Lawmakers, industry, and government entities, including the Department of Energy (DOE) and the National Institute of Standards and Technology (NIST), this week released a string of measures responding to mounting cybersecurity attacks by state-sponsored actors.
A Revised Cybersecurity Framework
On April 16, the Commerce Department's NIST, a federal standards laboratory, released an updated version of the "Cybersecurity Framework." A living document, the framework is a risk-based approach to cybersecurity that is applicable to organizations relying on technology, whether IT, industrial control systems (ICS), or cyber-physical systems and connected devices, including the Internet of Things (IoT). While it is not a one-size-fits-all approach to managing critical infrastructure risks, organizations typically use it to determine activities that are important to critical service delivery, as well as to prioritize investments.
According to NIST, numerous industry surveys indicate sustained and increasing use of the framework over time. All federal agencies must use the framework, as required by a May 2017 executive order signed by President Trump. NIST noted that the framework has also been adopted by many companies and countries across the world, including Italy, Israel, and Uruguay.
Version 1.0 was issued in February 2014 as required by the Cybersecurity Enhancement Act of 2014. Version 1.1, released on Monday following a period for public comment and workshops held over 2016 and 2017, is "intended to be implemented by first-time and current Framework users," the document says. "Current users should be able to implement Version 1.1 with minimal or no disruption; compatibility with Version 1.0 has been an explicit objective."
Key changes to the framework in the new version include:
- A new section on self-assessment, which explains how the framework can be used to understand and assess risks, including use of measurements;
- An expansion of a section to explain in more detail how stakeholders can better understand cyber supply chain risk management;
- Refinements to better account for authentication, authorization, and identity proofing;
- A better explanation of the relationship between implementation tiers and profiles;
- Updates on vulnerability disclosure;
- A clarification of terms like "compliance."
Later this year, NIST plans to release an updated companion document, the "Roadmap for Improving Critical Infrastructure Cybersecurity," which will describe key areas of development, alignment, and collaboration. NIST will host a free public webcast explaining Version 1.1 in detail on April 27, 2018, at 1 p.m. Eastern time. NIST is also planning a Cybersecurity Risk Management Conference, which will include a major focus on the framework, to be held November 6–8, 2018, in Baltimore, Maryland.
More Funding for Cybersecurity Research
The DOE on April 16 also made a $25 million funding opportunity announcement (FOA), seeking applications to conduct research, development, and demonstration (RD&D) in five areas:
- Redesign for cyber-resilient architecture in the electric, and oil and natural gas (ONG), subsectors;
- Cybersecurity for the ONG environment;
- Cybersecure communications;
- Cybersecure cloud-based technologies in the operational technology (OT) environment;
- Innovative technologies that enhance cybersecurity in the energy sector.
The DOE said applicant submissions, due on June 18, 2018, "must conclude in a demonstration of the developed technology at a relevant end-user site to validate a clear path to industry acceptance." Selected applications will involve advanced tools and technologies that are interoperable, scalable, and readily manageable. They will also include a strategy for transitioning solutions into practice throughout the energy sector through commercialization or by making the solution available through open source.
Cybersecurity Gets a Boost on the Hill
Lawmakers in the U.S. House are, meanwhile, scrambling to respond to the disclosure by the Department of Homeland Security last month that Russian state-sponsored actors are targeting energy-related ICS.
Cyber Deterrence Bill. On April 18, Rep. Ted S. Yoho (R-Florida) introduced the Cyber Deterrence and Response Act of 2018 (H.R. 5576), a bipartisan bill that would create a three-step process for identifying, deterring, and responding to malicious, state-sponsored cyberattacks.
The bill hasn't been published yet for public viewing, but according to Politico, the measure would require the White House to "name and shame" state-sponsored attackers, label them as "critical cyber threats," and impose sanctions on them for carrying out attacks against the U.S.
The bill has been referred to the Committees on Foreign Affairs, Financial Services, Oversight and Government Reform, and the Judiciary.
Energy Security Bills Clear Energy Subcommittee. On April 18, the Subcommittee on Energy advanced a spate of bills to the full Energy and Commerce Committee to give the DOE "tools it needs to execute its core energy security missions and to promote domestic energy infrastructure and capitalize on the nation's energy abundance," a press release says.
Four bills could directly affect power sector dealings.
H.R. 5239, Cyber Sense Act, authored by Digital Commerce Subcommittee Chairman Bob Latta (R-Ohio) and committee member Rep. Jerry McNerney (D-California), would establish a voluntary DOE program that tests the cybersecurity of products and technologies intended for use in the bulk-power system, including products related to ICS. It would also authorize the DOE to provide technical assistance to electric utilities, product manufacturers, and other electricity sector stakeholders to help mitigate cybersecurity vulnerabilities. It passed the subcommittee unanimously by voice vote.
H.R. 5240, Enhancing Grid Security through Public-Private Partnerships Act, also authored by Reps. McNerney and Latta, would require the DOE to establish a program to encourage public-private partnerships to promote and advance physical and cybersecurity at smaller electric utilities, which may have fewer resources. It would also direct the DOE to assess policies and actions to enhance the physical and cybersecurity of distribution systems. It passed the subcommittee unanimously by voice vote.
H.R. 5175, Pipeline and LNG Facility Cybersecurity Preparedness Act, authored by Energy Subcommittee Chairman Rep. Fred Upton (R-Michigan) and committee member Rep. Dave Loebsack (D-Iowa), would require the DOE secretary to carry out a program coordinating federal agencies, states, and the energy sector to ensure security, resiliency, and "survivability" of natural gas pipelines, hazardous liquid pipelines, and liquefied natural gas facilities. It also passed the subcommittee unanimously by voice vote.
H.R. 5174, Energy Emergency Leadership Act, authored by committee members Rep. Tim Walberg (R-Michigan) and subcommittee Ranking Member Bobby Rush (D-Illinois), would update the DOE Organization Act to include energy emergency and energy security functions, which the secretary shall assign to an assistant secretary. The measure passed unanimously by voice vote.
–Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)