House approves cybersecurity research bill focused on energy infrastructure

The U.S. House of Representatives on Monday passed a bill that would provide funding for cybersecurity research with a focus on protecting the country’s energy infrastructure. 

The Energy Cybersecurity University Leadership Act — inspired by the ransomware attack on Colonial Pipeline and several other incidents — proposes grants and other forms of funding to graduate students and postdoctoral researchers focusing on cybersecurity and energy infrastructure.

Introduced by Reps. Deborah Ross (D-NC) and Congressman Mike Carey (R-OH) in January, the bill now heads to the Senate. 

In addition to grants, the legislation seeks to bolster the nation’s energy sector cybersecurity workforce through scholarships, fellowships, and research and development at colleges and universities that receive Department of Energy funding. 

Students would also have the opportunity to get research experience at the department’s national laboratories and utilities. The bill includes efforts to reach students at Historically Black Colleges and Universities, Minority Serving Institutions, and Tribal Colleges and Universities.

“To confront growing cyber threats and attacks against our country’s critical energy infrastructure, we must make real investments in a strong and diverse workforce ready to meet any challenge,” Ross said Monday on the House floor. 

“I’m proud to represent much of the Research Triangle, home to institutions and universities that are leading our nation’s innovation in cybersecurity and clean energy."

Representatives from the Senate Committee on Energy and Natural Resources did not respond to requests for comment. The bill passed in the House last year with bipartisan support but stalled in the Senate.

Ross noted that the need for cybersecurity workers is affecting every industry but can have dire effects on the energy sector, where companies are rapidly integrating complex technologies. 

Vulnerabilities in the sector are typically only discovered after they have been exploited in attacks, she said, and several attacks on U.S. energy infrastructure have been uncovered by the federal government in recent years.

The Cybersecurity and Infrastructure Security Agency (CISA) is in the process of creating incident reporting rules that will require critical infrastructure operators — particularly those in the energy sector — to alert agencies within 72 hours of a breach and within 24 hours if an organization has made a ransomware payment.

CISA frequently releases advisories about vulnerabilities in industrial control systems. Tuesday it warned about a bug in EnOcean's SmartServer product, which is used in energy management for "smart buildings, cities and factories."