A member of the House Committee on Homeland Security introduced bipartisan supported legislation, ‘DHS Industrial Control Systems Enhancement Act of 2021,’ in a critical step that could help to solidify the Cybersecurity & Infrastructure Security Agency’s (CISA) lead role in protecting the critical infrastructure in the U.S., especially industrial control systems (ICS), from cyber threats.
“As I have said consistently, we need to continue to build centralized cybersecurity capacity with CISA where possible for the entire critical infrastructure community to voluntarily benefit from,” said Congressman John M. Katko, who introduced the legislation, in a statement. “The DHS Industrial Control Systems Enhancement Act of 2021 does just that. This important piece of legislation will solidify CISA’s lead role in protecting our nation’s critical infrastructure from cyber threats, particularly to our industrial control systems,”
In Congress, Katko serves as ranking member on the House Committee on Homeland Security, and as a member of the House Committee on Transportation and Infrastructure.
The bill introduced by Katko seeks to amend the Homeland Security Act of 2002 in order to provide for the responsibility of the CISA, maintain capabilities to identify threats to industrial control systems, and for other purposes.
The Katko-led initiative has strong bipartisan support from cybersecurity voices in Congress. The bill is co-sponsored by Homeland Security Committee Chairman Bennie Thompson (D-MS), Cybersecurity Subcommittee Chair Yvette Clarke (D-NY), Cybersecurity Subcommittee Ranking Member Andrew Garbarino (R-NY), and Reps. Don Bacon (R-NE), Kat Cammack (R-FL), Carlos Gimenez (R-FL), Jim Langevin (D-RI), and John Rutherford (R-FL).
The move is evidently the response from U.S. lawmakers to the Oldsmar water plant hack last month, which saw unidentified cyber attackers gaining access remotely to a panel and trying to change the settings that control the sodium hydroxide level at the water treatment plant. Modifying the setting could have drastically increased the amount of sodium hydroxide in the water supply from about 100 parts-per-million (ppm) to about 11,100 ppm, officials from Pinellas County in Florida said at the time.
This incident did not lead to any damage or loss of life, as the plant operator immediately reversed the change to the appropriate amount of 100 ppm. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners, apart from being used to control water acidity and remove metals from drinking water in the water treatment plant.
The bill aims for the director of the CISA to create a structure that will help in identifying and addressing threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes. It also requires CISA to maintain cross-sector incident response capabilities, provide technical assistance to stakeholders, and collect, coordinate and provide vulnerability information about industrial control systems to stakeholders.
The DHS Industrial Control Systems Enhancement Act seeks to lead federal government efforts to identify and mitigate cybersecurity threats to ICS, including supervisory control and data acquisition (SCADA) systems. It also aims to maintain threat hunting and incident response capabilities to respond to ICS cybersecurity risks and incidents, while offering cybersecurity technical assistance to industry end-users, product manufacturers, other federal agencies, and other ICS stakeholders to identify, evaluate, assess, and mitigate vulnerabilities.
The Act also wants the CISA director to collect, coordinate, and provide vulnerability information to the ICS community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, other federal agencies, and other ICS stakeholders.
Twenty-three percent of vulnerabilities that Dragos analyzed in its ‘ICS Cybersecurity Year in Review 2020’ report applied to products bordering the enterprise, up from 21 percent in 2019. This can include networking communication equipment, VPNs, data historians, or firewalls commonly deployed in ICS networks.
As most vulnerabilities reside deep within the ICS network, correlating to equipment on Levels 0 to 3 of the Purdue Model, such as engineering workstations, PLCs, sensors, and industrial controllers, these vulnerabilities require access to a control system network to exploit, offering some mitigation for organizations provided they implement proper network segmentation, Dragos said. With the increasing connectivity in organizations, this security control is diminishing in value and should be enhanced with efforts such as network monitoring, and where possible, multi-factor authentication (MFA) for remote sessions.