Bill Codifying Federal Role in ICS Cybersecurity Clears House

A bill codifying the Department of Homeland Security’s (DHS’s) role in addressing industrial control systems (ICS) cybersecurity has cleared the U.S. House of Representatives.

While H.R. 5733, “DHS Industrial Control Systems Capabilities Enhancement Act,” contains no mandates for the private sector, it directs the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to develop and maintain “capabilities” to identify and mitigate threats and vulnerabilities to products and technologies in both information and operational technology, including ICS.

Significantly, it also requires the DHS to collect, coordinate, and provide vulnerability information to the ICS community by working closely with security researchers, industry end-users, product manufacturers, and other ICS stakeholders.

It also directs DHS to maintain cross-sector incident-response capabilities to respond to cybersecurity incidents and provide technical assistance to stakeholders. The bill requires DHS to provide briefings to Congress on those capabilities within six months of its enactment, and every six months thereafter over the next four years.

Introduced on May 9, 2018, by Rep. Don Bacon (R-Neb.), the bill cleared the House on June 25.

ICS, the operational technology that includes supervisory control and data acquisition (SCADA) systems, process control systems (PCS), and distributed control systems (DCS), are commonly used in power plants, dams, water treatment facilities, and natural gas pipelines for critical functions such as measuring, controlling, and providing a view of control processes. However, experts warn that nearly two-thirds of ICS vulnerabilities identified in 2017 could cause severe operational impact if exploited.

The NCCIC already works with ICS operators and manufacturers to provide malware and vulnerability analysis, as well as to monitor, track, and investigate cyber incidents and provide incident response. NCCIC also disseminates threat briefings, security bulletins, and notices related to emerging threats and vulnerabilities.

According to Bacon, the bill to codify NCCIC’s work is important because it ensures industry has a “centralized and permanent place for assistance with addressing cybersecurity risk” to ICS.

While no hearings were held on the bill, it is one of the first major pieces of legislation targeting ICS cybersecurity. Since the beginning of the year, House lawmakers have held at least two hearings on cybersecurity as it pertains to operational technology.

The Senate on June 26 received the bill and has referred it to the Committee on Homeland Security and Governmental Affairs.

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)