[Senate Report 116-144] [From the U.S. Government Publishing Office] Calendar No. 264 116th Congress } { Report SENATE 1st Session } { 116-144 ====================================================================== ENERGY CYBERSECURITY ACT OF 2019 _______ October 23, 2019.--Ordered to be printed _______ Ms. Murkowski, from the Committee on Energy and Natural Resources, submitted the following R E P O R T [To accompany S. 2333] The Committee on Energy and Natural Resources, to which was referred the bill (S. 2333) to provide for enhanced energy grid security, having considered the same, reports favorably thereon without amendment and recommends that the bill do pass. PURPOSE The purpose of S. 2333 is to provide for enhanced energy grid security. BACKGROUND AND NEED The United States' electric grid is comprised of a vast network of transmission and distribution systems that deliver electricity from producers to consumer homes and businesses. Many sectors of our economy, including healthcare and manufacturing, simply cannot operate without a reliable supply of electricity. As advances in digital and information technology continue to electrify our daily lives, we increase our exposure to a potentially devastating cyber or physical attack on the grid. A number of federal agencies are responsible for protecting our electric grid from physical and cyber threats, including DOE and the Federal Energy Regulatory Commission (FERC). DOE works closely with electric sector owners and operators to detect and mitigate risks to critical electric infrastructure, and to develop tools and other resources to assist the sector in evaluating and improving their security preparedness. Also, with the enactment of the Fixing America's Surface Transportation Act (Public Law 114-94) in 2015, Congress codified DOE as the Sector-Specific Agency for cybersecurity for the energy sector. With respect to FERC, the Energy Policy Act of 2005 (Public Law 109-58) created the Electric Reliability Organization (ERO) to develop mandatory reliability standards for the electric transmission system, including physical and cybersecurity standards. The law tasked FERC with approving and enforcing these mandatory standards--violations of which that can result in penalties of up to $1 million per violation per day. S. 2333 would establish a program at DOE to develop advanced energy cybersecurity technologies, secure control system vulnerabilities, and develop workforce curricula for energy sector cybersecurity. The bill would also establish a program to identify and address supply chain vulnerabilities and expand the cooperation of the Federal government with industry to coordinate responses to cyber threats. LEGISLATIVE HISTORY S. 2333 was introduced by Senators Cantwell and Heinrich on July 30, 2019. In the 115th Congress, a similar measure was included as section 2002 in S. 1460, the Energy and Natural Resources Act of 2017. S. 1460 was introduced by Senators Murkowski and Cantwell on June 28, 2017, and placed directly on the Legislative Calendar (Cal. 162). In the 114th Congress, a similar measure was included as section 2002 in S. 2012, the Energy Policy Modernization Act of 2016. An original bill, S. 2012 was reported by the Committee on Energy and Natural Resources on July 30, 2015, and passed by the Senate, as amended, on April 26, 2016, by a vote of 85-12. The Senate Committee on Energy and Natural Resources met in open business session on September 25, 2019, and ordered S. 2333 favorably reported. COMMITTEE RECOMMENDATION The Senate Committee on Energy and Natural Resources, in open business session on September 25, 2019, by a majority voice vote of a quorum present, recommends that the Senate pass S. 2333. Senators Barrasso and Lee asked to be recorded as voting no. SECTION-BY-SECTION ANALYSIS Section 1. Short title Section 1 sets forth the short title of the bill. Sec. 2. Definitions Section 2 provides key definitions. Sec. 3. Enhanced grid security Section 3(a) directs the Secretary of Energy (Secretary) to carry out a program to develop advanced energy sector cybersecurity technologies and applications, and to leverage electric grid architecture to assess risks to the energy sector. It further authorizes $65 million for each of fiscal years (FYs) 2020 through 2028 to carry out subsection (a). Subsection (b) requires the Secretary to carry out a program on cybertesting and mitigation to identify vulnerabilities of energy sector supply chain products; oversee third-party cybertesting; and develop procurement guidelines for energy section supply chain components. It further authorizes $15 million for each of FYs 2020 through 2028 to carry out subsection (b). Subsection (c) authorizes the Secretary to carry out a program on energy sector operational support for cyberresilience with the following objectives: to enhance and periodically test the emergency response capabilities of the Department and coordination with the Department, the National Laboratories, and private industry; expand cooperation of DOE with the intelligence community for energy sector-related threat collection; enhance the tools of the DOE and the Electricity Information Sharing and Analysis Center (E-ISAC) for monitoring the status of the energy sector; expand industry participation in E-ISAC; and provide technical assistance to small electric utilities to assess cybermaturity. It further authorizes $10 million for each of FYs 2020 through 2028 to carry out subsection (c). Subsection (d) directs the Secretary to develop an advanced energy security program to secure energy networks. The program's objective is to increase the functional preservation of electric grid operations or natural gas and oil operations in the face of threats and hazards. In carrying out this program the Secretary is authorized to develop capabilities to identify vulnerabilities; provide modeling to predict impacts; develop a maturity model for physical and cybersecurity; conduct exercises to mitigate electric grid vulnerabilities; conduct research for electric grid components; and provide technical assistance for standards and risk analysis. It further authorizes $10 million for each of FYs 2020 through 2028 to carry out subsection (d). Subsection (e) requires the program to be carried out consistent with existing Department programs, DOE's 2011 ``Roadmap to Achieve Energy Delivery Systems Cybersecurity,'' and any other relevant strategic framework. Subsection (f) directs the Secretary, in consultations with FERC and the North American Electric Reliability Corporation, to conduct a study within 180 days of enactment to explore alternative management structures and funding mechanisms to expand industry participation in E-ISAC, and to submit such study to the appropriate Congressional committees. COST AND BUDGETARY CONSIDERATIONS The Congressional Budget Office estimate of the costs of this measure has been requested but was not received at the time the report was filed. When the Congressional Budget Office completes its cost estimate, it will be posted on the internet at www.cbo.gov. REGULATORY IMPACT EVALUATION In compliance with paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee makes the following evaluation of the regulatory impact which would be incurred in carrying out S. 2333. The bill is not a regulatory measure in the sense of imposing Government-established standards or significant economic responsibilities on private individuals and businesses. No personal information would be collected in administering the program. Therefore, there would be no impact on personal privacy. Little, if any, additional paperwork would result from the enactment of S. 2333, as ordered reported. CONGRESSIONALLY DIRECTED SPENDING S. 2333, as ordered reported, does not contain any congressionally directed spending items, limited tax benefits, or limited tariff benefits as defined in rule XLIV of the Standing Rules of the Senate. EXECUTIVE COMMUNICATIONS Executive views on S. 2333 were not requested by the Committee. CHANGES IN EXISTING LAW In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, the Committee notes that no changes in existing law are made by S. 2333 as ordered reported. [all]