Congress Focuses on Industrial Control System SecuritySenate Bill Would Require CISA to Identify and Respond to ICS Threats
A bipartisan group of senators is pushing a bill that would require the Cybersecurity and Infrastructure Security Agency to identify and respond to vulnerabilities and threats that target industrial control systems. The House has already passed a similar measure.
The DHS Industrial Control Systems Capabilities Enhancement Act, introduced Thursday, would also require CISA to provide technical assistance to government agencies and companies to help mitigate flaws in operational technologies and ICS systems as well as sharing intelligence about potential threats and vulnerabilities.
The legislation would require CISA to brief Congress on threats to OT and ICS and mandate that the U.S. Government Accountability Office draft a report describing how CISA is implementing the bill.
The bills were introduced in response to a series of ransomware and other cyber incidents that have targeted parts of the nation's critical infrastructure, especially the May attack that hit Colonial Pipeline Co. which led to the temporary shutdown of a fuel pipeline serving much of the East Coast.
Although the ransomware attack against Colonial Pipeline targeted the company's IT systems, the congressional committees investigating the incident have raised concerns that if the attack spread, it could have interfered with the company's OT systems and caused even greater damage (see: House Probes Specifics of Colonial Ransomware Attack).
"Attacks like the one against Colonial Pipeline show the real-world implications that cyberattacks against critical infrastructure can have,” says Sen. Rob Portman, R-Ohio, the ranking member of the Senate Homeland Security and Government Affairs Committee and one of the four co-sponsors of the bill. "CISA's role to play in supporting critical infrastructure owners and operators is crucial."
Those testifying at a Senate hearing this week raised concerns about the security of water and wastewater treatment facilities, especially the lack of security around ICS and supervisory control and data acquisition - SCADA - systems.
Other sponsors of the Senate bill are Sen. Gary Peters, D-Mich., the chairman of the Homeland Security Committee, as well as Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., who are the chairman and ranking member, respectively, of the Senate Intelligence Committee.
Peters announced this week that he plans to investigate several recent ransomware attacks, including the Colonial Pipeline incident, as well as the role that cryptocurrency plays in creating a lucrative business model for cybercriminals.
Upgrading ICS solutions is a complex, expensive process, says Austin Berglas, a former cyber investigator for the FBI.
"Many ICS solutions were designed for non-internet facing environments and therefore did not incorporate certain basic security controls. This offers additional vulnerabilities as more and more operational technology environments are allowing access to their ICS systems from the internet," says Berglas, now the global head of professional services at cybersecurity firm BlueVoyant.
"Increased attention and oversight by CISA is necessary, but it will be costly to update the many legacy systems embedded in the critical infrastructure environments," Berglas notes. "In addition, there is a huge shortage of technically trained and experienced individuals available to provide this support and oversight, especially in the ICS arena."
Earlier this month, Robert Hannigan, the former head of U.K. intelligence agency GCHQ, noted that vulnerabilities in OT systems are increasingly exploited by cybercriminal groups.
"Criminals have realized that by going after OT, by going after manufacturing, that they are hitting a sector that really can't afford to stop operating, and needs to pay up to keep going," Hannigan said (see: Constant Ransomware Business Refinements Boosting Profits).
In other legislative action, the Senate has passed a bill co-sponsored by Sen. Angus King, I-Maine, that paves pave the way for hiring personnel to staff the Office of the National Cyber Director, which was created earlier this year with the passage of the 2021 National Defense Authorization Act.
Last month, the Senate unanimously approved John "Chris" Inglis as the national cyber director, who now has oversight of the defense of federal networks and infrastructure as well as the cyber budgets of various agencies (see: Senate Approves Chris Inglis as National Cyber Director).