S 413 - Coverage of Industrial Control Systems

As I mentioned in Monday’s blog, while most of S 413 refers to ‘information systems’ in the federal government, there is a section of the bill that looks like it may provide authority for DHS to regulate the security of industrial control systems in critical infrastructure facilities. Section 248(b)(1) requires the Director of the National Center for Cybersecurity and Communications (NCCC) to “issue interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure [emphasis added] against cyber risks through the adoption of security measures that satisfy the security performance requirements identified by the Director”

Covered Facilities

The whole issue of what facilities would be covered hinges on a complex set of rules set forth later in the proposed legislation. The definition of ‘covered critical infrastructure’ is found in § 241(4); “the term ‘covered critical infrastructure’ means a system or asset identified by the Secretary as covered critical infrastructure under section 254”.

To find §254 you have to go way back to Title V of the bill (pg 210). There you find three requirements that must be met for the Secretary to declare that the ‘system or asset’ is covered critical infrastructure. The first of these is that “the destruction or the disruption of the reliable operation of the system or asset would cause national or regional catastrophic effects identified under section 210E(a)(2)(B)(iii)” {§254(a)(2)(A)(i)}. That section is also added by this new bill and includes mass casualty events, severe economic consequences, and mass evacuations. We can easily see where industrial facilities might be included in these requirements, particularly some (though certainly not all) high-risk chemical facilities.

The second requirement is that “the system or asset is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2)” {§254(a)(2)(A)(ii)}. That list is not generally available to the public, but we can assume that many of the facilities that would be included in the first requirement would also make placement on this list.

The final requirement is that the system or asset is either a component of the ‘national information infrastructure, or it relies upon that infrastructure for its ‘reliable operation’. Industrial control systems are not generally part of the ‘national information infrastructure’ (we hope) so the inclusion of an industrial control system under the coverage of this regulations required by this bill will hinge on the definition of ‘reliable operation’ which is not outlined in this bill.

Some assets like the electric grid or various pipeline systems that rely on internet communications or even telephone systems to coordinate the operations of its various components will certainly fall under the regulations required to be developed by this bill. Chemical facilities that rely on the inbound or outbound movement of chemicals via pipelines will also certainly be included.

Depending on how expansive a definition of ‘reliable operation’ the Secretary employs will determine how many other high-risk chemical facilities would be included under the cyber security regulations. Would, for example, facilities that rely on natural gas as an energy source be covered? Would the use of off-site electricity be sufficient? A positive answer to either would greatly expand the potential coverage of these regulations.

It might be interesting for Congress to consider more clearly defining what industrial control systems might be covered. As a suggestion, they might clearly state that CFATS covered facilities with release chemicals of interest as the primary source of their CFATS coverage would be included in the NCCC regulations.

Dual Regulatory Coverage

It would be hard to see how these regulations could made to apply to the control systems at all high-risk chemical facilities. Certainly none of the facilities covered under CFATS solely based upon the presence of theft/diversion COI could be included under the mass casualty provisions. So we would expect that if this bill passes that there will be at least two different types of CFATS covered facilities, those that are covered under the new cyber security regulations and those that are not.

It would be nice to see a requirement in this bill that would require the National Center for Cybersecurity and Communications (NCCC) and ISCD to coordinate their regulations of these facilities. I think it would be appropriate for the bill to specify that such dual coverage facilities would be exempt from or considered to have fulfilled the CFATS cyber security requirements under RBPS #8. One would assume that the cyber security experts at NCCC would provide more effective regulatory coverage of cyber security requirements than the limited expertise available to ISCD.

Similarly, facilities covered under MTSA that would also fall under these new regulations (many of the covered hazmat pipelines have port terminals) should have the relationship between MTSA and the NCCC regulations more clearly defined in this bill.

Another alternative would be a specific requirement that ISCD and the Coast Guard would be required to incorporate the cyber security rules developed by NCCC for control systems into their regulations for high-risk chemical facilities or MTSA covered facilities. Unfortunately, they would not be expected to have the personnel with the expertise to enforce such regulations.