This Act may be cited as the “Energy Cybersecurity Act of 2018”.

In this Act:

(a) Cybersecurity for the energy sector research, development, and demonstration program.—

(1) IN GENERAL.—The Secretary, in consultation with appropriate Federal agencies, the energy sector, the States, and other stakeholders, shall carry out a program—

(A) to develop advanced cybersecurity applications and technologies for the energy sector—

(i) to identify and mitigate vul­ner­a­bil­i­ties, including—

(I) dependencies on other critical infrastructure; and

(II) impacts from weather and fuel supply; and

(ii) to advance the security of field devices and third-party control systems, including—

(I) systems for generation, transmission, distribution, end use, and market functions;

(II) specific electric grid elements including advanced metering, demand response, distributed generation, and electricity storage;

(III) forensic analysis of infected systems; and

(IV) secure communications;

(B) to leverage electric grid architecture as a means to assess risks to the energy sector, including by implementing an all-hazards approach to communications infrastructure, control systems architecture, and power systems architecture;

(C) to perform pilot demonstration projects with the energy sector to gain experience with new technologies; and

(D) to develop workforce development curricula for energy sector-related cybersecurity.

(2) AUTHORIZATION OF APPROPRIATIONS.—There is authorized to be appropriated to carry out this subsection $65,000,000 for each of fiscal years 2018 through 2026.

(b) Energy sector component testing for cyberresilience program.—

(1) IN GENERAL.—The Secretary shall carry out a program—

(A) to establish a cybertesting and mitigation program to identify vulnerabilities of energy sector supply chain products to known threats;

(B) to oversee third-party cybertesting; and

(C) to develop procurement guidelines for energy sector supply chain components.

(2) AUTHORIZATION OF APPROPRIATIONS.—There is authorized to be appropriated to carry out this subsection $15,000,000 for each of fiscal years 2018 through 2026.

(c) Energy sector operational support for cyberresilience program.—

(1) IN GENERAL.—The Secretary may carry out a program—

(A) to enhance and periodically test—

(i) the emergency response capabilities of the Department; and

(ii) the coordination of the Department with other agencies, the National Laboratories, and private industry;

(B) to expand cooperation of the Department with the intelligence communities for energy sector-related threat collection and analysis;

(C) to enhance the tools of the Department and ES–ISAC for monitoring the status of the energy sector;

(D) to expand industry participation in ES–ISAC; and

(E) to provide technical assistance to small electric utilities for purposes of assessing cybermaturity level.

(2) AUTHORIZATION OF APPROPRIATIONS.—There is authorized to be appropriated to carry out this subsection $10,000,000 for each of fiscal years 2018 through 2026.

(d) Modeling and assessing energy infrastructure risk.—

(1) IN GENERAL.—The Secretary shall develop an advanced energy security program to secure energy networks, including electric, natural gas, and oil exploration, transmission, and delivery.

(2) SECURITY AND RESILIENCY OBJECTIVE.—The objective of the program developed under paragraph (1) is to increase the functional preservation of the electric grid operations or natural gas and oil operations in the face of natural and human-made threats and hazards, including electric magnetic pulse and geomagnetic disturbances.

(3) ELIGIBLE ACTIVITIES.—In carrying out the program developed under paragraph (1), the Secretary may—

(A) develop capabilities to identify vul­ner­a­bil­i­ties and critical components that pose major risks to grid security if destroyed or impaired;

(B) provide modeling at the national level to predict impacts from natural or human-made events;

(C) develop a maturity model for physical security and cybersecurity;

(D) conduct exercises and assessments to identify and mitigate vulnerabilities to the electric grid, including providing mitigation recommendations;

(E) conduct research hardening solutions for critical components of the electric grid;

(F) conduct research mitigation and recovery solutions for critical components of the electric grid; and

(G) provide technical assistance to States and other entities for standards and risk analysis.

(4) AUTHORIZATION OF APPROPRIATIONS.—There is authorized to be appropriated to carry out this subsection $10,000,000 for each of fiscal years 2018 through 2026.

(e) Leveraging existing programs.—The programs established under this section shall be carried out consistent with—

(1) the report of the Department entitled “Roadmap to Achieve Energy Delivery Systems Cybersecurity” and dated 2011;

(2) existing programs of the Department; and

(3) any associated strategic framework that links together academic and National Laboratory researchers, electric utilities, manufacturers, and any other relevant private industry organizations, including the Electricity Sub-Sector Coordinating Council.

(f) Study.—

(1) IN GENERAL.—Not later than 180 days after the date of enactment of this Act, the Secretary, in consultation with the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, shall conduct a study to explore alternative management structures and funding mechanisms to expand industry membership and participation in ES–ISAC.

(2) REPORT.—The Secretary shall submit to the appropriate committees of Congress a report describing the results of the study conducted under paragraph (1).