H. Rept. 115-951 - PIPELINE AND LNG FACILITY CYBERSECURITY PREPAREDNESS ACT115th Congress (2017-2018)
Committee Report
Hide Overview| Report Type: | House Report |
|---|---|
| Accompanies: | H.R.5175 |
| Committees: |
Report text available as:
- TXT
- PDF (PDF provides a complete and accurate display of this text.) Tip ?
115th Congress } { Rept. 115-951
HOUSE OF REPRESENTATIVES
2d Session } { Part 1
======================================================================
PIPELINE AND LNG FACILITY CYBERSECURITY PREPAREDNESS ACT
_______
September 13, 2018.--Ordered to be printed
_______
Mr. Walden, from the Committee on Energy and Commerce, submitted the
following
R E P O R T
[To accompany H.R. 5175]
[Including cost estimate of the Congressional Budget Office]
The Committee on Energy and Commerce, to whom was referred
the bill (H.R. 5175) to require the Secretary of Energy to
carry out a program relating to physical security and
cybersecurity for pipelines and liquefied natural gas
facilities, having considered the same, report favorably
thereon with an amendment and recommend that the bill as
amended do pass.
CONTENTS
Page
Purpose and Summary.............................................. 2
Background and Need for Legislation.............................. 2
Committee Action................................................. 5
Committee Votes.................................................. 6
Oversight Findings and Recommendations........................... 6
New Budget Authority, Entitlement Authority, and Tax Expenditures 6
Congressional Budget Office Estimate............................. 6
Federal Mandates Statement....................................... 8
Statement of General Performance Goals and Objectives............ 8
Duplication of Federal Programs.................................. 8
Committee Cost Estimate.......................................... 8
Earmark, Limited Tax Benefits, and Limited Tariff Benefits....... 8
Disclosure of Directed Rule Makings.............................. 8
Advisory Committee Statement..................................... 8
Applicability to Legislative Branch.............................. 8
Section-by-Section Analysis of the Legislation................... 8
Changes in Existing Law Made by the Bill, as Reported............ 9
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Pipeline and LNG Facility
Cybersecurity Preparedness Act''.
SEC. 2. PHYSICAL SECURITY AND CYBERSECURITY FOR PIPELINES AND LIQUEFIED
NATURAL GAS FACILITIES.
The Secretary of Energy, in carrying out the Department of Energy's
functions pursuant to the Department of Energy Organization Act (42
U.S.C. 7101 et seq.), and in consultation with appropriate Federal
agencies, representatives of the energy sector, the States, and other
stakeholders, shall carry out a program--
(1) to establish policies and procedures to coordinate
Federal agencies, States, and the energy sector, including
through councils or other entities engaged in sharing,
analysis, or sector coordinating, to ensure the security,
resiliency, and survivability of natural gas pipelines
(including natural gas transmission and distribution
pipelines), hazardous liquid pipelines, and liquefied natural
gas facilities;
(2) to coordinate response and recovery by Federal agencies,
States, and the energy sector, to physical incidents and cyber
incidents impacting the energy sector;
(3) to develop, for voluntary use, advanced cybersecurity
applications and technologies for natural gas pipelines
(including natural gas transmission and distribution
pipelines), hazardous liquid pipelines, and liquefied natural
gas facilities;
(4) to perform pilot demonstration projects relating to
physical security and cybersecurity for natural gas pipelines
(including natural gas transmission and distribution
pipelines), hazardous liquid pipelines, and liquefied natural
gas facilities with representatives of the energy sector;
(5) to develop workforce development curricula for the energy
sector relating to physical security and cybersecurity for
natural gas pipelines (including natural gas transmission and
distribution pipelines), hazardous liquid pipelines, and
liquefied natural gas facilities; and
(6) to provide technical tools to help the energy sector
voluntarily evaluate, prioritize, and improve physical security
and cybersecurity capabilities of natural gas pipelines
(including natural gas transmission and distribution
pipelines), hazardous liquid pipelines, and liquefied natural
gas facilities.
SEC. 3. SAVINGS CLAUSE.
Nothing in this Act shall be construed to modify the authority of any
Federal agency other than the Department of Energy relating to physical
security or cybersecurity for natural gas pipelines (including natural
gas transmission and distribution pipelines), hazardous liquid
pipelines, or liquefied natural gas facilities.
PURPOSE AND SUMMARY
H.R. 5175, Pipeline and LNG Facility Cybersecurity
Preparedness Act, was introduced by Rep. Fred Upton (R-MI) and
Rep. David Loebsack (D-IA) on March 6, 2018. H.R. 5175 requires
the Secretary of Energy to carry out a program to coordinate
among Federal agencies, States, and the energy sector to ensure
the security, resiliency, and survivability of natural gas
pipelines, hazardous liquid pipelines, and liquefied natural
gas facilities.
H.R. 5175 also requires the Secretary to coordinate
response and recovery to physical and cyber incidents impacting
the energy sector, develop advanced cybersecurity applications
and technologies, perform pilot demonstration projects, develop
workforce development curricula relating to physical and
cybersecurity, and provide mechanisms to help the energy sector
evaluate, prioritize, and improve physical and cybersecurity
capabilities.
BACKGROUND AND NEED FOR LEGISLATION
The United States' energy infrastructure is comprised of a
vast network of energy and electricity systems that deliver
uninterrupted electricity from producers to consumers. These
intricate and highly interdependent systems enable every aspect
of our daily lives. Our nation's economy, security, and the
health and safety of its citizens depend upon the reliable and
uninterrupted supply of fuels and electricity. Since the
inception of the Department of Energy (DOE) in 1977, the manner
in which energy and power is generated, transmitted, and
delivered continues to rapidly change and evolve. As advances
in digital and information technologies continue to layer onto
existing practices and energy infrastructures, new risks
emerge, and vulnerabilities are exposed. Recent high-profile
attempts by foreign actors to infiltrate our nation's energy
systems and infrastructure further highlight the need for
legislation aimed at mitigating these significant and growing
threats to the reliable supply of energy in the United States.
The Department of Energy's authorities for cybersecurity, energy
security, and emergency response
When the Department of Energy was organized in 1977, energy
security concerns revolved around oil supply shortages. As a
result, energy security emergency functions in the Department
of Energy Organization Act focused on distributing and
allocating fuels in an emergency. Over time, while DOE's
organic statute remained largely unchanged, its
responsibilities and authorities have evolved substantially
beyond what was envisioned forty years ago. Energy delivery
systems have become increasingly interconnected and digitized,
while society has become more dependent on energy in all its
forms--expanding the opportunities for cybersecurity threats
and other hazards that may require emergency response.
Today, DOE's mission to advance the national, economic, and
energy security of the United States requires it to act as the
lead agency for the protection of electric power, oil, and
natural gas infrastructure. DOE has authority and
responsibilities for the physical and cybersecurity of energy
delivery systems from laws that Congress has passed and
Presidential directives. Congress has provided DOE with a wide
range of emergency response and cybersecurity authorities
affecting multiple segments of the energy sector, beginning
with the Department of Energy Organization Act, and most
recently with the Fixing America's Surface Transportation Act
(FAST Act).
The FAST Act, which was signed into law in 2015, designated
DOE as the Sector-Specific Agency (SSA) for the energy sector
and provided the Department with several new energy security
authorities to respond to physical and cyberattacks to energy
systems. Section 61003 of the FAST Act amended section 215 of
the Federal Power Act (FPA) and created a new section 215A,
entitled ``Critical Electric Infrastructure Security.'' This
new section 215A of the FPA provided definitions for the terms
``bulk power system,'' ``critical electric infrastructure,''
``critical electric infrastructure information,'' and ``grid
security emergency,''\1\ among other terms. Section 215 of the
FPA states that when the President issues or provides to the
Secretary of Energy a written directive or determination
identifying a grid security emergency, the Secretary may, with
or without notice, hearing, or report, issue orders for
emergency measures to protect or restore the reliability of
critical electric infrastructure or of defense critical
electric infrastructure during an emergency.\2\ Section 215A
also includes protections for the sharing of critical electric
information.
---------------------------------------------------------------------------
\1\See Section 215A of the Federal Power Act, the term ``Grid
Security Emergency'' means the occurrence or imminent danger of (A)(i)
a malicious act using electronic communication or an electromagnetic
pulse, or a geomagnetic storm event, that could disrupt the operation
of those electronic devices or communications networks, including
hardware, software, and data, that are essential to the reliability of
critical electric infrastructure or of defense critical electric
infrastructure; and (ii) disruption of the operation of such devices or
networks, with significant adverse effects on the reliability of
critical electric infrastructure or of defense critical electric
infrastructure, as a result of such act or event; or (B)(i) a direct
physical attack on critical electric infrastructure or on defense
critical electric infrastructure; and (ii) significant adverse effects
on the reliability of critical electric infrastructure or of defense
critical electric infrastructure as a result of such physical attack.
\2\Federal Power Act Sec. 215A, 16 U.S.C. Sec. Sec. 824o-1.
---------------------------------------------------------------------------
DOE's cybersecurity roles and responsibilities are also
guided by the Federal government's operational framework, as
provided by the Presidential Policy Directive 41 (PPD-41)
issued in 2016 addressing ``United States Cyber Incident
Coordination.'' A primary purpose of PPD-41 is to improve
coordination across the Federal government by clarifying roles
and responsibilities. Under the PPD-41 framework, DOE serves as
the lead agency for the energy sector, coordinating closely
with other agencies and the private sector to facilitate the
response, recovery, and restoration of damaged energy
infrastructure.
On February 14, 2018, the Energy Secretary established a
new Office of Cybersecurity, Energy Security, and Emergency
Response (CESER) at DOE. The CESER office will be led by an
Assistant Secretary who will focus on energy infrastructure
security, support the expanded national security
responsibilities assigned to DOE, and report to the Under
Secretary of Energy.\3\
---------------------------------------------------------------------------
\3\See Press Release, U.S. Department of Energy, ``Secretary of
Energy Rick Perry Forms New Office of Cybersecurity, Energy Security,
and Emergency Response.'' (Feb. 14, 2018), https://www.energy.gov/
articles/secretary-energy-rick-perry-forms-new-office-cybersecurity-
energy-security-and-emergency.
---------------------------------------------------------------------------
Physical security and cybersecurity for pipeline and LNG facilities
As the Energy SSA, DOE is required to coordinate with
multiple Federal and State agencies and collaborate with energy
infrastructure owners and operators on activities associated
with identifying vulnerabilities and mitigating incidents that
may impact the energy sector. To perform these duties
effectively, DOE must account for each interrelated segment of
the nation's energy infrastructure, including pipelines, which
are subject to an array of other Federal authorities. In a
January 24, 2018 letter, the Committee wrote to Secretary Perry
to better understand the level of coordination among
governmental agencies.\4\ In response, Secretary Perry noted
that ``a coordinated government approach to the cyber and
physical security of pipelines, led by the Department of
Energy, is essential to ensuring the safe and reliable flow of
energy across the U.S.''\5\
---------------------------------------------------------------------------
\4\See Letter from Chairman Greg Walden to Secretary Rick Perry
dated January 24, 2018, available at: https://energycommerce.house.gov/
wp-content/uploads/2018/01/20180124DOE.pdf.
\5\See Letter from Secretary Rick Perry to Chairman Greg Walden
dated March 13, 2018, available at: https://docs.house.gov/meetings/IF/
IF03/20180314/107999/HHRG-115-IF03-20180314-SD053.pdf.
---------------------------------------------------------------------------
The Committee finds that H.R. 5175 would improve the
quality of coordination among the various Federal entities
relating to cybersecurity of the nation's pipeline system, as
noted in the Committee's legislative hearing record. According
to testimony of DOE Undersecretary Mark Menezes, ``the
Department is focusing cyber support efforts to enhance
visibility and situational awareness of operational networks;
increase alignment of cyber preparedness and planning across
local, state, and Federal levels; and leverage the expertise of
DOE's National Labs to drive cybersecurity innovation.''\6\ The
Committee finds that H.R. 5175 would support and enhance these
efforts.
---------------------------------------------------------------------------
\6\See Written Testimony of Under Secretary Mark Menezes, U.S.
Department of Energy, Before the Subcommittee on Energy, Committee on
Energy and Commerce, March 14, 2018.
---------------------------------------------------------------------------
The Committee finds that H.R. 5175 would also allow DOE to
improve collaboration with the energy sector and the States to
build capacity to mitigate cyber threats. The testimony of Mark
Engels, Senior Enterprise Security Advisor for Dominion Energy,
was generally supportive of efforts to improve the focus on
pipeline cybersecurity and physical security and coordination
efforts. Mr. Engels noted that ``while natural gas pipeline
operators have a general idea about how the relevant Federal
agencies associated with pipeline security should work
together, H.R. 5175 would ideally encourage clarification on
the issue.'' Mr. Engels also provided examples where Dominion
Energy successfully collaborated with DOE and the National Labs
to test industrial control systems, identify supply chain
threats, and improve equipment procurement processes.
The purpose of H.R. 5175 is to clarify DOE's role and
responsibility within the existing cyber incident command
framework as the SSA for the Energy Sector.
H.R. 5175 does not authorize a regulatory program and does
not duplicate existing cybersecurity or safety mandates issued
by DHS or DOT. H.R. 5175 clarifies that DOE's advanced
cybersecurity applications, technologies, and technical tools
developed are for voluntary use.
H.R. 5175 also includes a savings clause to clarify that
nothing in the Act shall be construed to modify the authority
of any other Federal agency relating to physical security or
cybersecurity for pipelines or liquefied natural gas
facilities.
COMMITTEE ACTION
On March 14, 2018 the Subcommittee on Energy held a hearing
on H.R. 5175 entitled ``DOE Modernization: Legislation
Addressing Cybersecurity and Emergency Response.'' The
Subcommittee received testimony from:
Mark Menezes, Under Secretary of Energy, U.S.
Department of Energy;
Scott Aaronson, Vice President, Security and
Preparedness, Edison Electric Institute;
Mark Engels, Senior Enterprise Security
Advisor, Dominion Energy;
Tristan Vance, Director, Office of Energy
Development, State of Indiana;
Zachary Tudor, Associate Laboratory Director
for National and Homeland Security, Idaho National
Laboratory; and,
Kyle Pistor, Vice President of Government
Relations, National Electrical Manufactures
Association.
On April 18, 2018, the Subcommittee on Energy met in open
markup session and forwarded H.R. 5175, as amended, to the full
Committee by a voice vote.
On May 9, 2018, the full Committee on Energy and Commerce
met in open markup session and ordered H.R. 5175, as amended,
favorably reported to the House by a voice vote.
COMMITTEE VOTES
Clause 3(b) of rule XIII requires the Committee to list the
recorded votes on the motion to report legislation and
amendments thereto. There were no recorded votes taken in
connection with ordering H.R. 5175 reported.
OVERSIGHT FINDINGS AND RECOMMENDATIONS
Pursuant to clause 2(b)(1) of rule X and clause 3(c)(1) of
rule XIII, the Committee has held a hearing and made findings
that are reflected in this report.
NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES
Pursuant to clause 3(c)(2) of rule XIII, the Committee
finds that H.R. 5175 would result in no new or increased budget
authority, entitlement authority, or tax expenditures or
revenues.
CONGRESSIONAL BUDGET OFFICE ESTIMATE
Pursuant to clause 3(c)(3) of rule XIII, the following is
the cost estimate provided by the Congressional Budget Office
pursuant to section 402 of the Congressional Budget Act of
1974:
U.S. Congress,
Congressional Budget Office,
Washington, DC, June 6, 2018.
Hon. Greg Walden,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 5175, the Pipeline
and LNG Facility Cybersecurity Preparedness Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Megan
Carroll.
Sincerely,
Keith Hall,
Director.
Enclosure.
H.R. 5175--Pipeline and LNG Facility Cybersecurity Preparedness Act
Summary: H.R. 5175 would direct the Department of Energy
(DOE) to undertake a variety of activities aimed at improving
the physical security and cybersecurity of pipelines and liquid
natural gas (LNG) facilities.
CBO estimates that implementing H.R. 5175 would cost $86
million over the 2019-2023 period, assuming appropriation of
the necessary amounts. Enacting the bill would not affect
direct spending or revenues; therefore, pay-as-you-go
procedures do not apply.
CBO estimates that enacting H.R. 5175 would not increase
net direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
H.R. 5175 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act (UMRA).
Estimated cost to the Federal Government: The estimated
budgetary effect of H.R. 5175 is shown in the following table.
The costs of the legislation fall primarily within budget
function 270 (energy).
----------------------------------------------------------------------------------------------------------------
By fiscal year, in millions of dollars--
----------------------------------------------------------------------
2018 2019 2020 2021 2022 2023 2019-2023
----------------------------------------------------------------------------------------------------------------
INCREASES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level............ 0 29 28 18 18 18 111
Estimated Outlays........................ 0 7 17 20 22 20 86
----------------------------------------------------------------------------------------------------------------
Basis of estimate: H.R. 5175 would require DOE, in
consultation with other federal agencies, states,
representatives of the energy sector, and other stakeholders,
to pursue activities related to the physical security and
cybersecurity of pipelines and LNG facilities. The bill would
direct DOE to perform pilot projects to test and demonstrate
security-related technologies. It also would specify DOE's role
in coordinating federal, state, and private entities' responses
to and recoveries from physical and cyber incidents that affect
the energy sector. H.R. 5175 also would authorize DOE to
establish safety criteria related to workforce development and
provide technical assistance to the energy sector.
Assuming appropriation of the necessary amounts, CBO
estimates that implementing H.R. 5175 would require
appropriations totaling $111 million over the 2019-2023 period.
Using information from DOE about the costs of similar
activities, CBO expects DOE would need most of that amount--$95
million--to develop the physical infrastructure necessary to
support pilot projects to test security-related technology
under the bill. Based on spending patterns for similar
activities, CBO estimates that outlays would total $70 million
over the 2019-2023 period, with the remainder spending after
2013.
CBO also estimates that, under H.R. 5175, DOE's
administrative costs would increase by $16 million--primarily
for three or four additional staff needed to meet the agency's
expanded role related to the physical security of pipelines and
LNG facilities, added costs to establish databases and
information-sharing systems, and to provide additional
technical assistance to the energy sector. CBO estimates that
all of those funds would be spent over the 2019-2023 period.
Pay-As-You-Go considerations: None.
Increase in long-term direct spending and deficits: CBO
estimates that enacting H.R. 5175 would not increase net direct
spending or on-budget deficits in any of the four consecutive
10-year periods beginning in 2029.
Mandates: H.R. 5175 contains no intergovernmental or
private-sector mandates as defined in UMRA.
Estimate prepared by: Federal costs: Megan Carroll;
Mandates: Jon Sperl.
Estimate reviewed by: Kim P. Cawley, Chief, Natural and
Physical Resources Cost Estimates Unit; H. Samuel Papenfuss,
Deputy Assistant Director for Budget Analysis.
FEDERAL MANDATES STATEMENT
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
Pursuant to clause 3(c)(4) of rule XIII, the general
performance goal or objective of this legislation is to require
the Secretary of Energy to carry out a program relating to
physical security and cybersecurity for pipelines and liquified
natural gas facilities.
DUPLICATION OF FEDERAL PROGRAMS
Pursuant to clause 3(c)(5) of rule XIII, no provision of
H.R. 5175 is known to be duplicative of another Federal
program, including any program that was included in a report to
Congress pursuant to section 21 of Public Law 111-139 or the
most recent Catalog of Federal Domestic Assistance.
COMMITTEE COST ESTIMATE
Pursuant to clause 3(d)(1) of rule XIII, the Committee
adopts as its own the cost estimate prepared by the Director of
the Congressional Budget Office pursuant to section 402 of the
Congressional Budget Act of 1974.
EARMARK, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS
Pursuant to clause 9(e), 9(f), and 9(g) of rule XXI, the
Committee finds that H.R. 5239 contains no earmarks, limited
tax benefits, or limited tariff benefits.
DISCLOSURE OF DIRECTED RULE MAKINGS
Pursuant to section 3(i) of H. Res. 5, the Committee finds
that H.R. 5175 contains no directed rule makings.
ADVISORY COMMITTEE STATEMENT
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
APPLICABILITY TO LEGISLATIVE BRANCH
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short title
Section 1 provides the short title of ``Pipeline and LNG
Facility Cybersecurity Preparedness Act.''
Section 2. Physical security and cybersecurity for pipelines and
liquefied natural gas facilities
Section 2 requires the Secretary of Energy to carry out a
program focused on physical security and cybersecurity for
natural gas and hazardous liquid pipelines and LNG facilities.
Section 2 requires DOE to consult with appropriate Federal
agencies, representatives of the energy sector, the States, and
other stakeholders to establish policies and procedures to
improve coordination; develop advanced cybersecurity
applications and technologies; perform pilot demonstrations;
develop workforce development curricula; and, to provide
technical tools to improve physical security and cybersecurity
capabilities.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
This legislation does not amend any existing Federal
statute.
[all]