A bill to study retro approaches to preventing and mitigating the effects of cyberattacks is advancing in the Senate.
Legislation to dumb-down the nation’s electrical grid in the name of cybersecurity advanced out of a Senate committee on Thursday, bringing a retro approach to securing critical infrastructure one step closer to passage.
The Securing Energy Infrastructure Act, cosponsored by Sens. Angus King, I-Maine, and Jim Risch, R-Idaho, advanced out of the Senate Committee on Energy and Natural Resources on a voice vote. The central provision of the bill is a pilot program led by the director of the Office of Intelligence and Counterintelligence at the Energy Department, which is part of the broader intelligence community, to research ways to build redundancies and safety procedures into the power grid that do not rely on digital infrastructure.
The pilot—to begin within 180 days of the bill’s passage—would direct the national laboratories to partner with the private sector to identify potential means of digitally attacking the power grid and research ways of preventing such attacks and quickly remediating any effects.
Specifically, King and Risch want the labs to look for “retro,” or analog approaches that don’t rely on digital infrastructure or tools.
“There is a clear, demonstrable need to develop techniques and technologies to better secure our grid from cyber vulnerabilities,” Risch said after the bill passed committee. “As we reexamine our infrastructure security, this bipartisan approach would utilize the unique assets and expertise of our national laboratories to drive innovation.”
After the 2015 cyberattack on the energy infrastructure in Ukraine, grid operators were able to restore power relatively quickly using human-powered backups—analog systems, rather than digital. The senators said that incident inspired this legislation.
“I was glad to see the legislation advancing because for too long it seemed like the electric power grid has been put on the back burner in terms of solutions to try and combat state-sponsored threats and things of that nature,” said Chris Cummiskey, senior fellow at the George Washington University Center for Cyber and Homeland Security and former Homeland Security undersecretary and chief acquisition officer.
“It’s an interesting approach that people haven’t really thought of this much. You normally think of technology advancement constantly pushing the envelope and innovating. But to use an analog approach to this to ensure speed to recovery is a different way of doing it, which I don’t think folks have really thought of that much.”
Cummiskey said the energy sector was a particularly good place to try to this tactic, as much of that infrastructure is outdated and in need of modernization. But those efforts will take time, he added, and an analog tack could be a good way to bridge the gap.
James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology, was also pleased to see attention given to cybersecurity issues in the energy sector, though he doesn’t like the idea of looking backward for answers.
“Legislation that eschews modern systems in favor of antiquated technologies is a step in the wrong direction because it amounts to significantly crippling the U.S. energy sector instead of addressing the threats,” he said. “Regressive efforts are akin to buying a horse and buggy instead of changing a tire.”
Scott said “going retro” would mean replacing certain technologies currently being used in energy infrastructure with “less cost-effective, efficient and manageable” human-operated technologies.
“Rather than advocating for less technology, Congress should be sponsoring legislation that promotes information security and research into bleeding-edge solutions,” he said.
Cummiskey acknowledged that need, as well, but noted that analog options could be implemented sooner.
“From a decision-maker’s standpoint, when I was at Homeland Security, we would talk to the vendors all the time. We’d say, ‘We don’t care what you have to do to get this thing back up and running, just do it,’ ” he said. “It’s one of these things where, if you think that using older technologies—analog—in order to spin this thing back up is going to be more effective in the short run, then get it done and we’ll go back to the more advanced, digital approaches after you’ve resolved your issues.”
“Anything they can do to get back up as quickly as possible—I don’t think people are really going to care what the mechanism is, as long as it recovers swiftly,” he added.
The language of the bill is also included in the 2018 Intelligence Authorization Act, which is awaiting consideration by the Senate.
An identical version was introduced in the House last year and referred to the Science, Space and Technology Committee, which has yet to take up the bill.