On Wednesday Rep. Sarbanes (D,MD) introduced HR 4206, the 21st Century Power Grid Act. The bill would require the Secretary of Energy to establish a financial assistance program for projects to modernize the electric production, transmission and distribution system to continue to provide safe, secure, reliable, and affordable power. The bill does not include any authorization for funding.
Eligible Projects
The projects would be required to {§2(b)(1)}:
• Improve the performance and efficiency of the future electric grid;
• Provide new options for customer-owned resources; and
• Demonstrate secure integration and management of energy resources as well as secure integration and interoperability of communications and information technologies.
The projects would be required to include at least one of the following {§2(b)(3)(B)}:
• An investor-owned electric utility;
• A publicly owned utility;
• A technology provider;
• A rural electric cooperative;
• A regional transmission organization; or
• An independent system operator.
Each project would be required to include a Cybersecurity Plan {§2(c)} and a Privacy Risk Analysis {§2(d)}.
Moving Forward
Sarbanes and his two co-sponsors {Rep. Ellmers (R,NC) and Rep. McNerney (D,CA)} are on the Energy and Power Subcommittee of the House Energy and Commerce Committee, one of the two Committees to which this bill was referred for consideration. This means that there is a chance that this bill could make it before the Committee next year.
Since there is no new money authorized for this program and no new requirements are being placed upon industry, there is unlikely to be any significant opposition to this bill.
Commentary
As I have mentioned a number of times with a variety of different bills, it is interesting to continue to see generic cybersecurity language in this bill. It would be helpful, however, if Congress provided a little bit more guidance on what they are going to consider to be a ‘cybersecurity plan’, about which they expect the Secretary to provide guidance.
I’m not asking for any level of technical detail. That is not the job of the legislative branch and it certainly is not their strong point. What I am asking for is a little political guidance on what such a plan should include. If I were writing this bill I would include requirements for:
• A risk analysis to determine the worst case failure modes for the system;
• An outline of the devices and systems that could lead to those failures;
• A plan to ensure that the devices and systems are designed, installed and maintained in a manner to reduce the likelihood of those failure modes;
• A plan to isolate those devices and systems from potential attack; and
• An identification of the requirements to recover from a successful attack against those failure modes.
Furthermore, the mere publication of a document that is called a cybersecurity plan should not be sufficient. It needs to be reviewed and approved by an appropriate agency within the DOE before any funding is provided.