The U.S. House of Representatives this week took concrete measures to bolster industrial control cybersecurity, strengthen U.S. critical supply chains, and improve long-term economic security. The DHS Industrial Control Systems Capabilities Enhancement Act of 2021, which addresses critical infrastructure, was passed in the House on Tuesday.
Introduced in March by Congressman John M. Katko, the legislation has bipartisan support and requires the Cybersecurity and Infrastructure Security Agency (CISA) to maintain certain capabilities to identify and address threats to industrial control systems. It also requires CISA’s National Cybersecurity and Communications Integration Center to ensure that its activities address the security of both information and operational technology (OT), including industrial control systems.
OT environments include those crucial sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
CISA must maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes by leading efforts to identify and mitigate cybersecurity threats to industrial control systems, maintaining threat hunting and incident response capabilities to respond to cybersecurity risks and incidents, providing cybersecurity technical assistance to stakeholders, and collecting, coordinating and providing vulnerability information to the industrial control systems community.
“As I’ve said from day one, we must continue bolstering CISA’s authorities to defend our federal networks and the nation’s critical infrastructure from cyber threats. Already this year, the nation has confronted numerous major attempts to compromise federal and private sector networks,” Katko said in a press statement. Katko is also a ranking member on the House Committee on Homeland Security.
The DHS Industrial Control Systems Capabilities Enhancement Act of 2021 is designed to enable CISA to work with stakeholders on a partnership basis to identify vulnerabilities and harden systems. The importance of cyber resilience for critical infrastructure became starkly evident earlier in the year following a hack of a Florida water treatment facility and the ransomware attack on Colonial Pipeline.
The effort continues to grow in importance as the U.S. continues to face a slew of cyber-attacks that threaten the infrastructure operations around the country. Earlier this week, the U.S. Department of Homeland Security’s Transportation Security Administration (TSA) division released its second security directive that requires TSA-designated critical pipeline owners and operators that transport hazardous liquids and natural gas to enforce a number of urgently needed protections against cyber intrusions.
The government directive called on owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to IT and OT systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.
Apart from the DHS Industrial Control Systems Capabilities Enhancement Act of 2021, the House also passed Katko’s Domains Critical to Homeland Security Act, aimed at addressing vulnerabilities in U.S. supply chains. During the COVID-19 pandemic, the nation found itself reliant on adversarial nations like China for critical goods, technologies, and supplies. These adversaries could leverage vulnerable U.S. supply chains to their advantage and further their own geopolitical goals, Katko said.
“I commend our colleagues in the House for their support of these commonsense homeland security provisions and appreciate the strong leadership from our members. With the threat landscape rapidly evolving, I am committed to a strong partnership with Chairman Thompson to secure the nation,” Katko added in his statement.
The executive and legislative moves come at a time when analyst firm Gartner predicts that by 2025 cyber attackers will have weaponized OT environments to successfully harm or kill humans. Attacks on OT, the hardware and software that monitors or controls equipment, assets and processes, have become more common.
Gartner predicts that the financial impact of cyber-physical systems (CPS) attacks resulting in fatal casualties will reach over US$50 billion by 2023. Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents.
“In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than information theft,” Wam Voster, senior research director at Gartner, said in the statement. “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”