[Senate Report 115-246]
[From the U.S. Government Publishing Office]


                                                       Calendar No. 410
115th Congress           }                    {                Report
                                 SENATE
 2d Session              }                    {                115-246

======================================================================



 
                   SECURING ENERGY INFRASTRUCTURE ACT

                                _______
                                

                  May 10, 2018.--Ordered to be printed

                                _______
                                

  Ms. Murkowski, from the Committee on Energy and Natural Resources, 
                        submitted the following

                              R E P O R T

                          [To accompany S. 79]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Energy and Natural Resources, to which was 
referred the bill (S. 79) to provide for the establishment of a 
pilot program to identify security vulnerabilities of certain 
entities in the energy sector, having considered the same, 
reports favorably thereon with an amendment in the nature of a 
substitute and recommends that the bill, as amended, do pass.
    The amendment is as follows:
    Strike out all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Securing Energy Infrastructure 
Act''.

SEC. 2. DEFINITIONS.

    In this Act:
          (1) Appropriate committee of congress.--The term 
        ``appropriate committee of Congress''' means--
                  (A) the Select Committee on Intelligence, the 
                Committee on Homeland Security and Governmental 
                Affairs, and the Committee on Energy and Natural 
                Resources of the Senate; and
                  (B) the Permanent Select Committee on Intelligence, 
                the Committee on Homeland Security, and the Committee 
                on Energy and Commerce of the House of Representatives.
          (2) Covered entity.--The term ``covered entity'' means an 
        entity identified pursuant to section 9(a) of Executive Order 
        13636 of February 12, 2013 (78 Fed. Reg. 11742), relating to 
        identification of critical infrastructure where a cybersecurity 
        incident could reasonably result in catastrophic regional or 
        national effects on public health or safety, economic security, 
        or national security.
          (3) Exploit.--The term ``exploit'' means software tool 
        designed to take advantage of a security vulnerability.
          (4) Industrial control system.--
                  (A) In general.--The term ``industrial control 
                system'' means an operational technology used to 
                measure, control, or manage industrial functions.
                  (B) Inclusions.--The term ``industrial control 
                system'' includes supervisory control and data 
                acquisition systems, distributed control systems, and 
                programmable logic or embedded controllers.
          (5) National laboratory.--The term ``National Laboratory'' 
        has the meaning given the term in section 2 of the Energy 
        Policy Act of 2005 (42 U.S.C. 15801).
          (6) Program.--The term ``Program'' means the pilot program 
        established under section 3.
          (7) Secretary.--The term ``Secretary'' means the Secretary of 
        Energy.
          (8) Security vulnerability.--The term ``security 
        vulnerability'' means any attribute of hardware, software, 
        process, or procedure that could enable or facilitate the 
        defeat of a security control.

SEC. 3. PILOT PROGRAM FOR SECURING ENERGY INFRASTRUCTURE.

    Not later than 180 days after the date of enactment of this Act, 
the Secretary shall establish a 2-year control systems implementation 
pilot program within the National Laboratories for the purposes of--
          (1) partnering with covered entities in the energy sector 
        (including critical component manufacturers in the supply 
        chain) that voluntarily participate in the Program to identify 
        new classes of security vulnerabilities of the covered 
        entities; and
          (2) evaluating technology and standards, in partnership with 
        covered entities, to isolate and defend industrial control 
        systems of covered entities from security vulnerabilities and 
        exploits in the most critical systems of the covered entities, 
        including
                  (A) analog and nondigital control systems;
                  (B) purpose-built control systems; and
                  (C) physical controls.

SEC. 4. WORKING GROUP TO EVALUATE PROGRAM STANDARDS AND DEVELOP 
                    STRATEGY.

    (a) Establishment.--The Secretary shall establish a working group--
          (1) to evaluate the technology and standards used in the 
        Program under section 3(2); and
          (2) to develop a national cyber-informed engineering strategy 
        to isolate and defend covered entities from security 
        vulnerabilities and exploits in the most critical systems of 
        the covered entities.
    (b) Membership.--The working group established under subsection (a) 
shall be composed of not fewer than members, to be appointed by the 
Secretary, at least 1 member of which shall represent each of the 
following:
          (1) The Department of Energy.
          (2) The energy industry, including electric utilities and 
        manufacturers recommended by the Energy Sector coordinating 
        councils.
          (3)(A) The Department of Homeland Security; or
          (B) the Industrial Control Systems Cyber Emergency Response 
        Team
          (4) The North American Electric Reliability Corporation.
          (5) The Nuclear Regulatory Commission.
          (6)(A) The Office of the Director of National Intelligence; 
        or
          (B) the intelligence community (as defined in section 3 of 
        the National Security Act of 1947 (50 U.S.C. 3003)).
          (7)(A) The Department of Defense; or
          (B) the Assistant Secretary of Defense for Homeland Security 
        and America's Security Affairs.
          (8) A State or regional energy agency.
          (9) A national research body or academic institution.
          (10) The National Laboratories.

SEC. 5. REPORTS ON THE PROGRAM.

    (a) Interim Report.--Not later than 180 days after the date on 
which funds are first disbursed under the Program, the Secretary shall 
submit to the appropriate committees of Congress an interim report 
that--
          (1) describes the results of the Program;
          (2) includes an analysis of the feasibility of each method 
        studied under the Program; and
          (3) describes the results of the evaluations conducted by the 
        working group established under section 4(a).
    (b) Final Report.--Not later than 2 years after the date on which 
funds are first disbursed under the Program, the Secretary shall submit 
to the appropriate committees of Congress a final report that--
          (1) describes the results of the Program;
          (2) includes an analysis of the feasibility of each method 
        studied under the Program; and
          (3) describes the results of the evaluations conducted by the 
        working group established under section 4(a).

SEC. 6. EXEMPTION FROM DISCLOSURE.

    Information shared by or with the Federal Government or a State, 
Tribal, or local government under this Act shall be--
          (1) deemed to be voluntarily shared information;
          (2) exempt from disclosure under section 552 of title 5, 
        United States Code, or any provision of any State, Tribal, or 
        local freedom of information law, open government law, open 
        meetings law, open records law, sunshine law, or similar law 
        requiring the disclosure of information or records; and
          (3) withheld from the public, without discretion, under 
        section 552(b)(3) of title 5, United States Code, or any 
        provision of a State, Tribal, or local law requiring the 
        disclosure of information or records.

SEC. 7. PROTECTION FROM LIABILITY.

    (a) In General.--A cause of action against a covered entity for 
engaging in the voluntary activities authorized under section 3--
          (1) shall not lie or be maintained in any court; and
          (2) shall be promptly dismissed by the applicable court.
    (b) Voluntary Activities.--Nothing in this Act subjects any covered 
entity to liability for not engaging in the voluntary activities 
authorized under section 3.

SEC. 8. NO NEW REGULATORY AUTHORITY FOR FEDERAL AGENCIES.

    Nothing in this Act authorizes the Secretary or the head of any 
other department or agency of the Federal Government to issue new 
regulations.

SEC. 9. AUTHORIZATION OF APPROPRIATIONS.

    (a) Pilot Program.--There is authorized to be appropriated 
$10,000,000 to carry out section 3.
    (b) Working Group and Report.--There is authorized to be 
appropriated $1,500,000 to carry out sections 4 and 5.
    (c) Availability.--Amounts made available under subsections (a) and 
(b) shall remain available until expended.

                                PURPOSE

    The purpose of S. 79 is to provide for the establishment of 
a pilot program to identify security vulnerabilities of certain 
entities in the energy sector.

                          BACKGROUND AND NEED

    Critical infrastructures within the United States are 
enticing targets to malicious actors. Notably, these include 
industrial control systems, which are operational technologies 
used to measure, control, or manage industrial functions (e.g., 
supervisory control and data acquisition systems). Industrial 
control systems are used in oil and gas pipelines, in electric 
power generation, transmission, and distribution, in the energy 
sector, and across other sectors such as water management and 
mass transit. Top officials within the intelligence, defense, 
and power communities have warned that the United States 
remains vulnerable to cyber attacks on these systems, which 
could result in catastrophic damage to public health and 
safety, economic security, and national security.
    In December 2015, a cyber attack on Ukraine's power grid 
that featured sophisticated cyber attack techniques, plunged 
more than 225,000 people into darkness. According to the 
Department of Homeland Security, that cyber attack was 
coordinated to target the Ukrainian power grid's industrial 
control systems. Those systems act as the intermediary between 
computers and the switches that control the distribution of 
electricity. The 2015 attack could well have been worse. 
However, Ukraine still relies on manual technology to operate 
its grid to a greater extent than most American utility 
operators. The Ukraine event brought to even greater public 
attention grid-related cybersecurity risks and highlighted a 
need for prudent action to protect other critical 
infrastructure as well. Experts have warned of the need to 
understand security vulnerabilities, particularly as they 
relate to industrial control systems. The Committee on Energy 
and Natural Resources has held several hearings in which the 
topic of the vulnerability of the energy sector to cyber 
attack.
    As it has become increasingly clear that industrial control 
systems are vulnerable to attack, it has also become apparent 
that there is insufficient information available to the 
Department of Energy, the National Laboratories, electric 
utilities, manufacturers of grid-related equipment, and other 
interested entities about the security vulnerabilities of these 
systems. Also lacking is a sufficient evaluation of technology 
and standards to isolate and defend industrial control systems 
from security vulnerabilities in the most critical systems. 
Finally, as identifying cyber vulnerabilities and defending 
against them is a responsibility shared by multiple government 
agencies and private sector institutions including asset 
owners, further opportunities for working-level collaboration 
by these entities are necessary.

                          LEGISLATIVE HISTORY

    On January 10, 2017, Senator Angus King, for himself and 
Senators Risch, Heinrich, Collins, and Crapo, introduced, S. 
79, the Securing Energy Infrastructure Act. The Subcommittee on 
Energy held a hearing on S. 79 on March 28, 2017.
    In the 114th Congress, Senators King, Risch, Collins, and 
Heinrich introduced a similar bill, S. 3018. The Subcommittee 
on Energy, held a hearing on S. 3018 on July 12, 2016.
    The Committee on Energy and Natural Resources met in open 
business session on March 8, 2018, and ordered S. 79 favorably 
reported, as amended.

                        COMMITTEE RECOMMENDATION

    The Senate Committee on Energy and Natural Resources, in 
open business session on March 8, 2018, by a majority voice 
vote of a quorum present, recommends that the Senate pass S. 
79, if amended as described herein.

                      SECTION-BY-SECTION ANALYSIS

Section 1. Short title

    Section 1 sets forth a short title.

Section 2. Definitions

    Section 2 provides a list of definitions.

Section 3. Pilot program for securing energy infrastructure

    Section 3 requires the Secretary to establish a two-year 
pilot program within the National Laboratories for the purpose 
of partnering with covered entities in the energy sector that 
voluntarily participate in the program and evaluating 
technology and standards to isolate and defend.

Section 4. Working group to evaluate program standards and develop 
        strategy

    Section 4(a) requires the Secretary to establish a working 
group to evaluate the technology and the standards to be used 
in the program established under section 3 and to develop a 
cyber-informed engineering strategy.
    Subsection (b) sets forth requirements for membership to 
the working group.

Section 5. Reports on the program

    Section 5(a) requires the Secretary to submit an interim 
report to appropriate committees of Congress not later than 180 
days after funds are first disbursed for the program.
    Subsection (b) requires the Secretary to submit a final 
report to appropriate committees of Congress not later than 2 
years after funds are first disbursed for the program.

Section 6. Exemption from disclosure

    Section 6 exempts from disclosure under Federal or State 
freedom of information laws information shared by or with the 
Federal Government or a State, Tribal, or local government.

Section 7. Protection from liability

    Section 7(a) protects covered entities from a cause of 
action for engaging in voluntary activities authorized by this 
Act.
    Subsection (b) provides liability protections for covered 
entities for engaging in voluntary activities authorized by 
this Act.

Section 8. No new regulatory authority for federal agencies

    Section 8 provides that nothing in the Act authorizes the 
Secretary or the head of any other federal department or agency 
to issue new regulations.

Section 9. Authorization for appropriations

    Section 9(a) authorizes $10,000,000 to carry out section 3.
    Subsection (b) authorizes $1,500,000 to carry out sections 
4 and 5.
    Subsection (c) makes the funds authorized under (a) and (b) 
available until expended.

                   COST AND BUDGETARY CONSIDERATIONS

    The following estimate of the costs of this measure has 
been provided by the Congressional Budget Office:
    S. 79 would authorize the appropriation of $10 million for 
the Department of Energy (DOE) to carry out a pilot program to 
identify security weaknesses in critical infrastructure (for 
example, power generation, transmission, and distribution 
systems) that could result in a debilitating effect on national 
security, economic security, public health, or safety. DOE, in 
partnership with participating owners and operators of such 
infrastructure, would evaluate technologies and standards that 
could be used to defend those assets.
    The bill also would authorize the appropriation of $1.5 
million for DOE to establish a working group to evaluate the 
technologies and standards examined in the pilot program. The 
working group also would be required to develop a national 
engineering strategy to be used to defend the nation's critical 
infrastructure from security vulnerabilities.
    Based on historical spending patterns, CBO estimates that 
implementing the bill would cost $11.5 million over the 2019-
2023 period, assuming appropriation of the specified amounts.
    Enacting S. 79 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting S. 79 would not increase net 
direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2029.
    S. 79 would impose an intergovernmental mandate, as defined 
in the Unfunded Mandates Reform Act (UMRA), on state, local, 
and tribal governments. The bill would preempt state and local 
laws that would otherwise require governmental agencies 
participating in the pilot program to disclose information 
about their activities, such as the sharing of cybersecurity 
information. Although the preemption would limit the 
application of state and local laws, CBO estimates that it 
would impose no duty on state or local governments that would 
result in additional spending or a loss of revenues. S. 79 
contains no private-sector mandates as defined in UMRA.
    On September 21, 2017, CBO transmitted a cost estimate for 
S. 1761, the Intelligence Authorization Act for Fiscal Year 
2018, as reported by the Senate Select Committee on 
Intelligence on August 18, 2017. Title V of that bill is 
similar to S. 79, and CBO's estimates of the cost of 
implementing the two bills are the same.

                      REGULATORY IMPACT EVALUATION

    In compliance with paragraph 11(b) of rule XXVI of the 
Standing Rules of the Senate, the Committee makes the following 
evaluation of the regulatory impact which would be incurred in 
carrying out the bill.
    The bill is not a regulatory measure in the sense of 
imposing Government-established standards or significant 
economic responsibilities on private individuals and 
businesses.
    No personal information would be collected in administering 
the program. Therefore, there would be no impact on personal 
privacy.
    Little, if any, additional paperwork would result from 
enactment of the bill, as ordered reported.

                   CONGRESSIONALLY DIRECTED SPENDING

    S. 79, as ordered reported, does not contain any 
congressionally directed spending items, limited tax benefits, 
or limited tariff benefits as defined in rule XLIV of the 
Standing Rules of the Senate.

                        EXECUTIVE COMMUNICATIONS

    The testimony provided by the Department of Energy at the 
March 28, 2017, hearing on S. 79 follows:

   Written Testimony of Acting Assistant Secretary Patricia Hoffman, 
 Office of Electricity Delivery and Energy Reliability, Department of 
                                 Energy

    Chairman Gardner and Ranking Member Manchin, and Members of 
the Subcommittee, thank you for continuing to highlight the 
importance of a resilient electric power grid and for the 
opportunity to provide the initial views of the Department of 
Energy (DOE) on S. 79, the Securing Energy Infrastructure Act. 
DOE supports the goals of S. 79, which are consistent with the 
Department's ongoing role in helping to ensure a resilient, 
reliable, and flexible electricity system in an increasingly 
challenging environment. DOE would like to work with the 
sponsor and this Committee to offer additional input on the 
bill as discussed later in this testimony.
    Our economy, national security, and even the well-being of 
our citizens depend on the reliable delivery of electricity. I 
know the Secretary is personally engaged in the cybersecurity 
issues facing the energy sector. Under his leadership, the 
Department's role in cybersecurity is a very high priority. The 
mission of the Office of Electricity Delivery and Energy 
Reliability (DOE-OE) is to strengthen, transform, and improve 
energy infrastructure to ensure access to reliable and secure 
sources of energy. We are committed to working with our public 
and private sector partners to protect the Nation's critical 
energy infrastructure, including the electric power grid, from 
physical security events, natural and man-made disasters, and 
cybersecurity breaches.
    Over the past decade, the Nation's energy infrastructure 
has become a major target of cyberattacks. The frequency, 
scale, and sophistication of cyber threats have increased and 
attacks have become easier to launch. Cyber incidents have the 
potential to interrupt energy services, damage highly 
specialized equipment, and threaten human health and safety. As 
a result, energy cybersecurity and resilience has emerged as 
one of the Nation's most important security challenges and 
fostering partnerships with public and private stakeholders 
will be of utmost importance in this work.


             importance of cybersecurity for energy systems


    Initial thoughts of cybersecurity often turn to computer 
servers and desktops, information technology (IT). Hackers 
target computing technology and business applications to cause 
disruptions--obtaining access to email accounts and personal 
information, data exfiltration to be released to the world at 
large. The energy sector is not immune to such attacks.
    In the 2012 Shamoon attack, weaponized malware hit 15 state 
bodies and private companies in Saudi Arabia, wiping more than 
35,000 hard drives of Saudi Aramco, from which the company took 
more than two weeks to recover. And again in January of this 
year, Shamoon 2 hit three state agencies and four private 
sector companies in Saudi Arabia, leaving them offline for at 
least 48 hours.
    These cyberattacks affect not only business systems, but 
can also target the operating technology of energy delivery 
systems and other critical infrastructure as well. Electric 
utilities, oil and natural gas providers, hydro and nuclear 
facilities, along with financial, water, communications, 
transportation, and healthcare sectors are prime targets for 
cyber-attacks. The disruption of any one of these is not only 
inherently problematic, it also hampers the ability to respond 
to any type of emergency event.
    In December 2015, the first known successful cyber-attack 
on a power grid took place in Ukraine. Over 225,000 residents 
were left without power for several hours in the coordinated 
attack, and a second attack occurred in December 2016 that left 
portions of Kiev without electricity. Domestically, the 2013 
cyber-attack on the Bowman Dam in Rye, New York illustrated the 
multitude of targets available to and being surveilled by 
hackers.


                      the ecosystem of resilience


    To address these challenges, it is critical for us to be 
proactive and cultivate what I call an ecosystem of resilience: 
a network of producers, distributors, regulators, vendors, and 
public partners, acting together to strengthen our ability to 
prepare, respond, and recover. We continue to partner with 
industry, Federal agencies, local governments, and other 
stakeholders to quickly identify threats, develop in-depth 
strategies to mitigate those threats, and rapidly respond to 
any disruptions. The DOE National Laboratories have been the 
keystone in many endeavors to address new and existing 
cybersecurity concerns.


                       importance of partnerships


    The U.S. Department of Energy has collaborated with the 
energy sector for nearly two decades in voluntary public-
private partnerships that engage energy owners and operators at 
all levels--technical, operational, and executive, along with 
state and local governments--to identify and mitigate physical 
and cyber risks to energy systems.
    These partnerships are built on a foundation of earned 
trust that promotes the mutual exchange of information and 
resources to improve the security and resilience of critical 
energy infrastructures. These relationships acknowledge the 
special security challenges of energy delivery systems and 
leverage the distinct technical expertise within industry and 
government to develop solutions.
    The security and integrity of energy infrastructure is both 
a state and Federal government concern because energy underpins 
the operations of every other type of critical infrastructure; 
the economy; and public health and safety. The owners and 
operators of energy infrastructure, however, have the primary 
responsibility for the full spectrum of cybersecurity risk 
management: identify assets, protect critical systems, detect 
incidents, respond to incidents, and recover to normal 
operations.
    The first responder when the lights go out or gasoline 
stops flowing in the pipelines is not immediately the state or 
Federal Government; rather, it is industry. This is why public-
private partnerships regarding cybersecurity are paramount--
they recognize the distinct roles and capabilities of industry 
and government in managing our critical energy infrastructure 
risks.
    Two of those partnerships are the Electricity Subsector 
Coordinating Council and the Oil and Natural Gas Subsector 
Coordinating Council, extremely strong partnerships in which 
DOE-OE is engaged. Each serves as a primary conduit between 
industry and the government to prepare for, and respond to, 
national-level disasters or threats to critical infrastructure. 
Through these relationships, cybersecurity issues can be 
addressed more completely and with multiple stakeholder input.


                     doe authority in cybersecurity


    DOE's role in energy sector cybersecurity is established in 
statute and executive action. In 2015, through the Fixing 
America's Surface Transportation Act (FAST Act), Congress 
assigned DOE as the lead Sector-Specific Agency (SSA) for 
cybersecurity for the energy sector, building upon previous 
Presidential Policy Directives (PPD). PPD-41 issued in July 
2016, further clarified the role of DOE as a SSA during a 
significant cyber incident.
    The FAST Act also gave the Secretary of Energy new 
authority, upon declaration of a Grid Security Emergency by the 
President, to issue emergency orders to protect or restore 
critical electric infrastructure or defense critical electric 
infrastructure. This authority allows DOE to respond as needed 
to the threat of cyber and physical attacks on the grid. DOE is 
developing a proposed rule of procedure regarding this new 
authority.
    While the private sector is responsible for all aspects of 
cybersecurity risk management of their energy systems, DOE and 
the Federal government play critical roles in supporting 
industry functions in several ways: providing partnership 
mechanisms that support collaboration and trust; developing 
supportive policies that encourage voluntary cybersecurity in 
the energy sector; developing tools and capabilities to conduct 
risk analysis; leveraging government capabilities to gather 
intelligence on threats and vulnerabilities, and share 
actionable intelligence with energy owners and operators in a 
timely manner; supporting energy sector incident coordination 
and response; facilitating the development of cybersecurity 
standards; and, promoting and supporting innovation and R&D for 
next-generation physical-cyber systems.


    doe's research and development activities in cybersecurity and 
              resilience through the national laboratories


    Intentional, malicious challenges to our energy systems are 
on the rise and we are seeing threats continually increase in 
number and sophistication. This evolution has profound impacts 
on the energy sector.
    Cybersecurity for energy control systems is much different 
than typical IT systems. Power systems must operate 
continuously with high reliability and availability. Upgrades 
and patches can be difficult and time consuming, with 
components dispersed over wide geographic regions. Further, 
many assets are in publicly accessible areas where they can be 
subject to physical tampering. Real time operations are 
imperative and latency is unacceptable for many applications. 
Immediate emergency response capability is mandatory and active 
scanning of the network can be difficult. As a result, our 
National Laboratories conduct cybersecurity R&D taking into 
account these systemic characteristics.
    DOE-OE's Cybersecurity for Energy Delivery Systems (CEDS) 
R&D program aligns activities with Federal and private sector 
priorities, envisioning resilient energy delivery control 
systems designed, installed, operated, and maintained to 
survive a cyber incident while sustaining critical functions.
    The CEDS R&D program is designed to assist the energy 
sector asset owners by developing cybersecurity solutions for 
energy delivery systems through a focused research and 
development effort. DOE-OE co-funds projects with industry 
partners to make advances in cybersecurity capabilities for 
energy delivery systems. These research partnerships are 
helping to detect, prevent, and mitigate the consequences of a 
cyber-incident for our present and future energy delivery 
systems.
    Since 2010, DOE-OE has invested more than $210 million in 
cybersecurity research, development, and demonstration projects 
that are led by industry, universities, and the National 
Laboratories. These investments have resulted in more than 35 
new tools and technologies that are now being used to further 
advance the resilience of the Nation's energy delivery systems.
    Through all of these R&D efforts, our National Laboratories 
have been--and continue to be--heavily engaged in their own 
efforts and in partnerships with academia and industry 
stakeholders. The following are examples of the types of 
cybersecurity advancements currently pursued at our National 
Laboratories, building off of successful cybersecurity tools 
and technologies already developed:
           Argonne National Laboratory is currently 
        working on a resilient self-healing cybersecurity 
        framework for the power grid that will leverage Wide-
        Area Monitoring, Protection, and Control to prevent and 
        mitigate cyber-attacks. The project will develop tools 
        to prevent and mitigate cyber-attacks and enhance the 
        resilience of the bulk power system.
           Argonne is also working on a cloud and 
        outsourcing security framework for power grid 
        applications as well as cybersecurity for distributed 
        energy resources (DER). This project will help ensure 
        that implementation of cloud-based architecture and DER 
        in the energy sector are deployed with security built-
        in to maintain resilience during cyber-attacks.
           An online tool being developed by Brookhaven 
        National Laboratory will help utilities to detect, 
        mitigate, and evaluate the potential impact of various 
        cyberattack scenarios to reduce the risk that malicious 
        compromise of essential forecasting data used for grid 
        scheduling and operation might result in disruption of 
        energy delivery.
           The Validation and Measuring Automated 
        Response Project led by the Idaho National Laboratory 
        is providing a cyber-incident response comparison 
        capability and enabling industry to work towards an 
        automated response capability to a cyber-incident and 
        measuring the efficacy of automated response to drive 
        future improvements.
           Lawrence Berkeley National Laboratory has an 
        effort underway utilizing real-time micro-synchrophasor 
        measurements and other telemetry in the distribution 
        system to enhance identification and detection of 
        current and future cybersecurity vulnerabilities in the 
        power distribution grid to provide a more reliable, 
        robust, scalable, and cost-effective means of detecting 
        cyber-attack scenarios compared to traditional 
        approaches.
           Pacific Northwest National Laboratory is 
        developing visualizations that power system operators 
        and/or cybersecurity professionals can use to make 
        fast, accurate assessments of situations, enabling them 
        to maintain situation awareness during unfolding 
        events. The visualization tool will reduce the burden 
        on the operators and enable them to make faster 
        decisions and maintain cybersecurity situational 
        awareness.
           Pacific Northwest National Laboratory is 
        also working on a project evaluating existing Live 
        Analysis monitoring and detection tools for energy 
        delivery systems use. The research seeks to develop a 
        tool that could provide evidence of anomalous cyber 
        behavior on a live energy delivery system without 
        interrupting energy delivery.
           The Artificial Diversity and Defense 
        Security (ADDSec) project at Sandia National Laboratory 
        is developing defensive technologies that randomly and 
        automatically reconfigure energy delivery operational 
        network parameters moment-by-moment to impede 
        reconnaissance and cyber-attack planning. ADDSec will 
        increase the security of both legacy and modern energy 
        delivery systems by converting these traditionally 
        static systems into moving targets.
           ``Sophia'' is a tool researched and 
        developed by the Idaho National Laboratory (INL) that 
        enhances continuous situational awareness of energy 
        delivery control system communications and helps detect 
        potential cybersecurity concerns. The technology helps 
        strengthen the cybersecurity of our Nation's energy 
        infrastructure today and of note is the fact INL 
        successfully transitioned this technology to commercial 
        use through a licensing agreement.
           Similarly, Oak Ridge National Laboratory 
        licensed the developed ``Hyperion'' software 
        technology. This software can quickly recognize 
        malicious code even if the specific program has not 
        been previously identified as a threat and before it 
        has a chance to execute.
           Also in the process of transitioning to 
        commercialization is Sandia National Laboratory's 
        ``CodeSeal.'' CodeSeal is a cryptographically secure 
        code obfuscation technology that prevents reverse 
        engineering, or malicious modification of energy 
        delivery system code, even if that code is executed on 
        a compromised system.


                                 s. 79


    The U.S. Department of Energy is tremendously proud of the 
role our National Laboratories have played in the advancement 
of cybersecurity technologies for our Nation's energy 
infrastructure. We also appreciate the opportunity to provide 
technical assistance on S. 79. It appears that the intent of 
the legislation is to strengthen our cybersecurity posture by 
directing the National Laboratories to undertake a study of the 
systems most critical to national security and to the grid.
    In considering the legislation, DOE notes that many energy 
sector entities already conduct such assessments to comply with 
mandatory Critical Infrastructure Protection standards set by 
the Federal Energy Regulatory Commission and the North American 
Electric Reliability Corporation or as part of their due 
diligence in ensuring their system is reliable and capable of 
providing uninterrupted service in the face of today's evolving 
cyber threat landscape.


                               conclusion


    Cyber threats to the energy sector continue to evolve, and 
DOE is working diligently to stay ahead of the curve. The 
solution is an ecosystem of resilience that works in 
partnership with local, state, and industry stakeholders to 
help provide the methods, strategies, and tools needed to help 
protect the Nation's energy infrastructure through increased 
resilience and flexibility.
    One of the cornerstones to this ecosystem of resilience is 
the DOE National Laboratories and the significant contributions 
they provide through their cybersecurity technology 
advancements. Building an ecosystem of resilience is--by 
definition--a shared endeavor, and keeping a focus on 
partnerships remains an imperative. DOE will continue its years 
of work fostering these relationships and investing in 
technologies to enhance resilience and security, ensuring the 
electric power grid continues to be able to withstand and 
recover quickly from disasters and attacks.

                        CHANGES IN EXISTING LAW

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, the Committee notes that no 
changes in existing law are made by the bill S. 79 as ordered 
reported.

                                  [all]