NOTE: This bill does not contain any references to control system security, so it would not normally be addressed in this blog. In a subtle perversion of my normal policy I am including it specifically because it contains no reference to control system security.
Last week Sen. Peters (D,MI) introduced S 2665, the State and Local Cyber Protection Act of 2016. According to a press release the bill is intended “to promote better coordination of cybersecurity efforts between Department of Homeland Security (DHS) and state and local governments.”
Cybersecurity Assistance Provisions
The bill would amend 6 USC 148, which describes the functions of the National Cybersecurity and Communications Integration Center (NCCIC). Among other requirements the bill would require the NCCIC to assist State and local governments, upon request, in {new §148(m)(1)}:
• Identifying information system vulnerabilities;
• Identifying information security protections commensurate with cybersecurity risks and the magnitude of the potential harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information systems used or operated by an agency or by a contractor of a State or local government or other organization on behalf of a State or local government;
• Coordinating a nationwide effort to ensure effective implementation of tools, products, resources, policies, guidelines, and procedures related to information security to secure and ensure the resiliency of State and local information systems;
• Providing, upon request, operational and technical cybersecurity training to State and local government and fusion center analysts and operators to address cybersecurity risks or incidents; and
• Developing and conducting targeted operational evaluations, including threat and vulnerability assessments, on the information systems of State and local governments.
The bill does not specifically define ‘information systems’. Instead it uses the very IT-limited definition of ‘information systems’ from §148(a)(4), which in turn refers back to the definition in 44 USC 3502(8), rather than the more expansive definition found in the Cybersecurity Information Sharing (CSIS) Act of 2015 (Title I of Division N of the Consolidated Appropriations Act of 2016), which adds the phrase “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” {§102(9)(b)} to the §3502(8) definition.
Moving Forward
Peters is a relatively low-ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, but he may have enough influence to have the bill considered in Committee. If it is considered, there does not appear to be anything that would raise any serious opposition to the bill. The bigger question then becomes whether there is enough interest in the bill in an election year to actually bring it to the floor of the Senate, where it would probably be considered under the unanimous consent process. If the bill is not considered in Committee in the next month, it is unlikely that it would make it to the floor before the November 1st elections.
Commentary
It is really disappointing to see the crafters of this bill use the restricted definition of information systems. State and local government agencies operate a number of utilities across the country that are considered critical infrastructure and that extensively use industrial control systems in their operations. Using the more expansive definition from the CSIS Act would help to ensure that the NCCIC would provide State and local government owned utilities the control system security information that they need to protect their critical infrastructure.
I am hoping that there is an amendment in the committee process that would change the language to what has become much more common in cybersecurity legislation over the last year or so.