[Senate Report 115-246]
[From the U.S. Government Publishing Office]

Calendar No. 410

115th Congress, 2d Session
SENATE
Report 115-246

SECURING ENERGY INFRASTRUCTURE ACT

May 10, 2018.--Ordered to be printed

Ms. Murkowski, from the Committee on Energy and Natural Resources, submitted the following

REPORT

[To accompany S. 79]

[Including cost estimate of the Congressional Budget Office]

The Committee on Energy and Natural Resources, to which was referred the bill (S. 79) to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector, having considered the same, reports favorably thereon with an amendment in the nature of a substitute and recommends that the bill, as amended, do pass.

The amendment is as follows:

Strike out all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Securing Energy Infrastructure Act''.

SEC. 2. DEFINITIONS.

In this Act:

(1) Appropriate committee of congress.--The term ``appropriate committee of Congress'' means--
    (A) the Select Committee on Intelligence, the Committee on Homeland Security and Governmental Affairs, and the Committee on Energy and Natural Resources of the Senate; and
    (B) the Permanent Select Committee on Intelligence, the Committee on Homeland Security, and the Committee on Energy and Commerce of the House of Representatives.

(2) Covered entity.--The term ``covered entity'' means an entity identified pursuant to section 9(a) of Executive Order 13636 of February 12, 2013 (78 Fed. Reg. 11742), relating to identification of critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
(3) Exploit.--The term ``exploit'' means a software tool designed to take advantage of a security vulnerability.

(4) Industrial control system.--
    (A) In general.--The term ``industrial control system'' means an operational technology used to measure, control, or manage industrial functions.
    (B) Inclusions.--The term ``industrial control system'' includes supervisory control and data acquisition systems, distributed control systems, and programmable logic or embedded controllers.

(5) National laboratory.--The term ``National Laboratory'' has the meaning given the term in section 2 of the Energy Policy Act of 2005 (42 U.S.C. 15801).

(6) Program.--The term ``Program'' means the pilot program established under section 3.

(7) Secretary.--The term ``Secretary'' means the Secretary of Energy.

(8) Security vulnerability.--The term ``security vulnerability'' means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.

SEC. 3. PILOT PROGRAM FOR SECURING ENERGY INFRASTRUCTURE.

Not later than 180 days after the date of enactment of this Act, the Secretary shall establish a 2-year control systems implementation pilot program within the National Laboratories for the purposes of--

(1) partnering with covered entities in the energy sector (including critical component manufacturers in the supply chain) that voluntarily participate in the Program to identify new classes of security vulnerabilities of the covered entities; and

(2) evaluating technology and standards, in partnership with covered entities, to isolate and defend industrial control systems of covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities, including--
    (A) analog and nondigital control systems;
    (B) purpose-built control systems; and
    (C) physical controls.

SEC. 4. WORKING GROUP TO EVALUATE PROGRAM STANDARDS AND DEVELOP STRATEGY.
(a) Establishment.--The Secretary shall establish a working group--
    (1) to evaluate the technology and standards used in the Program under section 3(2); and
    (2) to develop a national cyber-informed engineering strategy to isolate and defend covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities.

(b) Membership.--The working group established under subsection (a) shall be composed of not fewer than members, to be appointed by the Secretary, at least 1 member of which shall represent each of the following:
    (1) The Department of Energy.
    (2) The energy industry, including electric utilities and manufacturers recommended by the Energy Sector coordinating councils.
    (3)(A) The Department of Homeland Security; or
       (B) the Industrial Control Systems Cyber Emergency Response Team.
    (4) The North American Electric Reliability Corporation.
    (5) The Nuclear Regulatory Commission.
    (6)(A) The Office of the Director of National Intelligence; or
       (B) the intelligence community (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)).
    (7)(A) The Department of Defense; or
       (B) the Assistant Secretary of Defense for Homeland Security and America's Security Affairs.
    (8) A State or regional energy agency.
    (9) A national research body or academic institution.
    (10) The National Laboratories.

SEC. 5. REPORTS ON THE PROGRAM.

(a) Interim Report.--Not later than 180 days after the date on which funds are first disbursed under the Program, the Secretary shall submit to the appropriate committees of Congress an interim report that--
    (1) describes the results of the Program;
    (2) includes an analysis of the feasibility of each method studied under the Program; and
    (3) describes the results of the evaluations conducted by the working group established under section 4(a).
(b) Final Report.--Not later than 2 years after the date on which funds are first disbursed under the Program, the Secretary shall submit to the appropriate committees of Congress a final report that--
    (1) describes the results of the Program;
    (2) includes an analysis of the feasibility of each method studied under the Program; and
    (3) describes the results of the evaluations conducted by the working group established under section 4(a).

SEC. 6. EXEMPTION FROM DISCLOSURE.

Information shared by or with the Federal Government or a State, Tribal, or local government under this Act shall be--
    (1) deemed to be voluntarily shared information;
    (2) exempt from disclosure under section 552 of title 5, United States Code, or any provision of any State, Tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring the disclosure of information or records; and
    (3) withheld from the public, without discretion, under section 552(b)(3) of title 5, United States Code, or any provision of a State, Tribal, or local law requiring the disclosure of information or records.

SEC. 7. PROTECTION FROM LIABILITY.

(a) In General.--A cause of action against a covered entity for engaging in the voluntary activities authorized under section 3--
    (1) shall not lie or be maintained in any court; and
    (2) shall be promptly dismissed by the applicable court.

(b) Voluntary Activities.--Nothing in this Act subjects any covered entity to liability for not engaging in the voluntary activities authorized under section 3.

SEC. 8. NO NEW REGULATORY AUTHORITY FOR FEDERAL AGENCIES.

Nothing in this Act authorizes the Secretary or the head of any other department or agency of the Federal Government to issue new regulations.

SEC. 9. AUTHORIZATION OF APPROPRIATIONS.

(a) Pilot Program.--There is authorized to be appropriated $10,000,000 to carry out section 3.
(b) Working Group and Report.--There is authorized to be appropriated $1,500,000 to carry out sections 4 and 5.

(c) Availability.--Amounts made available under subsections (a) and (b) shall remain available until expended.

PURPOSE

The purpose of S. 79 is to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector.

BACKGROUND AND NEED

Critical infrastructures within the United States are enticing targets to malicious actors. Notably, these include industrial control systems, which are operational technologies used to measure, control, or manage industrial functions (e.g., supervisory control and data acquisition systems). Industrial control systems are used in oil and gas pipelines, in electric power generation, transmission, and distribution, in the energy sector, and across other sectors such as water management and mass transit. Top officials within the intelligence, defense, and power communities have warned that the United States remains vulnerable to cyber attacks on these systems, which could result in catastrophic damage to public health and safety, economic security, and national security.

In December 2015, a cyber attack on Ukraine's power grid that featured sophisticated cyber attack techniques plunged more than 225,000 people into darkness. According to the Department of Homeland Security, that cyber attack was coordinated to target the Ukrainian power grid's industrial control systems. Those systems act as the intermediary between computers and the switches that control the distribution of electricity. The 2015 attack could well have been worse. However, Ukraine still relies on manual technology to operate its grid to a greater extent than most American utility operators. The Ukraine event brought to even greater public attention grid-related cybersecurity risks and highlighted a need for prudent action to protect other critical infrastructure as well.
Experts have warned of the need to understand security vulnerabilities, particularly as they relate to industrial control systems. The Committee on Energy and Natural Resources has held several hearings on the topic of the vulnerability of the energy sector to cyber attack. As it has become increasingly clear that industrial control systems are vulnerable to attack, it has also become apparent that there is insufficient information available to the Department of Energy, the National Laboratories, electric utilities, manufacturers of grid-related equipment, and other interested entities about the security vulnerabilities of these systems. Also lacking is a sufficient evaluation of technology and standards to isolate and defend industrial control systems from security vulnerabilities in the most critical systems. Finally, as identifying cyber vulnerabilities and defending against them is a responsibility shared by multiple government agencies and private sector institutions including asset owners, further opportunities for working-level collaboration by these entities are necessary.

LEGISLATIVE HISTORY

On January 10, 2017, Senator Angus King, for himself and Senators Risch, Heinrich, Collins, and Crapo, introduced S. 79, the Securing Energy Infrastructure Act. The Subcommittee on Energy held a hearing on S. 79 on March 28, 2017.

In the 114th Congress, Senators King, Risch, Collins, and Heinrich introduced a similar bill, S. 3018. The Subcommittee on Energy held a hearing on S. 3018 on July 12, 2016.

The Committee on Energy and Natural Resources met in open business session on March 8, 2018, and ordered S. 79 favorably reported, as amended.

COMMITTEE RECOMMENDATION

The Senate Committee on Energy and Natural Resources, in open business session on March 8, 2018, by a majority voice vote of a quorum present, recommends that the Senate pass S. 79, if amended as described herein.

SECTION-BY-SECTION ANALYSIS

Section 1. Short title

Section 1 sets forth a short title.
Section 2. Definitions

Section 2 provides a list of definitions.

Section 3. Pilot program for securing energy infrastructure

Section 3 requires the Secretary to establish a two-year pilot program within the National Laboratories for the purpose of partnering with covered entities in the energy sector that voluntarily participate in the program and evaluating technology and standards to isolate and defend.

Section 4. Working group to evaluate program standards and develop strategy

Section 4(a) requires the Secretary to establish a working group to evaluate the technology and the standards to be used in the program established under section 3 and to develop a cyber-informed engineering strategy.

Subsection (b) sets forth requirements for membership to the working group.

Section 5. Reports on the program

Section 5(a) requires the Secretary to submit an interim report to appropriate committees of Congress not later than 180 days after funds are first disbursed for the program.

Subsection (b) requires the Secretary to submit a final report to appropriate committees of Congress not later than 2 years after funds are first disbursed for the program.

Section 6. Exemption from disclosure

Section 6 exempts from disclosure under Federal or State freedom of information laws information shared by or with the Federal Government or a State, Tribal, or local government.

Section 7. Protection from liability

Section 7(a) protects covered entities from a cause of action for engaging in voluntary activities authorized by this Act.

Subsection (b) provides liability protections for covered entities for engaging in voluntary activities authorized by this Act.

Section 8. No new regulatory authority for federal agencies

Section 8 provides that nothing in the Act authorizes the Secretary or the head of any other federal department or agency to issue new regulations.

Section 9. Authorization for appropriations

Section 9(a) authorizes $10,000,000 to carry out section 3.
Subsection (b) authorizes $1,500,000 to carry out sections 4 and 5.

Subsection (c) makes the funds authorized under (a) and (b) available until expended.

COST AND BUDGETARY CONSIDERATIONS

The following estimate of the costs of this measure has been provided by the Congressional Budget Office:

S. 79 would authorize the appropriation of $10 million for the Department of Energy (DOE) to carry out a pilot program to identify security weaknesses in critical infrastructure (for example, power generation, transmission, and distribution systems) that could result in a debilitating effect on national security, economic security, public health, or safety. DOE, in partnership with participating owners and operators of such infrastructure, would evaluate technologies and standards that could be used to defend those assets.

The bill also would authorize the appropriation of $1.5 million for DOE to establish a working group to evaluate the technologies and standards examined in the pilot program. The working group also would be required to develop a national engineering strategy to be used to defend the nation's critical infrastructure from security vulnerabilities.

Based on historical spending patterns, CBO estimates that implementing the bill would cost $11.5 million over the 2019-2023 period, assuming appropriation of the specified amounts.

Enacting S. 79 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.

CBO estimates that enacting S. 79 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.

S. 79 would impose an intergovernmental mandate, as defined in the Unfunded Mandates Reform Act (UMRA), on state, local, and tribal governments. The bill would preempt state and local laws that would otherwise require governmental agencies participating in the pilot program to disclose information about their activities, such as the sharing of cybersecurity information.
Although the preemption would limit the application of state and local laws, CBO estimates that it would impose no duty on state or local governments that would result in additional spending or a loss of revenues.

S. 79 contains no private-sector mandates as defined in UMRA.

On September 21, 2017, CBO transmitted a cost estimate for S. 1761, the Intelligence Authorization Act for Fiscal Year 2018, as reported by the Senate Select Committee on Intelligence on August 18, 2017. Title V of that bill is similar to S. 79, and CBO's estimates of the cost of implementing the two bills are the same.

REGULATORY IMPACT EVALUATION

In compliance with paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee makes the following evaluation of the regulatory impact which would be incurred in carrying out the bill.

The bill is not a regulatory measure in the sense of imposing Government-established standards or significant economic responsibilities on private individuals and businesses.

No personal information would be collected in administering the program. Therefore, there would be no impact on personal privacy.

Little, if any, additional paperwork would result from enactment of the bill, as ordered reported.

CONGRESSIONALLY DIRECTED SPENDING

S. 79, as ordered reported, does not contain any congressionally directed spending items, limited tax benefits, or limited tariff benefits as defined in rule XLIV of the Standing Rules of the Senate.

EXECUTIVE COMMUNICATIONS

The testimony provided by the Department of Energy at the March 28, 2017, hearing on S. 79 follows:

Written Testimony of Acting Assistant Secretary Patricia Hoffman, Office of Electricity Delivery and Energy Reliability, Department of Energy

Chairman Gardner and Ranking Member Manchin, and Members of the Subcommittee, thank you for continuing to highlight the importance of a resilient electric power grid and for the opportunity to provide the initial views of the Department of Energy (DOE) on S. 79, the Securing Energy Infrastructure Act. DOE supports the goals of S. 79, which are consistent with the Department's ongoing role in helping to ensure a resilient, reliable, and flexible electricity system in an increasingly challenging environment. DOE would like to work with the sponsor and this Committee to offer additional input on the bill as discussed later in this testimony.

Our economy, national security, and even the well-being of our citizens depend on the reliable delivery of electricity. I know the Secretary is personally engaged in the cybersecurity issues facing the energy sector. Under his leadership, the Department's role in cybersecurity is a very high priority.

The mission of the Office of Electricity Delivery and Energy Reliability (DOE-OE) is to strengthen, transform, and improve energy infrastructure to ensure access to reliable and secure sources of energy. We are committed to working with our public and private sector partners to protect the Nation's critical energy infrastructure, including the electric power grid, from physical security events, natural and man-made disasters, and cybersecurity breaches.

Over the past decade, the Nation's energy infrastructure has become a major target of cyberattacks. The frequency, scale, and sophistication of cyber threats have increased and attacks have become easier to launch. Cyber incidents have the potential to interrupt energy services, damage highly specialized equipment, and threaten human health and safety. As a result, energy cybersecurity and resilience has emerged as one of the Nation's most important security challenges and fostering partnerships with public and private stakeholders will be of utmost importance in this work.

IMPORTANCE OF CYBERSECURITY FOR ENERGY SYSTEMS

Initial thoughts of cybersecurity often turn to computer servers and desktops, information technology (IT).
Hackers target computing technology and business applications to cause disruptions--obtaining access to email accounts and personal information, data exfiltration to be released to the world at large. The energy sector is not immune to such attacks. In the 2012 Shamoon attack, weaponized malware hit 15 state bodies and private companies in Saudi Arabia, wiping more than 35,000 hard drives of Saudi Aramco, from which the company took more than two weeks to recover. And again in January of this year, Shamoon 2 hit three state agencies and four private sector companies in Saudi Arabia, leaving them offline for at least 48 hours.

These cyberattacks affect not only business systems, but can also target the operating technology of energy delivery systems and other critical infrastructure as well. Electric utilities, oil and natural gas providers, hydro and nuclear facilities, along with financial, water, communications, transportation, and healthcare sectors are prime targets for cyber-attacks. The disruption of any one of these is not only inherently problematic, it also hampers the ability to respond to any type of emergency event.

In December 2015, the first known successful cyber-attack on a power grid took place in Ukraine. Over 225,000 residents were left without power for several hours in the coordinated attack, and a second attack occurred in December 2016 that left portions of Kiev without electricity. Domestically, the 2013 cyber-attack on the Bowman Dam in Rye, New York illustrated the multitude of targets available to and being surveilled by hackers.

THE ECOSYSTEM OF RESILIENCE

To address these challenges, it is critical for us to be proactive and cultivate what I call an ecosystem of resilience: a network of producers, distributors, regulators, vendors, and public partners, acting together to strengthen our ability to prepare, respond, and recover.
We continue to partner with industry, Federal agencies, local governments, and other stakeholders to quickly identify threats, develop in-depth strategies to mitigate those threats, and rapidly respond to any disruptions. The DOE National Laboratories have been the keystone in many endeavors to address new and existing cybersecurity concerns.

IMPORTANCE OF PARTNERSHIPS

The U.S. Department of Energy has collaborated with the energy sector for nearly two decades in voluntary public-private partnerships that engage energy owners and operators at all levels--technical, operational, and executive, along with state and local governments--to identify and mitigate physical and cyber risks to energy systems. These partnerships are built on a foundation of earned trust that promotes the mutual exchange of information and resources to improve the security and resilience of critical energy infrastructures. These relationships acknowledge the special security challenges of energy delivery systems and leverage the distinct technical expertise within industry and government to develop solutions.

The security and integrity of energy infrastructure is both a state and Federal government concern because energy underpins the operations of every other type of critical infrastructure; the economy; and public health and safety. The owners and operators of energy infrastructure, however, have the primary responsibility for the full spectrum of cybersecurity risk management: identify assets, protect critical systems, detect incidents, respond to incidents, and recover to normal operations.

The first responder when the lights go out or gasoline stops flowing in the pipelines is not immediately the state or Federal Government; rather, it is industry. This is why public-private partnerships regarding cybersecurity are paramount--they recognize the distinct roles and capabilities of industry and government in managing our critical energy infrastructure risks.
Two of those partnerships are the Electricity Subsector Coordinating Council and the Oil and Natural Gas Subsector Coordinating Council, extremely strong partnerships in which DOE-OE is engaged. Each serves as a primary conduit between industry and the government to prepare for, and respond to, national-level disasters or threats to critical infrastructure. Through these relationships, cybersecurity issues can be addressed more completely and with multiple stakeholder input.

DOE AUTHORITY IN CYBERSECURITY

DOE's role in energy sector cybersecurity is established in statute and executive action. In 2015, through the Fixing America's Surface Transportation Act (FAST Act), Congress assigned DOE as the lead Sector-Specific Agency (SSA) for cybersecurity for the energy sector, building upon previous Presidential Policy Directives (PPD). PPD-41 issued in July 2016, further clarified the role of DOE as a SSA during a significant cyber incident.

The FAST Act also gave the Secretary of Energy new authority, upon declaration of a Grid Security Emergency by the President, to issue emergency orders to protect or restore critical electric infrastructure or defense critical electric infrastructure. This authority allows DOE to respond as needed to the threat of cyber and physical attacks on the grid. DOE is developing a proposed rule of procedure regarding this new authority.
While the private sector is responsible for all aspects of cybersecurity risk management of their energy systems, DOE and the Federal government play critical roles in supporting industry functions in several ways: providing partnership mechanisms that support collaboration and trust; developing supportive policies that encourage voluntary cybersecurity in the energy sector; developing tools and capabilities to conduct risk analysis; leveraging government capabilities to gather intelligence on threats and vulnerabilities, and share actionable intelligence with energy owners and operators in a timely manner; supporting energy sector incident coordination and response; facilitating the development of cybersecurity standards; and, promoting and supporting innovation and R&D for next-generation physical-cyber systems.

DOE'S RESEARCH AND DEVELOPMENT ACTIVITIES IN CYBERSECURITY AND RESILIENCE THROUGH THE NATIONAL LABORATORIES

Intentional, malicious challenges to our energy systems are on the rise and we are seeing threats continually increase in number and sophistication. This evolution has profound impacts on the energy sector.

Cybersecurity for energy control systems is much different than typical IT systems. Power systems must operate continuously with high reliability and availability. Upgrades and patches can be difficult and time consuming, with components dispersed over wide geographic regions. Further, many assets are in publicly accessible areas where they can be subject to physical tampering. Real time operations are imperative and latency is unacceptable for many applications. Immediate emergency response capability is mandatory and active scanning of the network can be difficult. As a result, our National Laboratories conduct cybersecurity R&D taking into account these systemic characteristics.
DOE-OE's Cybersecurity for Energy Delivery Systems (CEDS) R&D program aligns activities with Federal and private sector priorities, envisioning resilient energy delivery control systems designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions. The CEDS R&D program is designed to assist the energy sector asset owners by developing cybersecurity solutions for energy delivery systems through a focused research and development effort. DOE-OE co-funds projects with industry partners to make advances in cybersecurity capabilities for energy delivery systems. These research partnerships are helping to detect, prevent, and mitigate the consequences of a cyber-incident for our present and future energy delivery systems.

Since 2010, DOE-OE has invested more than $210 million in cybersecurity research, development, and demonstration projects that are led by industry, universities, and the National Laboratories. These investments have resulted in more than 35 new tools and technologies that are now being used to further advance the resilience of the Nation's energy delivery systems.

Through all of these R&D efforts, our National Laboratories have been--and continue to be--heavily engaged in their own efforts and in partnerships with academia and industry stakeholders. The following are examples of the types of cybersecurity advancements currently pursued at our National Laboratories, building off of successful cybersecurity tools and technologies already developed:

Argonne National Laboratory is currently working on a resilient self-healing cybersecurity framework for the power grid that will leverage Wide-Area Monitoring, Protection, and Control to prevent and mitigate cyber-attacks. The project will develop tools to prevent and mitigate cyber-attacks and enhance the resilience of the bulk power system.
Argonne is also working on a cloud and outsourcing security framework for power grid applications as well as cybersecurity for distributed energy resources (DER). This project will help ensure that implementation of cloud-based architecture and DER in the energy sector are deployed with security built-in to maintain resilience during cyber-attacks.

An online tool being developed by Brookhaven National Laboratory will help utilities to detect, mitigate, and evaluate the potential impact of various cyberattack scenarios to reduce the risk that malicious compromise of essential forecasting data used for grid scheduling and operation might result in disruption of energy delivery.

The Validation and Measuring Automated Response Project led by the Idaho National Laboratory is providing a cyber-incident response comparison capability and enabling industry to work towards an automated response capability to a cyber-incident and measuring the efficacy of automated response to drive future improvements.

Lawrence Berkeley National Laboratory has an effort underway utilizing real-time micro-synchrophasor measurements and other telemetry in the distribution system to enhance identification and detection of current and future cybersecurity vulnerabilities in the power distribution grid to provide a more reliable, robust, scalable, and cost-effective means of detecting cyber-attack scenarios compared to traditional approaches.

Pacific Northwest National Laboratory is developing visualizations that power system operators and/or cybersecurity professionals can use to make fast, accurate assessments of situations, enabling them to maintain situation awareness during unfolding events. The visualization tool will reduce the burden on the operators and enable them to make faster decisions and maintain cybersecurity situational awareness.
Pacific Northwest National Laboratory is also working on a project evaluating existing Live Analysis monitoring and detection tools for energy delivery systems use. The research seeks to develop a tool that could provide evidence of anomalous cyber behavior on a live energy delivery system without interrupting energy delivery.

The Artificial Diversity and Defense Security (ADDSec) project at Sandia National Laboratory is developing defensive technologies that randomly and automatically reconfigure energy delivery operational network parameters moment-by-moment to impede reconnaissance and cyber-attack planning. ADDSec will increase the security of both legacy and modern energy delivery systems by converting these traditionally static systems into moving targets.

``Sophia'' is a tool researched and developed by the Idaho National Laboratory (INL) that enhances continuous situational awareness of energy delivery control system communications and helps detect potential cybersecurity concerns. The technology helps strengthen the cybersecurity of our Nation's energy infrastructure today and of note is the fact INL successfully transitioned this technology to commercial use through a licensing agreement.

Similarly, Oak Ridge National Laboratory licensed the developed ``Hyperion'' software technology. This software can quickly recognize malicious code even if the specific program has not been previously identified as a threat and before it has a chance to execute.

Also in the process of transitioning to commercialization is Sandia National Laboratory's ``CodeSeal.'' CodeSeal is a cryptographically secure code obfuscation technology that prevents reverse engineering, or malicious modification of energy delivery system code, even if that code is executed on a compromised system.

S. 79

The U.S. Department of Energy is tremendously proud of the role our National Laboratories have played in the advancement of cybersecurity technologies for our Nation's energy infrastructure.
We also appreciate the opportunity to provide technical assistance on S. 79. It appears that the intent of the legislation is to strengthen our cybersecurity posture by directing the National Laboratories to undertake a study of the systems most critical to national security and to the grid. In considering the legislation, DOE notes that many energy sector entities already conduct such assessments to comply with mandatory Critical Infrastructure Protection standards set by the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation or as part of their due diligence in ensuring their system is reliable and capable of providing uninterrupted service in the face of today's evolving cyber threat landscape.

CONCLUSION

Cyber threats to the energy sector continue to evolve, and DOE is working diligently to stay ahead of the curve. The solution is an ecosystem of resilience that works in partnership with local, state, and industry stakeholders to help provide the methods, strategies, and tools needed to help protect the Nation's energy infrastructure through increased resilience and flexibility. One of the cornerstones to this ecosystem of resilience is the DOE National Laboratories and the significant contributions they provide through their cybersecurity technology advancements.

Building an ecosystem of resilience is--by definition--a shared endeavor, and keeping a focus on partnerships remains an imperative. DOE will continue its years of work fostering these relationships and investing in technologies to enhance resilience and security, ensuring the electric power grid continues to be able to withstand and recover quickly from disasters and attacks.

CHANGES IN EXISTING LAW

In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, the Committee notes that no changes in existing law are made by the bill S. 79 as ordered reported.

[all]