New bill looks to centralize CISA's role in ICS threat response

Rep. John Katko (R-N.Y.) cited the recent cybersecurity incident at a water treatment plant in Oldsmar, Fla., as the impetus for the legislation.


Rep. John Katko (R-N.Y.) on Thursday introduced bipartisan legislation that would centralize the Cybersecurity and Infrastructure Security Agency's role in responding to incidents across industry sectors and require the agency's chief to monitor vulnerabilities of industrial control systems.

"These systems operate many vital components of our nation's critical infrastructure and remain under constant attack from cyber criminals and nation state actors. As we saw recently when a Florida water treatment facility was targeted, these attacks can have devastating, real-world consequences," Katko said.

The DHS Industrial Control Systems Enhancement Act of 2021 is co-sponsored by Homeland Security Committee Chairman Bennie Thompson (D-Miss.) as well as several other subcommittee chairs and members of the committee.

The bill mandates that CISA's director pay specific attention to threat hunting and responding to attacks against industrial control systems, and provide technical assistance to both federal agencies and industry. CISA's director would also have to "collect, coordinate, and provide vulnerability information" to appropriate organizations using industrial control systems.

Katko's bill further directs CISA to provide briefings to the Homeland Security Committee every six months for the next four years on DHS's industrial control system capabilities.

Cybersecurity experts previously testified to lawmakers that it would be beneficial for CISA to play a greater role in helping various federal agencies to improve their cybersecurity.

"The 101 federal civilian agencies are simply not in a position to secure themselves all by themselves. And the reason for that is the lack of resources, the lack of personnel and the lack of follow through," Chris Krebs, the former director of CISA, told the House Homeland Security Committee in February.

Encouraged by CISA's work during the election, lawmakers have shown a willingness to add other responsibilities to the agency's mission as well as the funding necessary to accomplish that work. But in interviews with FCW, analysts predicted greater resistance to any push to put CISA in a regulatory role.

"Having separate regulators is important because each industry faces unique challenges in cybersecurity," David Forscey, managing director of the Aspen Cybersecurity Group, recently told FCW. "The federal agencies who oversee the nuclear and healthcare sectors employ people who understand those realities and are less likely to write rules that make zero practical sense."