Tuesday, March 16, 2021

HR 1833 Introduced – DHS ICS Capabilities Enhancement Act

Last week Rep. Katko (R,NY) introduced HR 1833 (link is to the Committee Print of the bill), the DHS Industrial Control Systems Capabilities Enhancement Act of 2021. The bill is very similar to HR 5733, which was introduced in the 115th Congress and passed the House in June of 2018. The bill would amend 6 USC 659(e)(1) to ensure that “activities of the Center [NCCIC] address the security of both information technology and operational technology, including industrial control systems” {new 659(e)(1)(I)}.

Industrial Control Systems

In addition to the amendment cited above, the bill would also add a new subsection (p), Industrial Control Systems, to §659. That new subsection would require the Cybersecurity and Infrastructure Security Agency (CISA) to:

• Lead Federal Government efforts to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems,

• Maintain threat hunting and incident response capabilities to respond to industrial control system cybersecurity risks and incidents,

• Provide cybersecurity technical assistance to industry end-users, product manufacturers, other Federal agencies, and other industrial control system stakeholders to identify, evaluate, assess, and mitigate vulnerabilities,

• Collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, other Federal agencies, and other industrial control systems stakeholders, and

• Conduct such other efforts and assistance as the Secretary determines appropriate.

Moving Forward

Katko, and a number of his bipartisan cosponsors, are members of the House Homeland Security Committee, to which this bill was assigned for consideration. The fact that Katko is the Ranking Member of the Committee and Rep. Thompson (D,MS) is the Chair explains the early consideration (markup this coming Thursday) of this bill by the Committee. The bill is almost certain to receive widespread bipartisan support in Committee and in the full House. The bill will be considered in the near future by the House under the suspension of the rules process.

Commentary

First off, it should be obvious to those who follow the control system security activities of CISA that this bill does not actually cause the Agency to undertake any new actions. It merely codifies the authority of CISA to do what it has been doing for quite some time. That could, however, be important in any period of budget constraint; agencies would be more likely to cut back programs and processes that have not been specifically authorized by Congress.

While this bill is similar to HR 5733, there are some interesting changes. First, for clarity’s sake, the section numbering is different because Congress rewrote much of 6 USC when it stood up CISA as a separate agency within DHS back in November of 2018. For more substantive changes we need only compare the new subsection (p) with the same addition in the engrossed version of HR 5733.

First, in (p)(1) the new version does not contain the phrase ‘in coordination with relevant sector specific agencies,’ following the opening word ‘lead’. This would reinforce the status of CISA as the lead agency for cybersecurity concerns in industrial control systems. This is further reinforced by adding the phrase ‘other Federal agencies’ to the list of entities to which CISA would be required, in (p)(3), to provide technical assistance. The reinforcement is extended again in (p)(4), where the same phrase is added to the list of entities in the ‘industrial control system community’ that CISA would be expected to work with in collecting, coordinating, and providing vulnerability information.

As I was with HR 5733, I am concerned that the bill does not modify the subsection (c), Functions, portion of §659 to specifically address the industrial control system support outlined in the new subsection (p). While there are numerous mentions of similar cybersecurity responsibilities in subsection (c), all of them use terms defined in §659(a) that rely on the IT-restrictive definition of information systems. If Congress is not going to address those definitional issues (and the crafters of this bill probably consider that to be beyond the scope of the legislation), then they should at least have added a paragraph to §659(c) like this:

“(12) supporting the cybersecurity operations of industrial control systems as outlined in subsection (p).”
