[Congressional Record Volume 167, Number 127 (Tuesday, July 20, 2021)]
[House]
[Pages H3695-H3696]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




  DHS INDUSTRIAL CONTROL SYSTEMS CAPABILITIES ENHANCEMENT ACT OF 2021

  Ms. CLARKE of New York. Madam Speaker, I move to suspend the rules 
and pass the bill (H.R. 1833) to amend the Homeland Security Act of 
2002 to provide for the responsibility of the Cybersecurity and 
Infrastructure Security Agency to maintain capabilities to identify 
threats to industrial control systems, and for other purposes, as 
amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 1833

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``DHS Industrial Control 
     Systems Capabilities Enhancement Act of 2021''.

     SEC. 2. CAPABILITIES OF THE CYBERSECURITY AND INFRASTRUCTURE 
                   SECURITY AGENCY TO IDENTIFY THREATS TO 
                   INDUSTRIAL CONTROL SYSTEMS.

       (a) In General.--Section 2209 of the Homeland Security Act 
     of 2002 (6 U.S.C. 659) is amended--
       (1) in subsection (e)(1)--
       (A) in subparagraph (G), by striking ``and'' after the 
     semicolon;
       (B) in subparagraph (H), by inserting ``and'' after the 
     semicolon; and
       (C) by adding at the end the following new subparagraph:
       ``(I) activities of the Center address the security of both 
     information technology and operational technology, including 
     industrial control systems;''; and
       (2) by adding at the end the following new subsection:
       ``(p) Industrial Control Systems.--The Director shall 
     maintain capabilities to identify and address threats and 
     vulnerabilities to products and technologies intended for use 
     in the automated control of critical infrastructure 
     processes. In carrying out this subsection, the Director 
     shall--
       ``(1) lead Federal Government efforts, in consultation with 
     Sector Risk Management Agencies, as appropriate, to identify 
     and mitigate cybersecurity threats to industrial control 
     systems, including supervisory control and data acquisition 
     systems;
       ``(2) maintain threat hunting and incident response 
     capabilities to respond to industrial control system 
     cybersecurity risks and incidents;
       ``(3) provide cybersecurity technical assistance to 
     industry end-users, product manufacturers, Sector Risk 
     Management Agencies, other Federal agencies, and other 
     industrial control system stakeholders to identify, evaluate, 
     assess, and mitigate vulnerabilities;
       ``(4) collect, coordinate, and provide vulnerability 
     information to the industrial control systems community by, 
     as appropriate, working closely with security researchers, 
     industry end-users, product manufacturers, Sector Risk 
     Management Agencies, other Federal agencies, and other 
     industrial control systems stakeholders; and
       ``(5) conduct such other efforts and assistance as the 
     Secretary determines appropriate.''.
       (b) Report to Congress.--Not later than 180 days after the 
     date of the enactment of this Act and every six months 
     thereafter during the subsequent 4-year period, the Director 
     of the Cybersecurity and Infrastructure Security Agency of 
     the Department of Homeland Security shall provide to the 
     Committee on Homeland Security of the House of 
     Representatives and the Committee on Homeland Security and 
     Governmental Affairs of the Senate a briefing on the 
     industrial control systems capabilities of the Agency under 
     section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 
     659), as amended by subsection (a).
       (c) GAO Review.--Not later than two years after the date of 
     the enactment of this Act, the Comptroller General of the 
     United States shall review implementation of the requirements 
     of subsections (e)(1)(I) and (p) of section 2209 of the 
     Homeland Security Act of 2002 (6 U.S.C. 659), as amended by 
     subsection (a), and submit to the Committee on Homeland 
     Security in the House of Representatives and the Committee on 
     Homeland Security and Government Affairs of the Senate a 
     report containing findings and recommendations relating to 
     such implementation. Such report shall include information on 
     the following:
       (1) Any interagency coordination challenges to the ability 
     of the Director of the Cybersecurity and Infrastructure 
     Agency of the Department of Homeland Security to lead Federal 
     efforts to identify and mitigate cybersecurity threats to 
     industrial control systems pursuant to subsection (p)(1) of 
     such section.
       (2) The degree to which the Agency has adequate capacity, 
     expertise, and resources to carry out threat hunting and 
     incident response capabilities to mitigate cybersecurity 
     threats to industrial control systems pursuant to subsection 
     (p)(2) of such section, as well as additional resources that 
     would be needed to close any operational gaps in such 
     capabilities.
       (3) The extent to which industrial control system 
     stakeholders sought cybersecurity technical assistance from 
     the Agency pursuant to subsection (p)(3) of such section, and 
     the utility and effectiveness of such technical assistance.
       (4) The degree to which the Agency works with security 
     researchers and other industrial control systems 
     stakeholders, pursuant to subsection (p)(4) of such section, 
     to provide vulnerability information to the industrial 
     control systems community.
  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
New York (Ms. Clarke) and the gentleman from New York (Mr. Katko) each 
will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Ms. CLARKE of New York. Madam Speaker, I ask unanimous consent that 
all Members may have 5 legislative days in which to revise and extend 
their remarks and include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Ms. CLARKE of New York. Madam Speaker, I yield myself such time as I 
may consume.
  Madam Speaker, I rise in support of H.R. 1833, the DHS Industrial 
Control Systems Capabilities Enhancement Act.
  This bill seeks to give the Cybersecurity and Infrastructure Security 
Agency, or CISA, a stronger hand in securing industrial control systems 
and would help to clarify its central coordination role across the 
Federal Government.

                              {time}  1315

  The importance of securing industrial control systems cannot be 
overstated. We rely on these systems to provide vital services, like 
water treatment, energy distribution, and critical manufacturing.
  As control systems have grown more and more connected to business and 
IT networks that rely on the internet, we have seen systems become more 
vulnerable to cyberattacks.
  Industrial control systems have been targeted by groups closely 
aligned with nation-states like China and Russia who seek to undermine 
the United States and advance their own geopolitical interests.
  We have also seen criminal groups, like the perpetrators of the 
ransomware attack on the Colonial Pipeline, create great economic 
disruption while extorting companies.
  It doesn't take a criminal mastermind to infiltrate an industrial 
environment, either. Earlier this year, an unsophisticated, unknown 
perpetrator was able to breach a water treatment plant in Oldsmar, 
Florida, and manipulate chemical levels in ways that could have 
poisoned nearby residents.
  H.R. 1833 will strengthen CISA's authority as the lead Federal 
coordinator for securing industrial control systems and empower CISA to 
hunt for threats, respond to incidents, and to promote strong 
cybersecurity for critical infrastructure.
  The Department of Homeland Security has been working on control 
system security since 2004. H.R. 1833 recognizes that role at a pivotal 
time as cyber threats to critical infrastructure reach new heights.
  Importantly, this bill also includes a GAO review of whether CISA has 
the resources, staffing, and authorities it needs to effectively 
implement these provisions. Such oversight will be key, given that 
these systems are complex, diverse, and there are a limited number of 
skilled cyber experts capable of securing them.
  Madam Speaker, I urge my colleagues to support H.R. 1833, and I 
reserve the balance of my time.
  Mr. KATKO. Madam Speaker, I yield myself such time as I may consume.
  I want to thank my colleague from New York for supporting my bill, 
H.R.

[[Page H3696]]

1833, the DHS Industrial Control Systems Capabilities Enhancement Act 
of 2021.
  As I have said from day one as ranking member of this committee, we 
need to continue to bolster cybersecurity capabilities at CISA to 
defend our Federal networks and the Nation's critical infrastructure 
from cyber threats.
  The volume of cyberattacks and ransomware attacks in 2021 alone shows 
that no one is immune from nation-state cyber actors or cyber 
criminals. Cyber threats, particularly ransomware, are the preeminent 
national security threat facing our Nation today. From Colonial 
Pipeline to a local water facility in Florida, we have witnessed the 
real-world consequences cyberattacks can have on our critical 
infrastructure.
  In the cyberattack against a water treatment plant in Florida, 
hackers were able to gain access to industrial control systems, or ICS 
for short, and attempted to alter the mixture of water chemicals to 
what could have been catastrophic fatal levels.
  Cyber incidents are very rarely sector specific. CISA is a central 
agency that can quickly connect the dots when a malicious cyber 
campaign spans multiple sectors. It is vital that we continue to 
enhance its visibility across the critical infrastructure ecosystem.
  This bill requires the CISA director to maintain capabilities to 
detect and mitigate threats and vulnerabilities affecting automated 
control of critical infrastructure, particularly industrial control 
systems.
  This includes maintaining cross-sector incident response capabilities 
to respond to cybersecurity incidents and providing cybersecurity 
technical assistance to stakeholders.
  We must continue to solidify CISA's lead role in protecting our 
Nation's critical infrastructure from cyber threats, particularly the 
industrial control systems that underpin vital components of our daily 
lives.
  This bill is one step in the committee's continued efforts to build 
up CISA's authorities and resources to effectively carry out its 
mission, and it is a resounding statement to have such heavy-hitting, 
bipartisan support.
  Madam Speaker, I urge all Members to join me in supporting H.R. 1833, 
and I reserve the balance of my time.
  Ms. CLARKE of New York. Madam Speaker, I have no further speakers, 
and I am prepared to close after the gentleman from New York closes. I 
reserve the balance of my time.
  Mr. KATKO. Madam Speaker, I have no further speakers. I urge Members 
to support this bill. I yield back the balance of my time.
  Ms. CLARKE of New York. Madam Speaker, I yield myself the balance of 
my time to close.
  I would like to start by thanking the gentleman from New York for his 
outstanding leadership in this regard.
  Industrial control systems are a rich target for cyber adversaries 
looking to disrupt, extort, and simply wreak havoc. These systems 
underpin the functions and services we rely on for our day-to-day 
lives, and the threats they face have never been higher.
  Successful disruption of one of these systems could have dire 
consequences for public health and safety, public confidence, and even 
the national and economic security of the United States.
  CISA is well-positioned to help owners and operators better 
understand risks to operational technology and work with them to close 
security gaps.
  I again want to congratulate the gentleman from New York (Mr. Katko), 
my committee colleague and ranking member, on authoring this bill to 
codify the role that CISA plays in leading Federal efforts to secure 
industrial control systems.
  Enactment of H.R. 1833 will help to raise our cybersecurity posture 
across the board.
  Madam Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from New York (Ms. Clarke) that the House suspend the rules 
and pass the bill, H.R. 1833, as amended.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. BISHOP of North Carolina. Madam Speaker, on that I demand the 
yeas and nays.
  The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 
8, the yeas and nays are ordered.
  Pursuant to clause 8 of rule XX, further proceedings on this motion 
are postponed.

                          ____________________