Last week Rep. Bacon (R,NE) introduced HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018 (Note: the link is to a Committee draft of the bill, not the official GPO version). The bill would amend 6 USC 148 to provide specific requirements for the National Cybersecurity and Communications Integration Center (NCCIC) to address industrial control system security issues.
Section 148 Amendments
The bill would make two specific amendments to §148. First, it would add to the list of principles in §148(b)(1) the following language: “activities of the Center address the security of both information technology and operational technology, including industrial control systems;”.
Second, the bill would add a new subsection (f) that would require the NCCIC to “maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes.” This would specifically include requirements to:
• Lead, in coordination with relevant sector specific agencies, Federal Government efforts to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems;
• Maintain cross-sector incident response capabilities to respond to industrial control system cybersecurity incidents;
• Provide cybersecurity technical assistance to industry end-users, product manufacturers, and other industrial control system stakeholders to identify and mitigate vulnerabilities; and
• Conduct such other efforts and assistance as the Secretary determines appropriate.
Moving Forward
Bacon and both of his cosponsors (Rep. McCaul (R,TX) and Rep. Ratcliffe (R,TX)) are members of the House Homeland Security Committee, to which this bill was assigned. The bill is currently scheduled to be marked up by that Committee on Wednesday. While there are no Democratic sponsors for the bill, I expect that it will receive bipartisan support in the Committee and on the floor of the House. It would likely be considered under the suspension of the rules provisions in the House (limited debate, no floor amendments).
Commentary
While I certainly applaud the addition of control system language to this bill, the lack of a definition of that term, and of corresponding changes to other definitions in §148, is likely to cause problems down the road. I would like to offer this definition for addition to §148(a):
Industrial Control System - The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes including, but not limited to, manufacturing, transportation, access control, and facility environmental controls;
Additionally, the following existing definitions need revision:
Cybersecurity Risk - The term ‘cybersecurity risk’ means:
(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
Incident - The term ‘incident’ means an occurrence that actually or imminently jeopardizes, without lawful authority:
(A) the integrity, confidentiality, or availability of information on an information system,
(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or
(C) an information system or a control system;
I am disappointed that there was no specific mention of cyber emergency response teams, either US-CERT or ICS-CERT. This bill would have been a good place to add mention of them in §148(d)(1)(C). With the addition of industrial control systems to the areas of NCCIC oversight, the mention of ICS-CERT would certainly be appropriate, and that mention could not be made without also including US-CERT.
Finally, I am astounded that this bill did not modify the ‘functions’ of the NCCIC, as outlined in §148(c). If the definitions I suggested above were adopted, at least part of that problem would be corrected because of the frequent references to ‘cybersecurity risk’ and ‘incidents’. Even so, the language of §148(c)(7) would still need to add mention of industrial control systems to ensure that the NCCIC appropriately addresses the cybersecurity issues associated with control systems.