[Congressional Record Volume 167, Number 127 (Tuesday, July 20, 2021)]
[House]
[Pages H3695-H3696]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
DHS INDUSTRIAL CONTROL SYSTEMS CAPABILITIES ENHANCEMENT ACT OF 2021
Ms. CLARKE of New York. Madam Speaker, I move to suspend the rules
and pass the bill (H.R. 1833) to amend the Homeland Security Act of
2002 to provide for the responsibility of the Cybersecurity and
Infrastructure Security Agency to maintain capabilities to identify
threats to industrial control systems, and for other purposes, as
amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 1833
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``DHS Industrial Control
Systems Capabilities Enhancement Act of 2021''.
SEC. 2. CAPABILITIES OF THE CYBERSECURITY AND INFRASTRUCTURE
SECURITY AGENCY TO IDENTIFY THREATS TO
INDUSTRIAL CONTROL SYSTEMS.
(a) In General.--Section 2209 of the Homeland Security Act
of 2002 (6 U.S.C. 659) is amended--
(1) in subsection (e)(1)--
(A) in subparagraph (G), by striking ``and'' after the
semicolon;
(B) in subparagraph (H), by inserting ``and'' after the
semicolon; and
(C) by adding at the end the following new subparagraph:
``(I) activities of the Center address the security of both
information technology and operational technology, including
industrial control systems;''; and
(2) by adding at the end the following new subsection:
``(p) Industrial Control Systems.--The Director shall
maintain capabilities to identify and address threats and
vulnerabilities to products and technologies intended for use
in the automated control of critical infrastructure
processes. In carrying out this subsection, the Director
shall--
``(1) lead Federal Government efforts, in consultation with
Sector Risk Management Agencies, as appropriate, to identify
and mitigate cybersecurity threats to industrial control
systems, including supervisory control and data acquisition
systems;
``(2) maintain threat hunting and incident response
capabilities to respond to industrial control system
cybersecurity risks and incidents;
``(3) provide cybersecurity technical assistance to
industry end-users, product manufacturers, Sector Risk
Management Agencies, other Federal agencies, and other
industrial control system stakeholders to identify, evaluate,
assess, and mitigate vulnerabilities;
``(4) collect, coordinate, and provide vulnerability
information to the industrial control systems community by,
as appropriate, working closely with security researchers,
industry end-users, product manufacturers, Sector Risk
Management Agencies, other Federal agencies, and other
industrial control systems stakeholders; and
``(5) conduct such other efforts and assistance as the
Secretary determines appropriate.''.
(b) Report to Congress.--Not later than 180 days after the
date of the enactment of this Act and every six months
thereafter during the subsequent 4-year period, the Director
of the Cybersecurity and Infrastructure Security Agency of
the Department of Homeland Security shall provide to the
Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a briefing on the
industrial control systems capabilities of the Agency under
section 2209 of the Homeland Security Act of 2002 (6 U.S.C.
659), as amended by subsection (a).
(c) GAO Review.--Not later than two years after the date of
the enactment of this Act, the Comptroller General of the
United States shall review implementation of the requirements
of subsections (e)(1)(I) and (p) of section 2209 of the
Homeland Security Act of 2002 (6 U.S.C. 659), as amended by
subsection (a), and submit to the Committee on Homeland
Security in the House of Representatives and the Committee on
Homeland Security and Government Affairs of the Senate a
report containing findings and recommendations relating to
such implementation. Such report shall include information on
the following:
(1) Any interagency coordination challenges to the ability
of the Director of the Cybersecurity and Infrastructure
Agency of the Department of Homeland Security to lead Federal
efforts to identify and mitigate cybersecurity threats to
industrial control systems pursuant to subsection (p)(1) of
such section.
(2) The degree to which the Agency has adequate capacity,
expertise, and resources to carry out threat hunting and
incident response capabilities to mitigate cybersecurity
threats to industrial control systems pursuant to subsection
(p)(2) of such section, as well as additional resources that
would be needed to close any operational gaps in such
capabilities.
(3) The extent to which industrial control system
stakeholders sought cybersecurity technical assistance from
the Agency pursuant to subsection (p)(3) of such section, and
the utility and effectiveness of such technical assistance.
(4) The degree to which the Agency works with security
researchers and other industrial control systems
stakeholders, pursuant to subsection (p)(4) of such section,
to provide vulnerability information to the industrial
control systems community.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
New York (Ms. Clarke) and the gentleman from New York (Mr. Katko) each
will control 20 minutes.
The Chair recognizes the gentlewoman from New York.
General Leave
Ms. CLARKE of New York. Madam Speaker, I ask unanimous consent that
all Members may have 5 legislative days in which to revise and extend
their remarks and include extraneous material on this measure.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from New York?
There was no objection.
Ms. CLARKE of New York. Madam Speaker, I yield myself such time as I
may consume.
Madam Speaker, I rise in support of H.R. 1833, the DHS Industrial
Control Systems Capabilities Enhancement Act.
This bill seeks to give the Cybersecurity and Infrastructure Security
Agency, or CISA, a stronger hand in securing industrial control systems
and would help to clarify its central coordination role across the
Federal Government.
{time} 1315
The importance of securing industrial control systems cannot be
overstated. We rely on these systems to provide vital services, like
water treatment, energy distribution, and critical manufacturing.
As control systems have grown more and more connected to business and
IT networks that rely on the internet, we have seen systems become more
vulnerable to cyberattacks.
Industrial control systems have been targeted by groups closely
aligned with nation-states like China and Russia who seek to undermine
the United States and advance their own geopolitical interests.
We have also seen criminal groups, like the perpetrators of the
ransomware attack on the Colonial Pipeline, create great economic
disruption while extorting companies.
It doesn't take a criminal mastermind to infiltrate an industrial
environment, either. Earlier this year, an unsophisticated, unknown
perpetrator was able to breach a water treatment plant in Oldsmar,
Florida, and manipulate chemical levels in ways that could have
poisoned nearby residents.
H.R. 1833 will strengthen CISA's authority as the lead Federal
coordinator for securing industrial control systems and empower CISA to
hunt for threats, respond to incidents, and to promote strong
cybersecurity for critical infrastructure.
The Department of Homeland Security has been working on control
system security since 2004. H.R. 1833 recognizes that role at a pivotal
time as cyber threats to critical infrastructure reach new heights.
Importantly, this bill also includes a GAO review of whether CISA has
the resources, staffing, and authorities it needs to effectively
implement these provisions. Such oversight will be key, given that
these systems are complex, diverse, and there are a limited number of
skilled cyber experts capable of securing them.
Madam Speaker, I urge my colleagues to support H.R. 1833, and I
reserve the balance of my time.
Mr. KATKO. Madam Speaker, I yield myself such time as I may consume.
I want to thank my colleague from New York for supporting my bill,
H.R.
[[Page H3696]]
1833, the DHS Industrial Control Systems Capabilities Enhancement Act
of 2021.
As I have said from day one as ranking member of this committee, we
need to continue to bolster cybersecurity capabilities at CISA to
defend our Federal networks and the Nation's critical infrastructure
from cyber threats.
The volume of cyberattacks and ransomware attacks in 2021 alone shows
that no one is immune from nation-state cyber actors or cyber
criminals. Cyber threats, particularly ransomware, are the preeminent
national security threat facing our Nation today. From Colonial
Pipeline to a local water facility in Florida, we have witnessed the
real-world consequences cyberattacks can have on our critical
infrastructure.
In the cyberattack against a water treatment plant in Florida,
hackers were able to gain access to industrial control systems, or ICS
for short, and attempted to alter the mixture of water chemicals to
what could have been catastrophic fatal levels.
Cyber incidents are very rarely sector specific. CISA is a central
agency that can quickly connect the dots when a malicious cyber
campaign spans multiple sectors. It is vital that we continue to
enhance its visibility across the critical infrastructure ecosystem.
This bill requires the CISA director to maintain capabilities to
detect and mitigate threats and vulnerabilities affecting automated
control of critical infrastructure, particularly industrial control
systems.
This includes maintaining cross-sector incident response capabilities
to respond to cybersecurity incidents and providing cybersecurity
technical assistance to stakeholders.
We must continue to solidify CISA's lead role in protecting our
Nation's critical infrastructure from cyber threats, particularly the
industrial control systems that underpin vital components of our daily
lives.
This bill is one step in the committee's continued efforts to build
up CISA's authorities and resources to effectively carry out its
mission, and it is a resounding statement to have such heavy-hitting,
bipartisan support.
Madam Speaker, I urge all Members to join me in supporting H.R. 1833,
and I reserve the balance of my time.
Ms. CLARKE of New York. Madam Speaker, I have no further speakers,
and I am prepared to close after the gentleman from New York closes. I
reserve the balance of my time.
Mr. KATKO. Madam Speaker, I have no further speakers. I urge Members
to support this bill. I yield back the balance of my time.
Ms. CLARKE of New York. Madam Speaker, I yield myself the balance of
my time to close.
I would like to start by thanking the gentleman from New York for his
outstanding leadership in this regard.
Industrial control systems are a rich target for cyber adversaries
looking to disrupt, extort, and simply wreak havoc. These systems
underpin the functions and services we rely on for our day-to-day
lives, and the threats they face have never been higher.
Successful disruption of one of these systems could have dire
consequences for public health and safety, public confidence, and even
the national and economic security of the United States.
CISA is well-positioned to help owners and operators better
understand risks to operational technology and work with them to close
security gaps.
I again want to congratulate the gentleman from New York (Mr. Katko),
my committee colleague and ranking member, on authoring this bill to
codify the role that CISA plays in leading Federal efforts to secure
industrial control systems.
Enactment of H.R. 1833 will help to raise our cybersecurity posture
across the board.
Madam Speaker, I yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentlewoman from New York (Ms. Clarke) that the House suspend the rules
and pass the bill, H.R. 1833, as amended.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. BISHOP of North Carolina. Madam Speaker, on that I demand the
yeas and nays.
The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution
8, the yeas and nays are ordered.
Pursuant to clause 8 of rule XX, further proceedings on this motion
are postponed.
____________________