Sec. 5. Technical standards and guidance documents for electricity sector cybersecurity research
/bill/115/hr/4120/ih/section-5
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
The Secretary, in coordination with appropriate Federal agencies, the Electricity Subsector Coordinating Council, standards development organizations, State, tribal, local, and territorial governments, private sector vendors, and other relevant stakeholders, shall coordinate the development of guidance documents for research and demonstration activities to improve the cybersecurity capabilities of the electricity sector through participating agencies. As part of these activities, the Secretary shall—

  facilitate stakeholder involvement to update—
    the Roadmap to Achieve Energy Delivery Systems Cybersecurity (published in September 2011);
    the Cybersecurity Procurement Language for Energy Delivery Systems (published by the Energy Sector Control Systems Working Group in April 2014), including developing guidance for—
      contracting with third parties to conduct vulnerability testing for industrial control systems;
      contracting with third parties that will utilize transient devices to access industrial control or information technology systems; and
      managing supply chain risks; and
    the Electricity Subsector Cybersecurity Capability Maturity Model (published by the Department of Energy in February 2014), including the development of—
      metrics to measure changes in cybersecurity capabilities and assess the potential for metrics to drive unexpected behavioral changes that would reduce security; and
      an analysis of incentive mechanisms and their potential to increase investments in cybersecurity;
  develop voluntary guidance to improve forensic analyses capabilities, including—
    developing standardized terminology and monitoring processes;
    identifying minimum data needed; and
    utilizing human factors research to develop more effective procedures for logging incident events; and
  work with the National Science Foundation, Department of Homeland Security, National Institute of Standards and Technology, and stakeholders to develop a mechanism to anonymize, aggregate, and share the testing results from cybersecurity industrial control system test beds to facilitate technology improvements by public and private sector researchers.

Information provided to Federal agencies for the purposes of carrying out subsection (a) shall be considered critical electric infrastructure information and provided the protections established in section 10.

The Secretary, in collaboration with the Director of the National Institute of Standards and Technology and other appropriate Federal agencies, shall convene relevant stakeholders and facilitate the development of—

  voluntary, consensus-based technical standards to improve cybersecurity for—
    emerging energy technologies;
    distributed generation and storage technologies, and other distributed energy resources;
    electric vehicles; and
    other technologies and devices that connect to the electric grid that can affect voltage stability;
  recommended cybersecurity features and requirements that can be used by the private sector to design and build interoperable cybersecurity features into—
    devices and components;
    software and hardware; and
    other technologies that connect to the electric grid; and
  voluntary standards for test beds and test bed methodologies that will enable reproducible testing of industrial control system devices, components, software, and hardware across test beds.

Subsection (c) shall not be construed to authorize regulatory actions that would duplicate or conflict with regulatory requirements, mandatory standards, or related processes under any other provision of Federal law.