House panel approves bill to secure industrial systems from hacks

The House Homeland Security Committee has advanced legislation designed to boost security around systems used to power the electric grid and other critical services in the United States.

The measure, approved by the committee on Wednesday, would codify and expand the Department of Homeland Security’s current efforts to identify and mitigate cyber threats to industrial control systems — technology used in a wide swath of critical sectors, including power and water systems, manufacturing and transportation. 

Security researchers have observed hackers growing more interested in targeting systems used to power critical infrastructure in recent years. Last month, cybersecurity firm Dragos released research showing that a hacking group that deployed sophisticated destructive malware to an industrial plant in the Middle East last year had expanded its operations to other targets and developed new capabilities.

{mosads}

“The next Dec. 7 won’t be a strictly kinetic attack with missiles and torpedoes, but will be paired with cyberattacks to our private sector functions,” Rep. Don Bacon (R-Neb.), who is sponsoring the legislation, said Wednesday, referring to the attack on Pearl Harbor.

“Industrial controls are the critical interface between the digital controls in an operational process,” Bacon said. “Disruptions or damage to these systems have the potential to cause catastrophic and cascading consequences to our nation’s national security, economic security and our public health and public safety.”

Bacon introduced the legislation after U.S. officials revealed that Russian hackers staged a multiyear cyberattack campaign on the energy sector. In some cases, the hackers breached energy sector networks and accessed information on industrial control and supervisory control and data acquisition (SCADA) systems — information that could provide the basis for staging disruptive or destructive attacks in the future.

“We know we are vulnerable now to these cyberattacks on our energy grid,” Bacon said Wednesday. “The time is now to start building that resiliency in our energy grid.” 

The bill offered by Bacon would codify efforts already underway at Homeland Security to identify and guard against threats to industrial control systems. It would amend the Homeland Security Act of 2002 to direct Homeland Security to maintain capabilities to help identify threats to industrial control systems.

The department’s National Cybersecurity and Communications Integration Center would be designated as the leader of federal efforts to “identify and mitigate” cyber threats to industrial control and SCADA systems. The bill would direct the center to be able to coordinate across sectors to respond to cyber incidents.

The legislation would also authorize the department to provide cyber technical assistance to end users, manufacturers and other industry stakeholders to identify and mitigate vulnerabilities associated with these systems.

An amendment successfully added to the bill by Rep. Jim Langevin (D-R.I.) would also codify a vulnerability coordination program at Homeland Security through which the department helps disclose previously unknown vulnerabilities discovered in industrial control systems to industry and mitigate the threat from these flaws. 

Under the legislation, the department would also be required to brief Congress on efforts to protect industrial control systems twice a year for four years after the bill’s enactment.