[Senate Report 116-147] [From the U.S. Government Publishing Office] Calendar No. 267 116th Congress } { Report SENATE 1st Session } { 116-147 ====================================================================== ENHANCING GRID SECURITY THROUGH PUBLIC-PRIVATE PARTNERSHIPS ACT _______ October 24, 2019.--Ordered to be printed _______ Ms. Murkowski, from the Committee on Energy and Natural Resources, submitted the following R E P O R T [To accompany S. 2095] The Committee on Energy and Natural Resources, to which was referred the bill (S. 2095) to provide for certain programs and developments in the Department of Energy concerning the cybersecurity and vulnerabilities of, and physical threats to, the electric grid, and for other purposes, having considered the same, reports favorably thereon without amendment and recommends that the bill do pass. PURPOSE The purpose of S. 2095 is to provide for certain programs and developments in the Department of Energy (DOE) concerning the cybersecurity and vulnerabilities of, and physical threats to, the electric grid. BACKGROUND AND NEED The United States' electric grid is comprised of a vast network of transmission and distribution systems that deliver electricity from producers to consumer homes and businesses. Many sectors of our economy, including healthcare and manufacturing, simply cannot operate without a reliable supply of electricity. As advances in digital and information technology continue to electrify our daily lives, our exposure to a potentially devastating cyber or physical attack on the grid increases. A number of federal agencies are responsible for protecting our electric grid from physical and cyber threats, including DOE and the Federal Energy Regulatory Commission (FERC). DOE works closely with electric sector owners and operators to detect and mitigate risks to critical electric infrastructure, and to develop tools and other resources to assist the sector in evaluating and improving their security preparedness. With the enactment of the Fixing America's Surface Transportation Act (Public Law 114-94) in 2015, Congress codified DOE as the Sector-Specific Agency for cybersecurity for the energy sector. With respect to FERC, the Energy Policy Act of 2005 (Public Law 109-58) created the Electric Reliability Organization (ERO) to develop mandatory reliability standards for the electric transmission system, including physical and cybersecurity standards. The law tasked FERC with approving and enforcing these mandatory standards--violations of which that can result in penalties of up to $1 million per violation per day. S. 2095 would facilitate and strengthen public-private partnerships to promote and advance the physical and cyber security of electric utilities. Specifically, S. 2095 would require DOE to consult with the electric industry and the ERO to carry out a program to assess the security of the grid, conduct cybersecurity training, advance supply chain cybersecurity, and share best practices. S. 2095 would also require DOE to submit a report to Congress on the physical and cyber threat vulnerabilities of the distribution system, which is not subject to the ERO's mandatory standards. LEGISLATIVE HISTORY S. 2095 was introduced by Senators Gardner and Bennet on July 11, 2019. The Subcommittee on Energy held a hearing on the measure on September 11, 2019. Similar legislation, H.R. 359, was introduced in the House of Representatives by Representatives McNerney (D-CA) and Latta (R-OH) on January 9, 2019. H.R. 359 was referred to the Energy and Commerce Committee, which favorably reported the measure by voice vote on July 17, 2019. In the 115th Congress, Senators Gardner and Bennet introduced similar legislation, S. 3677, on November 29, 2018. H.R. 5240, was introduced in the House of Representatives by Representatives McNerney (D-CA) and Latta (R-OH) on March 9, 2018. H.R. 5240 was referred to the Energy and Commerce Committee which favorably reported the measure by voice vote on June 28, 2018. The Senate Committee on Energy and Natural Resources met in open business session on September 25, 2019, and ordered S. 2095 favorably reported. COMMITTEE RECOMMENDATION The Senate Committee on Energy and Natural Resources, in open business session on September 25, 2019, by a majority voice vote of a quorum present, recommends that the Senate pass S. 2095. SECTION-BY-SECTION ANALYSIS Section 1. Short title Section 1 sets forth the short title of the bill. Sec. 2. Definitions Section 2 provides key definitions. Sec. 3. Program to promote and advance physical security and cybersecurity of electric utilities Section 3(a) requires the Secretary, in consultation with State regulatory authorities, industry, the ERO, and other relevant Federal agencies, to carry out a program to promote and advance the physical security and cybersecurity of electric vehicles. The section specifies that the program is to develop and provide for the voluntary implementation of methods for assessing the physical and cybersecurity of electric utilities; assist with threat assessment and cybersecurity training; provide technical assistance; provide training for cybersecurity supply chain management risks; advance the cybersecurity of third-party vendors; and increase opportunities for sharing best practices and collecting data within the electric sector. Subsection (b) directs the Secretary to take into consideration the different sizes and regions of electric utilities and requires the Secretary to prioritize those electric utilities with fewer available resources. This subsection further requires the Secretary to use existing programs at DOE or other Federal agencies to the maximum extent practicable. Subsection (c) protects information provided to or collected by the Federal government under this section by exempting such information from Federal, State, and Tribal public information disclosure laws. Sec. 4. Report on cybersecurity and distribution systems Section 4(a) requires the Secretary, in consultation with State regulatory authorities, industry, and other relevant Federal agencies, to submit a report to Congress that assesses priorities, policies, procedures, and actions for enhancing the physical security and cybersecurity of electricity distribution systems, and their implementation. Subsection (b) protects information provided to or collected by the Federal government under this section by exempting such information from Federal, State, and Tribal public information disclosure laws. COST AND BUDGETARY CONSIDERATIONS The Congressional Budget Office estimate of the costs of this measure has been requested but was not received at the time the report was filed. When the Congressional Budget Office completes its cost estimate, it will be posted on the internet at www.cbo.gov. REGULATORY IMPACT EVALUATION In compliance with paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee makes the following evaluation of the regulatory impact which would be incurred in carrying out S. 2095. The bill is not a regulatory measure in the sense of imposing Government-established standards or significant economic responsibilities on private individuals and businesses. No personal information would be collected in administering the program. Therefore, there would be no impact on personal privacy. Little, if any, additional paperwork would result from the enactment of S. 2095, as ordered reported. CONGRESSIONALLY DIRECTED SPENDING S. 2095, as ordered reported, does not contain any congressionally directed spending items, limited tax benefits, or limited tariff benefits as defined in rule XLIV of the Standing Rules of the Senate. EXECUTIVE COMMUNICATIONS The testimony provided by the Department of Energy at the September 11, 2019, hearing on S. 2095 follows: Testimony of Under Secretary of Energy Mark W. Menezes, U.S. Department of Energy introduction Chairman Cassidy, Ranking Member Heinrich, and Members of the Subcommittee, it is a privilege and an honor to serve at the Department of Energy (DOE or the Department), which is tasked with, among other important responsibilities: overseeing the Nation's nuclear energy research and development programs; creating and sustaining American leadership in the transition to a global clean energy economy; working effectively with the States on our Nation's energy challenges; and supporting our current, and developing our Nation's future, energy workforce. Thank you for the opportunity to testify today on behalf of the Department regarding legislation pertinent to DOE that is now pending in the Senate. I have been asked to testify on nine (9) bills today. The Administration continues to review all of these bills. I appreciate the ongoing bipartisan efforts to address our Nation's energy challenges and I look forward to working with the Committee. interactions with the states DOE has a long and successful history of working with States on the Nation's most significant energy challenges. DOE has provided support for State and local governments to develop and refine energy assurance plans, build in-house expertise on infrastructure interdependencies (i.e., other critical infrastructure systems' reliance on electricity for operations) and vulnerabilities, integrate renewable energy, address challenges associated with premature nuclear power plant retirements and opportunities associated with advanced nuclear deployment, and utilize new applications such as cyber and smart grid technologies. S. 2095--Enhancing Grid Security through Public-Private Partnerships Act One of the most critical missions at DOE is developing the science and technology to successfully counter the ever- evolving, increasing threat of cyber and other attacks on our networks, data, facilities, and infrastructure. DOE works closely with our Federal agency partners, as well as governments at the State, local, tribal and territorial government levels, industry, academic institutions, and National Laboratory partners to accomplish this mission. This bill provides for certain activities in the Department concerning cybersecurity and vulnerabilities of, and physical threats to, the electric grid. It creates a program related to physical security and cybersecurity of electric utilities. The Department will continue to review the legislation and looks forward to working with Congress as the legislative process moves forward. conclusion Thank you again for the opportunity to be here today. The Department appreciates the ongoing bipartisan efforts to address our Nation's energy challenges, and looks forward to working with the Committee on the legislation on today's agenda and any future legislation. I would be happy to answer your questions. CHANGES IN EXISTING LAW In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, the Committee notes that no changes in existing law are made by S. 2095 as ordered reported. [all]