House panel advances industrial control systems bill
- By Adam Mazmanian
- Mar 18, 2021
A new bill advanced on Thursday by the House Homeland Security Committee would give the Cybersecurity and Infrastructure Security Agency newly defined responsibilities in detecting and mitigating cyber threats to industrial control systems.
The DHS Industrial Control Systems Capabilities Enhancement Act of 2021, introduced by Rep. John Katko (R-N.Y.), the ranking member of the committee, gives CISA's director the lead role in federal government efforts to "identify and mitigate" risks and threats to computer systems that control critical industrial systems and processes, such as electricity generation and distribution, water treatment and delivery, oil and gas production and more.
The bill also tasks the CISA director with providing technical assistance to system users and manufacturers and with sharing vulnerability information with stakeholders. The bill specifies that the CISA director's responsibility extends across "supervisory control and data acquisition systems."
The bill was offered in the wake of an attempt to hack a water treatment plant in Florida.
"These systems operate many vital components of our nation's critical infrastructure and remain under constant attack from cyber criminals and nation state actors," Katko said in a statement when the bill was introduced earlier this month. "As we saw recently when a Florida water treatment facility was targeted, these attacks can have devastating, real-world consequences."
At a committee hearing in February, Dimitri Alperovitch, the co-founder and former CTO of Crowdstrike, testified that the government needs to pay more attention to industrial control systems.
"We have not focused on protecting those systems. We need a different approach to the one that protects the enterprise networks or laptops and servers to the way we will protect the systems that interact with the physical world and this absolutely needs to be a government focus," he said.
An amendment from Rep. Jim Langevin (D-R.I.) adds sector risk management agencies to the list of stakeholder groups that will consult with CISA's director on industrial control system risks and vulnerabilities.
The bill stops short of requiring system owners and manufacturers to report on vulnerabilities to CISA.
An amendment from Rep. Richie Torres (D-N.Y.) orders a Government Accountability Officer report on the ability of CISA to identify and mitigate threats to industrial control systems as well as on interagency coordination challenges, and the extent to which infrastructure owners are reporting vulnerabilities or seeking help from CISA with industrial control system risks.
Adam Mazmanian is executive editor of FCW.
Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.