[Senate Report 117-281]
[From the U.S. Government Publishing Office]
Calendar No. 680
117th Congress } { Report
SENATE
2d Session } { 117-281
_______________________________________________________________________
INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY TRAINING ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
H.R. 7777
TO AMEND THE HOMELAND SECURITY ACT OF 2002 TO
AUTHORIZE THE CYBERSECURITY AND INFRASTRUCTURE
SECURITY AGENCY TO ESTABLISH AN INDUSTRIAL
CONTROL SYSTEMS CYBERSECURITY TRAINING INITIATIVE,
AND FOR OTHER PURPOSES
December 19, 2022.--Ordered to be printed
_________
U.S. GOVERNMENT PUBLISHING OFFICE
39-010 WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona RAND PAUL, Kentucky
JACKY ROSEN, Nevada JAMES LANKFORD, Oklahoma
ALEX PADILLA, California MITT ROMNEY, Utah
JON OSSOFF, Georgia RICK SCOTT, Florida
JOSH HAWLEY, Missouri
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Christopher J. Mulkins, Director of Homeland Security
Jeffrey D. Rothblum, Senior Professional Staff Member
Pamela Thiessen, Minority Staff Director
Sam J. Mulopulos, Minority Deputy Staff Director
William H.W. McKenna, Minority Chief Counsel
Laura W. Kilbride, Chief Clerk
======================================================================
INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY TRAINING ACT
_______
December 19, 2022.--Ordered to be printed
_______
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany H.R. 7777]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (H.R. 7777) to amend
the Homeland Security Act of 2002 to authorize the
Cybersecurity and Infrastructure Security Agency to establish
an industrial control systems cybersecurity training
initiative, and for other purposes, having considered the same,
reports favorably thereon with an amendment, in the nature of a
substitute, and recommends that the bill, as amended, do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis of the Bill, as Reported
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported
I. Purpose and Summary
Industrial Control Systems are information systems used to
control, generally, physical industrial processes and often
consist of combinations of components (e.g., electrical,
mechanical, hydraulic, pneumatic) that act together to achieve
an industrial objective, such as manufacturing, product
handling, or transportation.\1\ H.R. 7777, the Industrial
Control Systems Cybersecurity Training Act, recognizes the
unique challenges in securing industrial control systems (ICS)
and requires specialized training to implement such
security.\2\ The bill would establish an ICS Training
Initiative (Initiative) at the Cybersecurity and Infrastructure
Security Agency (CISA), and authorizes CISA to provide training
and courses on ICS cybersecurity to public and private sector
organizations. The bill requires CISA to publish an annual
report on the Initiative, including future plans of the
Initiative and recommendations for additional actions to
strengthen ICS cybersecurity resources.
---------------------------------------------------------------------------
\1\ National Institute of Standards and Technology, Glossary:
industrial control system (ICS) (https://csrc.nist.gov/glossary/term/
industrial_control_system) (accessed Dec. 12, 2022).
\2\The terms operational technology (OT) and ICS are often used
interchangeably by the private sector entities who develop or operate
such technology, as well as cybersecurity companies that work to protect
such technology. Some organizations use OT as an umbrella term with ICS
as the predominant technology within OT. For purposes of this report,
the term ICS will be used throughout for consistency, even though some
citations refer to OT rather than ICS.
---------------------------------------------------------------------------
II. Background and Need for the Legislation
ICS cybersecurity is different from traditional information
technology (IT) cybersecurity, in part due to the ``unique
performance, reliability, and safety requirements'' of ICS
systems.\3\ Many of these differences stem from the fact that
ICS systems have a direct effect on the physical world as they
execute industrial processes, meaning cybersecurity risks can
lead to significant physical world consequences, including on
the health and safety of human lives, serious damage to the
environment, and negative impacts to the nation's economy.\4\
---------------------------------------------------------------------------
\3\National Institute of Standards and Technology, Guide to
Operational Technology (OT) Security (SP-800-82 Rev.3 (Draft)) (Apr.
26, 2022).
\4\National Institute of Standards and Technology, Guide to
Operational Technology (OT) Security (SP-800-82 Rev.3 (Draft)) (Apr.
26, 2022).
---------------------------------------------------------------------------
The risks to ICS are not hypothetical. In recent years,
there have been numerous threats and attacks to ICS systems,
many of which are part of the country's critical infrastructure
for providing lifeline services. A recent report found 93% of
ICS organizations experienced an intrusion in 2022; 78% of
those organizations experienced three or more intrusions.\5\ In
January of 2021, a hacker was able to gain access to a water
treatment plant that served large parts of the San Francisco
Bay area and was in a position to augment the chemical levels
used in treating wastewater.\6\ Similarly, in February of 2021,
a hacker utilized the same exploit against an Oldsmar, Florida
drinking water treatment facility.\7\ In this incident, the
attacker gained access to the ICS that controlled the sodium
hydroxide levels in the water and raised them to poisonous
levels before being manually overridden, preventing anyone from
being harmed.\8\ The 2021 Colonial Pipeline cyber attack
targeted the company's IT systems, and the resulting multi-day
shutdown of the company's pipeline and ICS technology led to a
destabilization of fuel supply across the East coast.\9\ These
attacks foreshadow the scale and severity that more aggressive
attacks on ICS systems can yield.
---------------------------------------------------------------------------
\5\Fortinet, 2022 State of Operational Technology and Cybersecurity
Report (2022) (https://www.fortinet.com/content/dam/fortinet/assets/
analyst-reports/report-2022-ot-cybersecurity.pdf).
\6\50,000 security disasters waiting to happen: The problem of
America's water supplies, NBC News (Jun. 17, 2021) (https://
www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-
was-easy-entering-password-rcna1206).
\7\50,000 security disasters waiting to happen: The problem of
America's water supplies, NBC News (Jun. 17, 2021) (https://
www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-
was-easy-entering-password-rcna1206); FBI Called In After Hacker Tries
To Poison Tampa-Area City's Water With Lye, NPR (Feb. 9, 2021) (https:/
/www.npr.org/2021/02/09/965791252/fbi-called-in-after-hacker-tries-to-
poison-tampa-area-citys-water-with-lye).
\8\50,000 security disasters waiting to happen: The problem of
America's water supplies, NBC News (Jun. 17, 2021) (https://
www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-
was-easy-entering-password-rcna1206); FBI Called In After Hacker Tries
To Poison Tampa-Area City's Water With Lye, NPR (Feb. 9, 2021) (https:/
/www.npr.org/2021/02/09/965791252/fbi-called-in-after-hacker-tries-to-
poison-tampa-area-citys-water-with-lye).
\9\`Jugular' of the U.S. fuel pipeline system shuts down after
cyberattack, Politico, (May 8, 2021) (https://www.politico.com/news/
2021/05/08/colonial-pipeline-cyber-attack-485984).
---------------------------------------------------------------------------
Studies have shown there are hundreds of thousands of
cybersecurity job openings in the United States.\10\ The
consequences of this workforce shortage affect all sectors,
but are particularly severe for the ICS community.\11\ ICS
systems have unique performance and reliability requirements,
thus the cybersecurity requirements are often unfamiliar or
seen as unconventional to typical IT cybersecurity
personnel.\12\ While traditional cybersecurity education
programs cover most aspects of IT cybersecurity, there are six
industrial cybersecurity education domains where there is
little educational focus: industrial operations,
instrumentation and control, equipment, communications, safety,
and regulation.\13\\14\
---------------------------------------------------------------------------
\10\While the number of openings varies, as do the methods of
measuring the number of openings, the range is most often stated to be
between 400,000 and 700,000 cybersecurity openings in the United
States. (ISC)\2\'s annual Cybersecurity Workforce Study for 2022 found
about 400,000 cybersecurity job openings in the United States, while
Cyber Seek found about 465,000 openings and the Biden administration
has said that the number has grown to more than 700,000. See U.S. has
almost 500,000 job openings in cybersecurity, CBS News (May 21, 2021)
(https://www.cbsnews.com/news/cybersecurity-job-openings-united-states/
), Biden administration pushes to close the growing cybersecurity
workforce gap, CNN (Jul. 19, 2021) (https://www.cnn.com/2022/07/19/
tech/biden-cyber-workforce-gap/index.html), and (ISC)\2\, 2022
Cybersecurity Workforce Study (2022) (https://www.isc2.org/Research/
Workforce-Study).
\11\Fortinet, 2022 State of Operational Technology and
Cybersecurity Report (2022) (https://www.fortinet.com/com/content/dam/
fortinet/assets/analyst-reports/report-2022-ot-cybersecurity.pdf)
\12\National Institute of Standards and Technology, Guide to
Operational Technology (OT) Security (SP-800-82 Rev.3 (Draft)) (Apr.
26, 2022).
\13\Building an Industrial Cybersecurity Workforce: A Manager's
Guide, Idaho State University and Idaho National Laboratory, (accessed
December 7, 2022), available at https://inl.gov/wp-
content/uploads/2021/02/ICS_Workforce-ManagersGuide2021.pdf.
\14\Building an Industrial Cybersecurity Workforce: A Manager's
Guide, Idaho State University and Idaho National Laboratory, (accessed
December 7, 2022), available at https://inl.gov/wp-
content/uploads/2021/02/ICS_Workforce-ManagersGuide2021.pdf.
---------------------------------------------------------------------------
H.R. 7777 would help address this education gap by
providing specific ICS training. H.R. 7777 would authorize CISA
to provide no-cost virtual and in-person trainings and courses
to help the cyber workforce develop skills that are more
focused on ICS cybersecurity and the specific threats to ICS.
The bill would also give Congress an annual report on the
program which will highlight program progression, expansion
opportunities, and the participation of women and underserved
communities.
III. Legislative History
Representative Swalwell (D-CA-15) introduced H.R. 7777, the
Industrial Control Systems Cybersecurity Training Act, on May
16, 2022. The bill was referred to the House Committee on
Homeland Security. On May 19, 2022, the bill was marked up by
the House Committee on Homeland Security favorably by voice
vote. On June 21, 2022, the House of Representatives passed the
bill under a suspension of the rules by a vote of 368 to 47.
The bill was referred to the Senate Committee on Homeland
Security and Governmental Affairs.
The Committee considered H.R. 7777 at a business meeting on
September 28, 2022. During the business meeting, Senator
Portman (R-OH) offered a modified substitute amendment that
made several technical amendments and added a provision
requiring CISA to consult with commercial training providers
and academia to minimize the potential for duplication of other
training opportunities. The Portman substitute amendment, as
modified, was adopted by voice vote en bloc with Senators
Peters, Carper, Hassan, Sinema, Rosen, Padilla, Ossoff,
Portman, Johnson, Paul, Lankford, Romney, Scott, and Hawley
present for the vote. The Committee ordered the bill, as
amended, to be favorably reported by voice vote en bloc.
Senators present for the vote were: Peters, Carper, Hassan,
Sinema, Rosen, Padilla, Ossoff, Portman, Johnson, Paul,
Lankford, Romney, Scott, and Hawley.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section states that the Act may be cited as the
``Industrial Control Systems Cybersecurity Training Act''.
Sec. 2. Establishment of the Industrial Control Systems Training
Initiative
Subsection (a) amends the Homeland Security Act of 2002 to
add a new section, 2220E, which authorizes CISA to establish
the Industrial Control Systems Cybersecurity Training
Initiative.
Sec. 2220E subsection (a) establishes the Initiative in order
to develop and strengthen the skills of the cybersecurity
workforce related to securing ICS.
Sec. 2220E subsection (b) requires CISA to include virtual
and in-person trainings and courses provided at no cost to
participants. Trainings and courses will be accessible to
different skill levels, cover cyber defense strategies for ICS,
and make appropriate considerations for the availability of
trainings and courses in different regions of the United
States. This section further directs CISA to engage in
collaboration with the Department of Energy's National
Laboratories, consultation with Sector Risk Management
Agencies, and, as appropriate, consultation with private sector
entities.
Sec. 2220E subsection (c) directs CISA to provide an annual
report to the House Committee on Homeland Security and the
Senate Committee on Homeland Security and Governmental Affairs
with a description of Initiative courses, outreach efforts, the
number and demographics of participants, and the participation
of workers from each critical infrastructure sector, along with
plans for expanding access to ICS cybersecurity training and
recommendations on how to improve the state of ICS
cybersecurity education and training.
Subsection (b) has a clerical amendment to update the table
of contents of the Homeland Security Act of 2002.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules.
VI. Congressional Budget Office Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, October 17, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 7777, the
Industrial Control Systems Cybersecurity Training Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
H.R. 7777 would require the Cybersecurity and
Infrastructure Security Agency (CISA) to offer voluntary
cybersecurity training to critical infrastructure operators.
Under the bill, CISA would teach attendees to identify and
mitigate threats to information systems that are used in the
automated control of critical infrastructure processes (such as
power generation and water treatment). In addition, the bill
would require CISA to report to the Congress on the
effectiveness of its efforts.
CISA already provides cybersecurity training courses for
critical infrastructure operators; thus, the bill would codify
those responsibilities and would not impose any new operating
requirements on the agency. CBO estimates that implementing
H.R. 7777 would cost less than $500,000 over the 2023-2027
period to prepare and deliver the required reports; such
spending would be subject to the availability of appropriated
funds.
On June 9, 2022, CBO transmitted a cost estimate for H.R.
7777, the Industrial Control Systems Cybersecurity Training
Act, as ordered reported by the House Committee on Homeland
Security on May 19, 2022. The two bills are similar, and CBO's
estimates of their costs are the same.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Director of
Budget.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows: (existing law
proposed to be omitted is enclosed in brackets, new matter is
printed in italic, and existing law in which no change is
proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
* * * * * * *
SEC. 1. SHORT TITLE; TABLE OF CONTENTS.
(a) * * *
(b) Table of Contents.--The table of contents for this Act
is as follows:
Sec. 1. * * *
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
* * * * * * *
Sec. 2220D. Federal Clearinghouse on School Safety Evidence-based
Practices.
Sec. 2220E. Industrial Control Systems Cybersecurity Training
Initiative.
* * * * * * *
[Sec. 2220D. Federal Clearinghouse on School Safety Evidence-based
Practices.]
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
* * * * * * *
Subtitle A--Cybersecurity and Infrastructure Security
* * * * * * *
SEC. 2220E. INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY TRAINING
INITIATIVE
(a) Establishment.--
(1) In general.--The Industrial Control Systems
Cybersecurity Training Initiative (in this section
referred to as the `Initiative') is established within
the Agency.
(2) Purpose.--The purpose of the Initiative is to
develop and strengthen the skills of the cybersecurity
workforce related to securing industrial control
systems.
(b) Requirements.--In carrying out the Initiative, the
Director shall--
(1) ensure the Initiative includes--
(A) virtual and in-person trainings and
courses provided at no cost to participants;
(B) trainings and courses available at
different skill levels, including introductory
level courses;
(C) trainings and courses that cover cyber
defense strategies for industrial control
systems, including an understanding of the
unique cyber threats facing industrial control
systems and the mitigation of security
vulnerabilities in industrial control systems
technology; and
(D) appropriate consideration regarding the
availability of trainings and courses in
different regions of the United States;
(2) engage in--
(A) collaboration with the Department of
Energy national laboratories in accordance with
section 309;
(B) consultation with Sector Risk Management
Agencies; and
(C) as appropriate, consultation with private
sector entities with relevant expertise, such
as vendors of industrial control systems
technologies; and
(3) consult, to the maximum extent practicable, with
commercial training providers and academia to minimize
the potential for duplication of other training
opportunities.
(c) Reports.--
(1) In general.--Not later than 1 year after the date
of enactment of this section, and annually thereafter,
the Director shall submit to the Committee on Homeland
Security of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs
of the Senate a report on the Initiative.
(2) Contents.--Each report submitted under paragraph
(1) shall include the following:
(A) A description of the courses provided
under the Initiative.
(B) A description of outreach efforts to
raise awareness of the availability of such
courses.
(C) The number of participants in each
course.
(D) Voluntarily provided information on the
demographics of participants in such courses,
including by gender, race, and place of
residence.
(E) Information on the participation in such
courses of workers from each critical
infrastructure sector.
(F) Plans for expanding access to industrial
control systems education and training,
including expanding access to women and
underrepresented populations, and expanding
access to different regions of the United
States.
(G) Recommendations on how to strengthen the
state of industrial control systems
cybersecurity education and training.