After a spate of attacks on industrial control systems (ICS), the US this week officially recognized the need to secure them with a new bill. On Monday, House representatives passed legislation to bring these systems under the protection of the Department of Homeland Security.
H.R 5733, AKA the “DHS Industrial Control Systems Capabilities Enhancement Act”, is a short bill that effectively highlights industrial control systems as a vulnerable point in US critical infrastructure by including them in the 2002 Homeland Security Act. It amends the 2002 Act, which made no mention of ICS systems, to include specific language about them.
The new legislation calls on the National Cybersecurity and Communications Integration Center (NCCIC) to find and fix threats to industrial control system technologies used in critical infrastructure. It must help a range of stakeholders with technical assistance in fixing industrial control system projects, including manufacturers and end users.
The move may seem like a semantic one, but it is a reaction to a string of attacks that have worried lawmakers in the US. In October, US-CERT warned that hackers were targeting energy, nuclear, water, aviation and critical manufacturing sectors.
Don Bacon, the representative who authored the bill, warned of dire consequences if organizations running critical national infrastructure did not tighten up ICS security.
The next ‘Pearl Harbor attack’ will not be with missiles and torpedoes alone, but will be paired with attacks to our private sector functions needed to support our daily lives, such as our electric grid.
The new legislation may put ICS officially on the list of vulnerable systems to protect, but the key will be in the implementation, and especially in whether the DHS works to change the underlying mechanics of security in ICS component manufacturing. A 2017 report by MIT researcher Joel Brenner on critical infrastructure security highlighted the use of cheap, general purpose hardware and software as components in industrial component systems, driven by commercial concerns.
Brenner’s report called for an initiative to create incentives for producing and using secure and less complex hardware, software, and controls for use in critical infrastructure. This should be directed by a lead departmental secretary reporting directly to the President, it advised.
Having passed the house, the bill reached the Senate on Tuesday before being passed to the Committee on Homeland Security and Governmental Affairs.