House panel advances industrial control systems bill

New legislation puts the director of the Cybersecurity and Infrastructure Security Agency in the center of federal response to threats to computerized industrial systems.

A new bill advanced on Thursday by the House Homeland Security Committee would give the Cybersecurity and Infrastructure Security Agency newly defined responsibilities in detecting and mitigating cyber threats to industrial control systems.

The DHS Industrial Control Systems Capabilities Enhancement Act of 2021, introduced by Rep. John Katko (R-N.Y.), the ranking member of the committee, gives CISA's director the lead role in federal government efforts to "identify and mitigate" risks and threats to computer systems that control critical industrial systems and processes, such as electricity generation and distribution, water treatment and delivery, oil and gas production and more.

The bill also tasks the CISA director with providing technical assistance to system users and manufacturers and with sharing vulnerability information with stakeholders. The bill specifies that the CISA director's responsibility extends across "supervisory control and data acquisition systems."

The bill was offered in the wake of an attempt to hack a water treatment plant in Florida.

"These systems operate many vital components of our nation's critical infrastructure and remain under constant attack from cyber criminals and nation state actors," Katko said in a statement when the bill was introduced earlier this month. "As we saw recently when a Florida water treatment facility was targeted, these attacks can have devastating, real-world consequences."

At a committee hearing in February, Dimitri Alperovitch, the co-founder and former CTO of CrowdStrike, testified that the government needs to pay more attention to industrial control systems.

"We have not focused on protecting those systems. We need a different approach to the one that protects the enterprise networks or laptops and servers to the way we will protect the systems that interact with the physical world and this absolutely needs to be a government focus," he said.

An amendment from Rep. Jim Langevin (D-R.I.) adds sector risk management agencies to the list of stakeholder groups that will consult with CISA's director on industrial control system risks and vulnerabilities.

The bill stops short of requiring system owners and manufacturers to report on vulnerabilities to CISA.

An amendment from Rep. Ritchie Torres (D-N.Y.) orders a Government Accountability Office report on the ability of CISA to identify and mitigate threats to industrial control systems as well as on interagency coordination challenges, and the extent to which infrastructure owners are reporting vulnerabilities or seeking help from CISA with industrial control system risks.