[Congressional Record Volume 164, Number 106 (Monday, June 25, 2018)]
[House]
[Pages H5630-H5632]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
DHS INDUSTRIAL CONTROL SYSTEMS CAPABILITIES ENHANCEMENT ACT OF 2018
Mr. BACON. Mr. Speaker, I move to suspend the rules and pass the bill
(H.R. 5733) to amend the Homeland Security Act of 2002 to provide for
the responsibility of the National Cybersecurity and Communications
Integration Center to maintain capabilities to identify threats to
industrial control systems, and for other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 5733
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``DHS Industrial Control
Systems Capabilities Enhancement Act of 2018''.
SEC. 2. CAPABILITIES OF NATIONAL CYBERSECURITY AND
COMMUNICATIONS INTEGRATION CENTER TO IDENTIFY
THREATS TO INDUSTRIAL CONTROL SYSTEMS.
(a) In General.--Section 227 of the Homeland Security Act
of 2002 (6 U.S.C. 148) is amended--
(1) in subsection (e)(1)--
(A) in subparagraph (G), by striking ``and'' after the
semicolon;
(B) in subparagraph (H), by inserting ``and'' after the
semicolon; and
(C) by adding at the end the following new subparagraph:
``(I) activities of the Center address the security of both
information technology and operational technology, including
industrial control systems;'';
[[Page H5631]]
(2) by redesignating subsections (f) through (m) as
subsections (g) through (n), respectively; and
(3) by inserting after subsection (d) the following new
subsection:
``(f) Industrial Control Systems.--The Center shall
maintain capabilities to identify and address threats and
vulnerabilities to products and technologies intended for use
in the automated control of critical infrastructure
processes. In carrying out this subsection, the Center
shall--
``(1) lead, in coordination with relevant sector specific
agencies, Federal Government efforts to identify and mitigate
cybersecurity threats to industrial control systems,
including supervisory control and data acquisition systems;
``(2) maintain cross-sector incident response capabilities
to respond to industrial control system cybersecurity
incidents;
``(3) provide cybersecurity technical assistance to
industry end-users, product manufacturers, and other
industrial control system stakeholders to identify and
mitigate vulnerabilities;
``(4) collect, coordinate, and provide vulnerability
information to the industrial control systems community by,
as appropriate, working closely with security researchers,
industry end-users, product manufacturers, and other
industrial control systems stakeholders; and
``(5) conduct such other efforts and assistance as the
Secretary determines appropriate.''.
(b) Report to Congress.--Not later than 180 days after the
date of the enactment of this Act, and every 6 months
thereafter during the subsequent four-year period, the
National Cybersecurity and Communications Integration Center
shall provide to the Committee on Homeland Security of the
House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a briefing on
the industrial control systems capabilities of the Center
under subsection (f) of section 227 of the Homeland Security
Act of 2002 (6 U.S.C. 148), as added by subsection (a).
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Nebraska (Mr. Bacon) and the gentleman from Rhode Island (Mr. Langevin)
each will control 20 minutes.
The Chair recognizes the gentleman from Nebraska.
General Leave
Mr. BACON. Mr. Speaker, I ask unanimous consent that all Members may
have 5 legislative days within which to revise and extend their remarks
and include extraneous material on the bill under consideration.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Nebraska?
There was no objection.
Mr. BACON. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise today in support of H.R. 5733, the DHS Industrial
Control Systems Capabilities Enhancement Act of 2018.
Industrial control systems are the critical interface between digital
controls and a physical process. These systems are ubiquitous in our
modern society and are utilized in all 16 sectors of our Nation's
critical infrastructure.
Whether they are used in managing the operations of electric power
generators, water treatment facilities, medical devices, manufacturing
facilities, or transportation networks, disruptions or damage to these
systems have the potential to cause catastrophic and cascading
consequences to our Nation's national security, our economic security,
and our public health and safety.
The Department of Homeland Security's National Cybersecurity and
Communications Integration Center, or NCCIC, has a key role in
addressing the security of both information technology and operational
technology, including the industrial control systems.
DHS, through the NCCIC, currently provides operators of industrial
control systems across critical infrastructure sectors with support.
They do this with malware and vulnerability analysis, incident
response, and briefings on emerging threats and vulnerabilities.
H.R. 5733 codifies DHS' current role and directs them to maintain
existing capabilities to identify and address threats and
vulnerabilities to products and technologies intended for use in
automated control of critical infrastructure processes. This
legislation also supports DHS' function to secure ICS technologies by
allowing NCCIC to provide cybersecurity technical assistance to ICS end
users, product manufacturers, and other stakeholders to mitigate and
identify vulnerabilities.
DHS operates a central hub for ICS information exchange, technical
expertise, operational partnerships, and ICS-focused cybersecurity
capabilities. Mr. Speaker, I urge my colleagues to support H.R. 5733 to
codify the work that DHS performs in mitigating industrial control
system vulnerabilities, while ensuring that private industry has a
permanent place for assistance to address cybersecurity risks.
I want to thank Chairman McCaul and Chairman Ratcliffe for their
support of this legislation, as well as Congressman Langevin for his
amendment in committee. This is a bipartisan effort.
Mr. Speaker, I reserve the balance of my time.
Mr. LANGEVIN. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise in support of H.R. 5733, the DHS Industrial
Control Systems Capabilities Enhancement Act. H.R. 5733 would codify
the Department of Homeland Security's role in leading Federal efforts
to secure industrial control systems.
I want to commend the gentleman from Nebraska (Mr. Bacon) for his
hard work on this legislation. I have enjoyed collaborating with him on
it, and I am grateful for his support and his support of the amendment
that I offered in committee to make the act, I think, even better.
Mr. Speaker, we depend on control systems to deliver basic
necessities like clean water, a steady energy supply, reliable
transportation systems, and medical care.
This is not a new role for DHS, which has been working on control
system security since 2004. However, enactment of H.R. 5733 will help
provide clarity to DHS and its Federal partners at a critical moment in
our Nation's history.
Cyber threats, Mr. Speaker, to critical infrastructure have never
been greater, yet leadership from the White House is dangerously
lacking. Over the past few months, we have seen top cyber officials at
the White House leave, resign, or, in the case of the Cybersecurity
Coordinator, have the position eliminated altogether.
What is more, the President appears to be making major foreign policy
decisions with little, if any, regard for cybersecurity. The President
ignored warnings from the intelligence community about Chinese telecom
company ZTE when, in May, he directed the Commerce Department, by
tweet, to save this habitual sanctions offender. The same month, the
news broke that the Chinese Government had hacked into the networks of
a U.S. Navy contractor and syphoned off sensitive military data.
This month, DHS officials reported that the North Korean Government
is ramping up its cyber intrusions on critical infrastructure in the
U.S. and around the world.
With respect to Russia, we know that the Kremlin has the capability
to turn off the lights with a cyber intrusion, as it has done in
Ukraine. We also know that Russia has been able to successfully
infiltrate the networks of a wide range of U.S. critical infrastructure
operators, including power plants.
DHS, through the National Cybersecurity and Communications
Integration Center, or the NCCIC, provides critical infrastructure
owners and operators with valuable cyber assistance and resources to
help secure their systems. The NCCIC, and specifically the Industrial
Control Systems Computer Emergency Response Team, or ICS-CERT, has
longstanding relationships with critical infrastructure stakeholders
and the expertise to help owners and operators harden their defenses.
Expertise in operational technology, or OT, cybersecurity is even
harder to come by than the more traditional information and
communications technology, or ICT, space, and all of my colleagues know
how much of a workforce challenge we are facing there.
Congress is wise to recognize the amazing resource we have in ICS-
CERT by formally authorizing it with Mr. Bacon's bill. Security
solutions in the ICT space do not always map well onto operational
technology, and being conversant in the nuances is essential if we are
to protect the systems that we so heavily rely on.
During the committee consideration, I was also proud to offer an
amendment to codify ICS-CERT's coordinated vulnerability disclosure
program that ensures ICS vulnerabilities can be reported securely,
promptly, and responsibly. Through this program, manufacturers are
assured of a chance to patch
[[Page H5632]]
vulnerabilities before they are publicly announced, and security
researchers are assured that their voices will be heard.
ICS-CERT is to be commended for running a progressive program that
recognizes that most security researchers want to help make the
internet and the scary devices that connect to it a safer place. The
coordinated vulnerability program does just that by helping critical
infrastructure owners and operators who receive notices from ICS-CERT
about discovered vulnerabilities and effective patches before malicious
actors have a chance to exploit any flaws. Mr. Speaker, this bill would
empower ICS-CERT to carry out this mission fully and effectively.
Mr. Speaker, I want to again commend the gentleman for his work on
this important piece of legislation. I urge my colleagues to support
the measure.
Mr. Speaker, I reserve the balance of my time.
Mr. BACON. Mr. Speaker, I just want to say it has been a pleasure
working with Mr. Langevin not only on the Homeland Security Committee,
but also on the Armed Services Committee. We have partnered on quite a
few things, and it is wonderful to make a difference with him.
Mr. Speaker, I reserve the balance of my time.
Mr. LANGEVIN. Mr. Speaker, I yield myself the balance of my time.
Mr. Speaker, there is no question that industrial control systems are
a high-value target for our adversaries. Critical infrastructure owners
and operators use these systems to deliver the services that underpin
our day-to-day lives, and destruction to one of those systems could
have tremendous economic ramifications or could even be the difference
between life and death.
We know that our adversaries--most notably Russia, China, Iran, and
North Korea--have all targeted U.S. critical infrastructure and the
operational technology employed across these sectors. Mr. Speaker, it
is important that we solidify DHS' longstanding leadership role in
securing critical infrastructure, particularly with respect to
industrial control systems.
It has been a pleasure working with my colleague Mr. Bacon, the
gentleman from Nebraska, on this bill. I deeply appreciate both his
service to the country as well as his contributions both on the Armed
Services Committee and on the Homeland Security Committee. Likewise, it
has been a pleasure working with him over these years.
Mr. Speaker, I encourage my colleagues to support H.R. 5733, and I
yield back the balance of my time.
Mr. BACON. Mr. Speaker, I yield myself the balance of my time.
Mr. Speaker, first, I again want to thank my colleague from Rhode
Island for his partnership on this, and his comments were absolutely
right. The Russians and the Chinese are both working to be able to
attack our energy grid, among other parts of our infrastructure, and we
need to be prepared. And it doesn't start on day one of a war. It
starts now, when we have the time to prepare.
The next December 7 will not be like Pearl Harbor with aircraft and
torpedoes and bombs coming to attack our Pacific Fleet. It is going to
be preceded by a cyber attack that is going to try to shut down our
energy grid and other parts of our infrastructure, and the time to
prepare is now. This bill starts that process, or continues that
process, so that we are prepared.
Mr. Speaker, I urge my colleagues to support this bill, and I yield
back the balance of my time.
____________________