House lawmakers approved a new bill on Monday that’s aimed at securing technology used to power U.S. critical infrastructure from cyber-attacks.
The bill would codify work the Department of Homeland Security is currently doing to identify cyber threats to industrial control systems and ways to mitigate them. Industrial control systems are used to run critical services across the United States, including the electric grid, water systems, and manufacturing plants.
An attack on the nation’s critical infrastructure could be potentially disastrous and could have extremely negative consequences on U.S. public health and safety, national security, and economic security.
Hackers tied to the Russian government were just recently blamed by the FBI and Homeland Security for instigating a cyber-attack against the U.S. energy sector and other critical infrastructure areas. Researchers found that the hackers were able to successfully breach the networks and access information on industrial control and supervisory control and data acquisition, also known as SCADA systems.
The increased fears associated with threats to the U.S. power grid sparked the bill, formally known as the “DHS Industrial Control Systems Capabilities Enhancement Act of 2018”. The bill would codify into law Homeland Security’s efforts to safeguard these systems by adjusting the Homeland Security Act of 2002 to instruct the department to maintain capabilities to help identify threats to industrial control systems and take the lead on coordinating across critical sectors to respond to cyber-attacks.
The bill would allow Homeland Security officials to provide cyber technical assistance to end users, manufacturers, and others to help find ways to mitigate vulnerabilities in industrial controls systems that could potentially be exploited by cybercriminals. It would also codify a current vulnerability disclosure program at the Department of Homeland Security whereby the department would disclose previously unknown flaws in these systems to the private sector.
Homeland Security officials would also be required to brief Congress on efforts to protect these systems twice a year for the first four years following its enactment.
NNT suggests implementing industry standards such as NERC CIP or the CIS Controls at a minimum to better secure industrial control systems from potential attacks. In addition, implementing Closed-Loop Intelligent Change Control to gain visibility into system configuration systems and spot unusual activity that could represent a cyber-attack before any serious damage is done.