The Cybersecurity Enhancement Act of 2014 that cleared Congress last week and was presented to President Obama on Monday has the backing of automation organizations.
The bill was one of four cybersecurity measures passed—without much debate and by voice vote—by Congress before the 113th session came to a close on Tuesday, Dec. 16.
Sen. John Rockefeller’s (D-W.Va.) Cybersecurity Enhancement Act of 2014 was introduced in the Senate this July and passed the Senate and, later, the House on Dec. 11. It allows the National Institute of Standards and Technology (NIST) to facilitate and support the development of voluntary, industry-led cyber standards and best practices for critical infrastructure. According to experts, the bill essentially codifies the process through which the NIST Cybersecurity Framework was developed. It also allows the federal government to support research, raise public awareness of cyber risks, and improve the nation’s cybersecurity workforce.
In a joint statement on Thursday, the Automation Federation—an umbrella organization of 16 member organizations and six working groups—and its founding association, the International Society of Automation (ISA), said they have worked closely “for years” with lawmakers in Washington to build support for the passage of federal cybersecurity legislation. Both organizations served as expert consultants to NIST as it developed the cybersecurity framework that was introduced in February this year.
“IACS security standards developed by ISA (ISA99/IEC 62443) are integral components of the federal government’s plans to combat cyberattack because they’re designed to prevent and offset potentially devastating cyber damage to industrial plant systems and networks—commonly used in transportation grids, power plants, water treatment facilities, and other vital industrial settings,” the groups said.
Steve Huffman, chair of the Automation Federation’s government relations committee and an ISA99 security standards committee member, revealed that during initial legislative discussions, cybersecurity of industrial automation and control systems from the operational technology side was not a prominent issue. “By raising its importance among lawmakers, industrial cybersecurity became a more vital part of the legislation passed by Congress,” he said.
The Automation Federation is reportedly already in discussions with NIST officials about how to implement the key provisions of the act once it officially becomes law.
President Obama is expected to sign the bill, along with a separate measure passed by Congress on Dec. 11 that codifies the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and makes it a hub for public-private information sharing. On Dec. 8, the Senate also passed by voice vote the Federal Information Security Modernization Act of 2014, which replaces a requirement in the 12-year-old Federal Information Security Management Act by which federal agencies must file checklists to show steps they have taken to secure their IT systems. The House last week also passed the Senate’s Homeland Security Cybersecurity Workforce Assessment Act.
However, law firm Hunton & Williams LLP, which specializes in privacy law, said the flurry of cybersecurity bills passed unexpectedly last week are “more limited in scope than the measures that have been sought by the private sector.” The bills largely make pre-existing actions official, it notes.
Yet, legislative activity on cybersecurity “indicates a seriousness by policymakers to confront issues vital to information systems protection,” it says.
“In its waning days, the Senate may be attempting to set its mark on future cybersecurity policy. For its part, the House’s sudden action on Senate cybersecurity bills may point to a willingness by House committees to overcome internal jurisdictional disagreements that have hampered similar legislation in the past. The significance here is the recognition by Congress that legislative success now builds momentum for systems-protection policies in the next Congress, such as information-sharing liability protection or data breach legislation. How the 114th Congress confronts those issues is important to businesses seeking to enter public-private partnerships and information-sharing agreements.”
—Sonal Patel, associate editor (@POWERmagazine, @sonalcpatel)