Aiming to identify, enhance, and test supply chain vulnerabilities in the energy sector and cybersecurity response capabilities between public and private sectors, the U.S. Senate Committee on Energy & Natural Resources approved legislation that directs the Department of Energy (DoE) to create several new programs towards the development of “advanced cybersecurity applications and technologies” for the sector.[1] The Energy Cybersecurity Act of 2019 (the Act) directs DoE to establish programs that identify supply chain vulnerabilities and expand Federal cooperation and coordination for responses to cyber threats.
If passed, the Act will require the DoE to:
- Establish a program to enhance advanced energy sector cybersecurity technologies and applications by leveraging electric grid architecture to assess potential risks to critical infrastructure and security preparedness. The DoE is instructed to advance the security of field devices and third-party control systems, evaluate whether the systems are implicated in the generation, transmission, and distribution of energy and determine best practices for forensic analysis of infected systems and secure communications.
- Establish a program to test and identify potential vulnerabilities to the energy sector, including supply chain components, which would allow DoE to oversee third-party testing of the energy sector’s cybersecurity measures and directs the agency to develop procurement guidelines for supply chain components.
- Establish a program that provides operational support to the energy sector for cybersecurity resilience. The Act notes that the program should enhance and test emergency response capabilities, expand cooperation between DoE and the intelligence community, enhance existing tools such as the Electricity Information Sharing and Analysis Center (E-ISAC), and provide technical assistance to small stakeholders to assess their cybersecurity.
- Develop an advanced energy security program that (1) identifies vulnerabilities and provides modeling to predict potential impacts to the energy sector; (2) develops physical and cybersecurity models; (3) conducts exercise to mitigate vulnerabilities; (4) researches electrical grid components that may be susceptible to cybersecurity threats; and (5) provides technical assistance to States and other entities that will promote the development of industry-wide standards and risk analyses. This program should evaluate how applications and technologies will mitigate vulnerabilities; for example, DoE should consider potential dependencies on other critical infrastructure and impacts from weather and fuel supply interruptions.
- In consultation with the Federal Energy Regulatory Commission (FERC), develop and conduct a study within 180 days of the bill’s enactment to evaluate management structures and funding mechanisms that will encourage industry stakeholders to participate in E-ISAC.
The Act authorizes appropriations for DoE to implement these programs.
Although the bill has been passed out of committee, it is unclear if and when the bill will be brought to the floor for a vote. If passed, the Act would take effect 90 days after enactment.
[1] S. 2333, Energy Cybersecurity Act of 2019, available at https://www.congress.gov/bill/116th-congress/senate-bill/2333.