to counter threat actors, improve industrial control system cybersecurity training programs, optimize the design of human-machine interfaces and cybersecurity tools, and increase the capacity of the electrical sector workforce to prevent attacks from gaining entry to industrial control systems.
In this Act:
Critical electric infrastructure information
The term critical electric infrastructure information has the meaning given that term in section 215A(a)(3) of the Federal Power Act (16 U.S.C. 824a–1(a)(3)).
The term cybersecurity means a set of preventative measures to protect information from a digital device or system, including a device or system used to manage the electric grid, from being stolen, compromised, or used to carry out an attack.
Electricity Subsector Coordinating Council
The term Electricity Subsector Coordinating Council means the self-organized, self-governed council consisting of senior industry representatives to serve as the principal liaison between the Federal Government and the electric power sector and to carry out the role of the Sector Coordinating Council as established in the National Infrastructure Protection Plan for the electricity subsector.
Energy Sector Government Coordinating Council
The term Energy Sector Government Coordinating Council means the council consisting of representatives from relevant Federal Government agencies to provide effective coordination of energy sector efforts to ensure a secure, reliable, and resilient energy infrastructure and to carry out the role of the Government Coordinating Council as established in the National Infrastructure Protection Plan for the energy sector.
Human factors research
The term human factors research means research on human performance in social and physical environments, and on the integration of humans with physical systems and computer hardware and software.
The term human-machine interfaces means technologies that present information to an operator about the state of a process or system, or accept human instructions to implement an action, including visualization displays such as a graphical user interface.
The term Secretary means the Secretary of Energy.
The term transient devices means removable media, including floppy disks, compact disks, USB flash drives, external hard drives, mobile devices, and other devices that utilize wireless connections for limited periods of time.
Electricity sector cybersecurity research, development, and demonstration program
The Secretary, in coordination with appropriate Federal agencies, the Electricity Subsector Coordinating Council, State, tribal, local, and territorial governments, private sector vendors, and other relevant stakeholders, shall carry out a research, development, and demonstration initiative to harden and mitigate the electric grid from the consequences of cyber attacks by increasing the cybersecurity capabilities of the electricity sector and accelerating the development of cybersecurity technologies and tools.
Department of Energy
As part of the initiative described in subsection (a), the Secretary shall carry out activities to—
identify cybersecurity risks to the communication and control systems within, and impacting, the electricity sector;
develop methods and tools to rapidly detect cyber intruders and cyber incidents, including the use of data analytics techniques to validate and verify system behavior using multiple data streams reflecting the state of the system;
assess emerging energy technology cybersecurity capabilities, and integrate cybersecurity features and protocols into the design, development, and deployment of emerging technologies, including renewable energy technologies;
develop secure industrial control system protocols and identify vulnerabilities in existing protocols;
work with manufacturers to build or retrofit security features and protocols into—
communication and network systems and management processes;
industrial control and energy management system devices, components, software, firmware, and hardware, including distributed control and management systems and building management systems;
data storage systems and data management and analysis processes;
generation, transmission, distribution, and energy storage technologies;
automated and manually controlled devices and equipment for monitoring or managing frequency, voltage, and current;
technologies used to synchronize time and develop guidance for operational contingency plans when time synchronization technologies are compromised;
end user elements that connect to the grid, including—
meters, synchrophasors, and other sensors;
distribution automation technologies, smart inverters, and other grid control technologies;
distributed generation and energy storage technologies;
demand response technologies;
home and building energy control systems;
electric and plug-in hybrid vehicles; and
other relevant devices, software, firmware, hardware, and distributed energy technologies; and
the supply chain of electric grid management system components;
improve the physical security of communication technologies and industrial control systems, including remote assets;
integrate human factors research into the design and development of advanced tools and processes for dynamic monitoring, detection, protection, mitigation, and response;
advance the capabilities and use of relevant interdisciplinary mathematical and computer simulation modeling and analysis methods;
evaluate and understand the potential consequences of practices used to maintain the cybersecurity of information technology systems on the cybersecurity of industrial control systems;
increase access to and the capabilities of existing cybersecurity test beds to simulate impacts of cyber attacks on industrial control system devices, components, software, and hardware; and
reduce the cost of implementing effective cybersecurity technologies and tools in the electricity sector.
National Science Foundation
The National Science Foundation shall—
support fundamental research to advance cybersecurity applications, technologies, and tools for industrial control systems, including incorporating interdisciplinary research in—
evolutionary systems, theories, mathematics, and models;
economic and financial theories, mathematics, and models; and
big data analytical methods, mathematics, computer coding, and algorithms; and
support education and training for the industrial control system cybersecurity workforce, including through the Advanced Technological Education program, graduate research fellowships, and other appropriate programs.
Department of Homeland Security Science and Technology Directorate
The Science and Technology Directorate of the Department of Homeland Security, in collaboration with the Department of Energy, experts in the private sector with the necessary clearances, and other relevant stakeholders, shall assess existing cybersecurity technologies and tools used in the defense industry and—
identify technologies and tools that could be applied to meeting evolving civilian energy sector cybersecurity needs;
develop a research strategy that incorporates human factors research findings to guide the modification of defense industry cybersecurity tools for use in the civilian sector;
develop a strategy to accelerate efforts to bring modified defense industry cybersecurity tools to the civilian market; and
carry out other activities the Secretary of Homeland Security considers appropriate to meet the goals of this subsection.
Technical standards and guidance documents for electricity sector cybersecurity research
The Secretary, in coordination with appropriate Federal agencies, the Electricity Subsector Coordinating Council, standards development organizations, State, tribal, local, and territorial governments, private sector vendors, and other relevant stakeholders, shall coordinate the development of guidance documents for research and demonstration activities to improve the cybersecurity capabilities of the electricity sector through participating agencies. As part of these activities, the Secretary shall—
facilitate stakeholder involvement to update—
the Roadmap to Achieve Energy Delivery Systems Cybersecurity (published in September 2011);
the Cybersecurity Procurement Language for Energy Delivery Systems (published by the Energy Sector Control Systems Working Group in April 2014), including developing guidance for—
contracting with third parties to conduct vulnerability testing for industrial control systems;
contracting with third parties that will utilize transient devices to access industrial control or information technology systems; and
managing supply chain risks; and
the Electricity Subsector Cybersecurity Capability Maturity Model (published by the Department of Energy in February 2014), including the development of—
metrics to measure changes in cybersecurity capabilities and assess the potential for metrics to drive unexpected behavioral changes that would reduce security; and
an analysis of incentive mechanisms and their potential to increase investments in cybersecurity;
develop voluntary guidance to improve forensic analyses capabilities, including—
developing standardized terminology and monitoring processes;
identifying minimum data needed; and
utilizing human factors research to develop more effective procedures for logging incident events; and
work with the National Science Foundation, Department of Homeland Security, National Institute of Standards and Technology, and stakeholders to develop a mechanism to anonymize, aggregate, and share the testing results from cybersecurity industrial control system test beds to facilitate technology improvements by public and private sector researchers.
Critical electric infrastructure information
Information provided to Federal agencies for the purposes of carrying out subsection (a) shall be considered critical electric infrastructure information and provided the protections established in section 10.
The Secretary, in collaboration with the Director of the National Institute of Standards and Technology and other appropriate Federal agencies, shall convene relevant stakeholders and facilitate the development of—
voluntary, consensus-based technical standards to improve cybersecurity for—
emerging energy technologies;
distributed generation and storage technologies, and other distributed energy resources;
electric vehicles; and
other technologies and devices that connect to the electric grid that can affect voltage stability;
recommended cybersecurity features and requirements that can be used by the private sector to design and build interoperable cybersecurity features into—
devices and components;
software and hardware; and
other technologies that connect to the electric grid; and
voluntary standards for test beds and test bed methodologies that will enable reproducible testing of industrial control system devices, components, software, and hardware across test beds.
Subsection (c) shall not be construed to authorize regulatory actions that would duplicate or conflict with regulatory requirements, mandatory standards, or related processes under any other provision of Federal law.
Vulnerability testing and technical assistance to increase cyberresilience
The Secretary shall—
collaborate with electricity sector asset owners and operators in the private sector, leveraging the research facilities and expertise of the National Laboratories, to—
utilize a range of methods, including voluntary vulnerability testing and red team-blue team exercises, to identify vulnerabilities in physical and cyber systems;
develop cybersecurity risk assessment tools and provide confidential analyses and recommendations to participating stakeholders;
work with stakeholders to develop methods to share anonymized and aggregated results in a format that enables the electricity sector, researchers, and the private sector to advance cybersecurity efforts, technologies, and tools; and
leverage the unique strengths and expertise of the National Laboratories and Federal agencies;
collaborate with relevant stakeholders to—
identify information, research, staff training, and analysis tools needed to evaluate industrial control system cybersecurity issues and challenges in the electricity sector; and
facilitate the sharing of information and the development of tools identified under subparagraph (A);
collaborate with and support electricity sector trade organizations and their research agencies to improve the cybersecurity of industrial control systems used by members and stakeholders; and
collaborate with tribal governments to—
identify information, research, and analysis tools needed by tribal governments to increase the industrial control system cybersecurity of electricity assets within their jurisdiction; and
facilitate the sharing of information and the development of tools needed to ensure the cybersecurity of tribal electricity assets and systems.
Critical electric infrastructure information
Information provided to Federal agencies for the purposes of carrying out subsection (a)(1)(C) shall be considered critical electric infrastructure information and provided the protections established in section 10.
Education and workforce training research and standards
Department of Energy
The Secretary shall—
utilize human factors research and other methods to identify core skills used by electricity sector industrial control systems cybersecurity professionals; and
develop assessment methods and tools to identify existing personnel that show competence in the core skills identified under paragraph (1).
National Institute of Standards and Technology
The Director of the National Institute of Standards and Technology shall—
develop voluntary, innovative industrial control systems cybersecurity training and retraining standards, lessons, and recommendations for the electricity sector that minimize duplication of cybersecurity compliance training programs; and
maintain a public database of industrial control systems cybersecurity education, training, and certification programs.
Interagency coordination and Strategic Plan for electricity sector cybersecurity research
The Energy Sector Government Coordinating Council shall—
review the most recent version of the Roadmap to Achieve Energy Delivery Systems Cybersecurity and identify crosscutting energy grid cybersecurity research needs and opportunities for collaboration among Federal agencies and between Federal agencies and other relevant stakeholders;
identify interdisciplinary research, technology, and tools that can be applied to industrial control system cybersecurity challenges in the electricity sector;
identify technology transfer opportunities to accelerate the development and commercial application of novel industrial control system cybersecurity technologies, systems, and processes; and
develop a coordinated Interagency Strategic Plan to advance cybersecurity capabilities for industrial control systems used in the electricity sector that builds on the Roadmap to Achieve Energy Delivery Systems in Cybersecurity.
The Interagency Strategic Plan developed under subsection (a)(4) shall be submitted to Congress within 12 months after the date of enactment of this Act.
The Interagency Strategic Plan shall include—
an analysis of how existing cybersecurity research efforts conducted by member agencies are coordinated and can complement and advance the goals of the Roadmap to Achieve Energy Delivery Systems Cybersecurity;
recommendations for prioritized research efforts that could contribute to advancing the cybersecurity of electricity sector industrial control systems;
a description of how existing and proposed public and private sector research efforts address the topics described in paragraph (3); and
a description of needed support for workforce training in this area.
In developing the Interagency Strategic Plan, the Energy Sector Government Coordinating Council shall consider—
opportunities for human factors research to improve the design and effectiveness of cybersecurity devices, technologies, tools, processes, and training programs;
contributions of other disciplines to the development of innovative cybersecurity protocols, devices, components, technologies, and tools;
opportunities for Small Business Innovation Research (SBIR) and other technology transfer programs to facilitate private sector development of industrial control system cybersecurity protocols, devices, components, technologies, and tools;
broader applications of the work done by relevant Federal agencies to advance the cybersecurity of industrial control systems used by other sectors; and
activities called for in the Federal cybersecurity research and development strategic plan required by section 201(a)(1) of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7431(a)(1)).
For the purposes of carrying out this section, the Energy Sector Government Coordinating Council shall include representatives from Federal agencies with expertise in industrial control systems cybersecurity, information technology cybersecurity, cyber physical systems, engineering, human factors research, human-machine interfaces, high performance computing, big data and data analytics, or other disciplines considered appropriate by the Council Chair. The Chair shall consider including at least one employee designated by the head of each of the following agencies:
In the Department of Energy—
the Office of Electricity Delivery and Energy Reliability;
the Office of Science’s Advanced Scientific Computing Research program;
the Office of Small Business Innovation Research/Small Business Technology Transfer programs;
the Office of Technology Transitions; and
other offices considered appropriate by the Secretary.
The National Science Foundation.
The Department of Homeland Security’s Science and Technology Directorate.
The National Institute of Standards and Technology.
The National Aeronautics and Space Administration’s Human Research Program.
The Office of Science and Technology Policy.
The Federal Energy Regulatory Commission.
Reports to Congress
Identification of common factors in cyber attacks
The Secretary, in collaboration with the Secretary of Homeland Security, other appropriate Federal agencies, and energy sector stakeholders, shall conduct a study to analyze cyber attacks on electricity sector industrial control systems and identify cost-effective opportunities to improve cybersecurity.
Critical electric infrastructure information
Incident data provided to Federal agencies for the purposes of carrying out this subsection shall be considered critical electric infrastructure information and provided the protections established in section 10.
The study shall—
summarize cyber incident data provided to the Secretary by relevant Federal agencies and energy sector stakeholders;
analyze processes, operational procedures, and other factors common among cyber attacks;
identify the points where human behavior played a critical role in maintaining or compromising the security of the system;
changes to the design of devices, human-machine interfaces, technologies, and tools to optimize security that do not require a change in human behavior;
changes to processes or operational procedures that do not require a change in human behavior; and
training techniques to increase the capacity of employees to actively identify, prevent, or neutralize the impact of cyber attacks; and
evaluate existing engineering and technical design criteria and guidelines that incorporate human factors research findings, and recommend criteria and guidelines for industrial control system cybersecurity tools that can be used to develop procurement guidance, including guidance for alarms, displays, and layouts.
In conducting the study, the Secretary shall consult with electricity sector stakeholders, professionals with expertise in human factors research, private sector industrial control system vendors, and other relevant parties.
Not later than 24 months after the date of enactment of this Act, the Secretary shall submit to the Committee on Science, Space, and Technology of the House of Representatives and the Committee on Energy and Natural Resources of the Senate a report on the results of the study, including the findings of the Secretary on each of the items described in paragraph (3).
Balancing risks, security, and modernization of industrial systems
The Secretary, in collaboration with the National Institute of Standards and Technology, other Federal agencies, and electricity sector stakeholders, shall examine the risks associated with increasing penetration of digital technologies in operational networks.
The study shall—
evaluate the relative qualitative risks and benefits of various design and architecture options for electricity sector industrial control systems, including consideration of—
designs that include both digital and analog control devices and technologies;
different communication technologies used to move information and data between control system devices, technologies, and system operators;
automated and human-in-the-loop devices and technologies;
programmable versus nonprogrammable devices and technologies; and
increased redundancy using dissimilar cybersecurity technologies;
recommend methods or metrics to document changes in risks associated with system designs and architectures;
provide recommendations for research, development, demonstration, and commercial application activities to address issues raised in subparagraphs (A) and (B); and
recommend guidance to minimize overall system risks.
In conducting the study, the Secretary shall consult with electricity sector stakeholders, academic and private sector researchers, private sector industrial control system vendors, and other relevant parties.
Not later than 24 months after the date of enactment of this Act, the Secretary shall submit to the Committee on Science, Space, and Technology of the House of Representatives and the Committee on Energy and Natural Resources of the Senate a report on the results of the study, including the findings of the Secretary on each of the items described in paragraph (2).
Protection of critical electric infrastructure information
Any Federal agency that produces information or has information made available to it in the course of carrying out this Act shall determine whether to designate any such information as critical electric infrastructure information. Critical electric infrastructure information—
shall be exempt from disclosure under section 552(b)(3) of title 5, United States Code; and
shall not be made available by any Federal, State, political subdivision, or tribal authority pursuant to any Federal, State, political subdivision, or tribal law requiring public disclosure of information or records.
Authorization of appropriations
There are authorized to be appropriated to the Secretary to carry out this Act—
$65,000,000 for fiscal year 2018;
$68,250,000 for fiscal year 2019;
$71,662,500 for fiscal year 2020;
$75,245,625 for fiscal year 2021; and
$79,007,906 for fiscal year 2022.