A bipartisan group of senators this week introduced new legislation that would require the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in bulk power systems. The move comes in response to increased cybersecurity threats facing electric grid infrastructure. The bipartisan introduction suggests that the legislation will clear the Senate quite quickly, amid the heightened cybersecurity concerns.
The bill, titled ‘S.2199 – A bill to require the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes,’ also seeks to establish a testing process for the products along with a process for reporting cybersecurity vulnerabilities. It calls for the Secretary of Energy to keep a related database on the products, which will aid electric utilities that are evaluating products and their potential to cause harm to the electric grid.
The Cyber Sense Act also directs the Department of Energy (DOE) to provide technical assistance to manufacturers and electric utilities to address cybersecurity risks, and establish a process for reporting vulnerabilities of products intended for use in bulk power systems. It also directs the Secretary of Energy to consider incentives to encourage the use of analysis and results of testing in the design of products and technologies for use in bulk power systems.
Identical companion legislation was introduced in the U.S. House of Representatives earlier this year by Representatives Bob Latta, a Republican from Ohio, and Jerry McNerney, a Democrat from California. The bill passed the House Energy and Commerce Committee this month.
The new Cyber Sense Act was introduced by U.S. Senator Jacky Rosen, a Democrat from Nevada and a member of the Senate Committee on Commerce, Science, and Transportation and the Senate Committee on Homeland Security & Governmental Affairs (HSGAC), along with Senator John Hoeven, a Republican from North Dakota. Senators James Risch, a Republican from Idaho, Angus King, an Independent from Maine, and Thom Tillis, a Republican from North Carolina, are cosponsors of the bill.
“As our world becomes more digitized, the need for a strong defense of our nation’s electric infrastructure has never been more clear. And with the recent pandemic forcing us to rely more heavily on technology, it’s no surprise that we are seeing a surge in cyberattacks,” Senator Rosen said in a press statement on Thursday.
“If we don’t act to address and mitigate cybersecurity risks, our nation will remain vulnerable. I’m proud to introduce this bipartisan bill to provide much-needed training and technical assistance to electric utilities to address cybersecurity risks and strengthen our national security. I will continue to support legislation that equips our workforce and organizations with the skills needed to improve our nation’s grid resiliency.”
“By utilizing technology to identify and minimize cybersecurity risks, we’re protecting our nation’s critical infrastructure that powers our homes and our economy,” Senator Hoeven said in a press statement. “Events of the past year have revealed increasing vulnerabilities within our energy infrastructure, and our bipartisan legislation supports efforts to secure our nation’s electric grid.”
U.S. President Joe Biden and a bipartisan group of senators announced on Thursday agreement on the framework for an infrastructure improvement package, of which US$73 billion has been allotted for power, $65 billion for broadband and $55 billion for water.
“We face the need to enhance our power grid, making it more resilient against all forms of extreme weather. Additionally, the ransomware attack on Colonial Pipeline underscores the urgent need for greater investment in cybersecurity across all critical infrastructure sectors,” Dr. Kathleen Hogan, Acting Under Secretary, Office of the Under Secretary for Science and Energy, said in her testimony on Thursday at a Senate Energy and Natural Resources hearing.
“We have engaged the private sector on strategies for hardening our critical infrastructure against these evolving threats as well as strengthening our energy security through a multiagency effort to bolster domestic supply chains for key components of our energy system such as the lithium batteries we need for both energy storage and electric vehicles,” Hogan added.
Another piece of legislation pending clearance in the Senate is S. 1400, the ‘Protecting Resources On The Electric Grid with Cybersecurity Technology’ (PROTECT) Act, which aims to boost America’s electric grid security and support cyber technology. Introduced last month, the bill seeks to incentivize electric utilities to make investments in cybersecurity, and establish a DOE grant and technical assistance program for the deployment of advanced cybersecurity technology for utilities that are not regulated by the Federal Energy Regulatory Commission (FERC).
Vital to the nation’s energy security, the electric power system supports national defense, emergency services, critical infrastructure, and the economy. Together, these functions make it essential for bulk power systems to ensure the availability and reliability of their systems and equipment. These bulk power systems implement security solutions that are capable of properly assessing existing cyber and/or supply chain risks, identifying vulnerabilities for each, and providing additional information to construct and execute remediation plans.
Alex Bagwell, Tripwire’s vice president for industrial sales, recently said that the changing nature of electric entities’ environments has made security a challenge, especially since many critical national infrastructure (CNI) organizations are now undergoing digital transformations.
“This means they are oftentimes connecting their operational technology (OT) assets to their information technology (IT) assets for the purpose of maximizing industrial operations,” Bagwell wrote in a company blog post. “The problem is that many of those OT assets are older, legacy systems that lack the necessary security measures to stand up to today’s IT security threats. As a result, digital attackers can leverage successful attacks against bulk power organizations’ IT environments to then pivot to their OT environments.”