[Congressional Record Volume 164, Number 106 (Monday, June 25, 2018)]
[House]
[Pages H5630-H5632]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




  DHS INDUSTRIAL CONTROL SYSTEMS CAPABILITIES ENHANCEMENT ACT OF 2018

  Mr. BACON. Mr. Speaker, I move to suspend the rules and pass the bill 
(H.R. 5733) to amend the Homeland Security Act of 2002 to provide for 
the responsibility of the National Cybersecurity and Communications 
Integration Center to maintain capabilities to identify threats to 
industrial control systems, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 5733

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``DHS Industrial Control 
     Systems Capabilities Enhancement Act of 2018''.

     SEC. 2. CAPABILITIES OF NATIONAL CYBERSECURITY AND 
                   COMMUNICATIONS INTEGRATION CENTER TO IDENTIFY 
                   THREATS TO INDUSTRIAL CONTROL SYSTEMS.

       (a) In General.--Section 227 of the Homeland Security Act 
     of 2002 (6 U.S.C. 148) is amended--
       (1) in subsection (e)(1)--
       (A) in subparagraph (G), by striking ``and'' after the 
     semicolon;
       (B) in subparagraph (H), by inserting ``and'' after the 
     semicolon; and
       (C) by adding at the end the following new subparagraph:
       ``(I) activities of the Center address the security of both 
     information technology and operational technology, including 
     industrial control systems;'';

[[Page H5631]]

       (2) by redesignating subsections (f) through (m) as 
     subsections (g) through (n), respectively; and
       (3) by inserting after subsection (d) the following new 
     subsection:
       ``(f) Industrial Control Systems.--The Center shall 
     maintain capabilities to identify and address threats and 
     vulnerabilities to products and technologies intended for use 
     in the automated control of critical infrastructure 
     processes. In carrying out this subsection, the Center 
     shall--
       ``(1) lead, in coordination with relevant sector specific 
     agencies, Federal Government efforts to identify and mitigate 
     cybersecurity threats to industrial control systems, 
     including supervisory control and data acquisition systems;
       ``(2) maintain cross-sector incident response capabilities 
     to respond to industrial control system cybersecurity 
     incidents;
       ``(3) provide cybersecurity technical assistance to 
     industry end-users, product manufacturers, and other 
     industrial control system stakeholders to identify and 
     mitigate vulnerabilities;
       ``(4) collect, coordinate, and provide vulnerability 
     information to the industrial control systems community by, 
     as appropriate, working closely with security researchers, 
     industry end-users, product manufacturers, and other 
     industrial control systems stakeholders; and
       ``(5) conduct such other efforts and assistance as the 
     Secretary determines appropriate.''.
       (b) Report to Congress.--Not later than 180 days after the 
     date of the enactment of this Act, and every 6 months 
     thereafter during the subsequent four-year period, the 
     National Cybersecurity and Communications Integration Center 
     shall provide to the Committee on Homeland Security of the 
     House of Representatives and the Committee on Homeland 
     Security and Governmental Affairs of the Senate a briefing on 
     the industrial control systems capabilities of the Center 
     under subsection (f) of section 227 of the Homeland Security 
     Act of 2002 (6 U.S.C. 148), as added by subsection (a).

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Nebraska (Mr. Bacon) and the gentleman from Rhode Island (Mr. Langevin) 
each will control 20 minutes.
  The Chair recognizes the gentleman from Nebraska.


                             General Leave

  Mr. BACON. Mr. Speaker, I ask unanimous consent that all Members may 
have 5 legislative days within which to revise and extend their remarks 
and include extraneous material on the bill under consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Nebraska?
  There was no objection.
  Mr. BACON. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise today in support of H.R. 5733, the DHS Industrial 
Control Systems Capabilities Enhancement Act of 2018.
  Industrial control systems are the critical interface between digital 
controls and a physical process. These systems are ubiquitous in our 
modern society and are utilized in all 16 sectors of our Nation's 
critical infrastructure.
  Whether they are used in managing the operations of electric power 
generators, water treatment facilities, medical devices, manufacturing 
facilities, or transportation networks, disruptions or damage to these 
systems have the potential to cause catastrophic and cascading 
consequences to our Nation's national security, our economic security, 
and our public health and safety.
  The Department of Homeland Security's National Cybersecurity and 
Communications Integration Center, or NCCIC, has a key role in 
addressing the security of both information technology and operational 
technology, including the industrial control systems.
  DHS, through the NCCIC, currently provides operators of industrial 
control systems across critical infrastructure sectors with support. 
They do this with malware and vulnerability analysis, incident 
response, and briefings on emerging threats and vulnerabilities.
  H.R. 5733 codifies DHS' current role and directs them to maintain 
existing capabilities to identify and address threats and 
vulnerabilities to products and technologies intended for use in 
automated control of critical infrastructure processes. This 
legislation also supports DHS' function to secure ICS technologies by 
allowing NCCIC to provide cybersecurity technical assistance to ICS end 
users, product manufacturers, and other stakeholders to mitigate and 
identify vulnerabilities.
  DHS operates a central hub for ICS information exchange, technical 
expertise, operational partnerships, and ICS-focused cybersecurity 
capabilities. Mr. Speaker, I urge my colleagues to support H.R. 5733 to 
codify the work that DHS performs in mitigating industrial control 
system vulnerabilities, while ensuring that private industry has a 
permanent place for assistance to address cybersecurity risks.
  I want to thank Chairman McCaul and Chairman Ratcliffe for their 
support of this legislation, as well as Congressman Langevin for his 
amendment in committee. This is a bipartisan effort.
  Mr. Speaker, I reserve the balance of my time.
  Mr. LANGEVIN. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in support of H.R. 5733, the DHS Industrial 
Control Systems Capabilities Enhancement Act. H.R. 5733 would codify 
the Department of Homeland Security's role in leading Federal efforts 
to secure industrial control systems.
  I want to commend the gentleman from Nebraska (Mr. Bacon) for his 
hard work on this legislation. I have enjoyed collaborating with him on 
it, and I am grateful for his support and his support of the amendment 
that I offered in committee to make the act, I think, even better.
  Mr. Speaker, we depend on control systems to deliver basic 
necessities like clean water, a steady energy supply, reliable 
transportation systems, and medical care.
  This is not a new role for DHS, which has been working on control 
system security since 2004. However, enactment of H.R. 5733 will help 
provide clarity to DHS and its Federal partners at a critical moment in 
our Nation's history.
  Cyber threats, Mr. Speaker, to critical infrastructure have never 
been greater, yet leadership from the White House is dangerously 
lacking. Over the past few months, we have seen top cyber officials at 
the White House leave, resign, or, in the case of the Cybersecurity 
Coordinator, have the position eliminated altogether.
  What is more, the President appears to be making major foreign policy 
decisions with little, if any, regard for cybersecurity. The President 
ignored warnings from the intelligence community about Chinese telecom 
company ZTE when, in May, he directed the Commerce Department, by 
tweet, to save this habitual sanctions offender. The same month, the 
news broke that the Chinese Government had hacked into the networks of 
a U.S. Navy contractor and syphoned off sensitive military data.
  This month, DHS officials reported that the North Korean Government 
is ramping up its cyber intrusions on critical infrastructure in the 
U.S. and around the world.
  With respect to Russia, we know that the Kremlin has the capability 
to turn off the lights with a cyber intrusion, as it has done in 
Ukraine. We also know that Russia has been able to successfully 
infiltrate the networks of a wide range of U.S. critical infrastructure 
operators, including power plants.
  DHS, through the National Cybersecurity and Communications 
Integration Center, or the NCCIC, provides critical infrastructure 
owners and operators with valuable cyber assistance and resources to 
help secure their systems. The NCCIC, and specifically the Industrial 
Control Systems Computer Emergency Response Team, or ICS-CERT, has 
longstanding relationships with critical infrastructure stakeholders 
and the expertise to help owners and operators harden their defenses.
  Expertise in operational technology, or OT, cybersecurity is even 
harder to come by than the more traditional information and 
communications technology, or ICT, space, and all of my colleagues know 
how much of a workforce challenge we are facing there.

  Congress is wise to recognize the amazing resource we have in ICS-
CERT by formally authorizing it with Mr. Bacon's bill. Security 
solutions in the ICT space do not always map well onto operational 
technology, and being conversant in the nuances is essential if we are 
to protect the systems that we so heavily rely on.
  During the committee consideration, I was also proud to offer an 
amendment to codify ICS-CERT's coordinated vulnerability disclosure 
program that ensures ICS vulnerabilities can be reported securely, 
promptly, and responsibly. Through this program, manufacturers are 
assured of a chance to patch

[[Page H5632]]

vulnerabilities before they are publicly announced, and security 
researchers are assured that their voices will be heard.
  ICS-CERT is to be commended for running a progressive program that 
recognizes that most security researchers want to help make the 
internet and the scary devices that connect to it a safer place. The 
coordinated vulnerability program does just that by helping critical 
infrastructure owners and operators who receive notices from ICS-CERT 
about discovered vulnerabilities and effective patches before malicious 
actors have a chance to exploit any flaws. Mr. Speaker, this bill would 
empower ICS-CERT to carry out this mission fully and effectively.
  Mr. Speaker, I want to again commend the gentleman for his work on 
this important piece of legislation. I urge my colleagues to support 
the measure.
  Mr. Speaker, I reserve the balance of my time.
  Mr. BACON. Mr. Speaker, I just want to say it has been a pleasure 
working with Mr. Langevin not only on the Homeland Security Committee, 
but also on the Armed Services Committee. We have partnered on quite a 
few things, and it is wonderful to make a difference with him.
  Mr. Speaker, I reserve the balance of my time.
  Mr. LANGEVIN. Mr. Speaker, I yield myself the balance of my time.
  Mr. Speaker, there is no question that industrial control systems are 
a high-value target for our adversaries. Critical infrastructure owners 
and operators use these systems to deliver the services that underpin 
our day-to-day lives, and destruction to one of those systems could 
have tremendous economic ramifications or could even be the difference 
between life and death.
  We know that our adversaries--most notably Russia, China, Iran, and 
North Korea--have all targeted U.S. critical infrastructure and the 
operational technology employed across these sectors. Mr. Speaker, it 
is important that we solidify DHS' longstanding leadership role in 
securing critical infrastructure, particularly with respect to 
industrial control systems.
  It has been a pleasure working with my colleague Mr. Bacon, the 
gentleman from Nebraska, on this bill. I deeply appreciate both his 
service to the country as well as his contributions both on the Armed 
Services Committee and on the Homeland Security Committee. Likewise, it 
has been a pleasure working with him over these years.
  Mr. Speaker, I encourage my colleagues to support H.R. 5733, and I 
yield back the balance of my time.
  Mr. BACON. Mr. Speaker, I yield myself the balance of my time.
  Mr. Speaker, first, I again want to thank my colleague from Rhode 
Island for his partnership on this, and his comments were absolutely 
right. The Russians and the Chinese are both working to be able to 
attack our energy grid, among other parts of our infrastructure, and we 
need to be prepared. And it doesn't start on day one of a war. It 
starts now, when we have the time to prepare.
  The next December 7 will not be like Pearl Harbor with aircraft and 
torpedoes and bombs coming to attack our Pacific Fleet. It is going to 
be preceded by a cyber attack that is going to try to shut down our 
energy grid and other parts of our infrastructure, and the time to 
prepare is now. This bill starts that process, or continues that 
process, so that we are prepared.
  Mr. Speaker, I urge my colleagues to support this bill, and I yield 
back the balance of my time.

                          ____________________