The U.S. House of Representatives on Monday passed a bill aimed at protecting industrial control systems (ICS), particularly ones used in critical infrastructure, against cyberattacks.
The legislation, H.R. 5733, formally known as the “DHS Industrial Control Systems Capabilities Enhancement Act,” was introduced on May 9 by Rep. Don Bacon (R-NE) and approved by the House Committee on Homeland Security on June 6. The bill was announced a few weeks after the United States officially accused Russia of attempting to take control of critical infrastructure systems.
The new bill amends the Homeland Security Act of 2002 and requires the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to identify and mitigate threats and risks to ICS technologies and products used in critical infrastructure organizations.
The bill also requires NCCIC to maintain cross-sector incident response capabilities for ICS-related events, and provide technical assistance to end-users, product manufacturers, and other stakeholders in identifying and mitigating vulnerabilities in industrial control systems.
The agency is also required to provide the ICS community with information on vulnerabilities, based on collaboration with security researchers, manufacturers and industry end-users. The DHS will have to brief Congress every six months over the next four years.
The Congressional Budget Office (CBO) estimates that enacting this legislation would cost less than $500,000 over the 2019-2023 period because NCCIC already provides assistance to critical infrastructure operators and control system vendors; the bill would only codify the agency’s responsibilities without imposing any new operating requirements.
“The next ‘Pearl Harbor attack’ will not be with missiles and torpedoes alone, but will be paired with attacks to our private sector functions needed to support our daily lives, such as our electric grid,” said Rep. Bacon. “DHS provides critical support to operators of industrial control systems (ICS), and my bill clarifies this responsibility so the Department can continue to identify and address threats to ICS in critical infrastructure. Any disruption or damage to critical infrastructure has the potential to cause catastrophic consequences to our nation’s public health and safety, economic security, and national security.”