[Senate Report 117-281]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 680
117th Congress    }                                     {       Report
                                 SENATE
 2d Session       }                                     {      117-281
_______________________________________________________________________

                                     



         INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY TRAINING ACT

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                               H.R. 7777

             TO AMEND THE HOMELAND SECURITY ACT OF 2002 TO
             AUTHORIZE THE CYBERSECURITY AND INFRASTRUCTURE
               SECURITY AGENCY TO ESTABLISH AN INDUSTRIAL
           CONTROL SYSTEMS CYBERSECURITY TRAINING INITIATIVE,
                         AND FOR OTHER PURPOSES

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


               December 19, 2022.--Ordered to be printed  
                             _________
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
39-010                   WASHINGTON : 2023
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
         Jeffrey D. Rothblum, Senior Professional Staff Member
                Pamela Thiessen, Minority Staff Director
            Sam J. Mulopulos, Minority Deputy Staff Director
              William H.W. McKenna, Minority Chief Counsel
                     Laura W. Kilbride, Chief Clerk   
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     


                                                      Calendar No. 680
117th Congress    }                                     {       Report
                                 SENATE
 2d Session       }                                     {      117-281

======================================================================



 
         INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY TRAINING ACT

                                _______
                                

               December 19, 2022.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                        [To accompany H.R. 7777]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (H.R. 7777) to amend 
the Homeland Security Act of 2002 to authorize the 
Cybersecurity and Infrastructure Security Agency to establish 
an industrial control systems cybersecurity training 
initiative, and for other purposes, having considered the same, 
reports favorably thereon with an amendment, in the nature of a 
substitute, and recommends that the bill, as amended, do pass.

                                CONTENTS

                                                                     Page
  I. Purpose and Summary..............................................  1
 II. Background and Need for the Legislation..........................  2
III. Legislative History..............................................  3
 IV. Section-by-Section Analysis of the Bill, as Reported.............  4
  V. Evaluation of Regulatory Impact..................................  4
 VI. Congressional Budget Office Cost Estimate........................  5
VII. Changes in Existing Law Made by the Bill, as Reported............  6

                         I. Purpose and Summary

    Industrial Control Systems are information systems used to 
control, generally, physical industrial processes and often 
consist of combinations of components (e.g., electrical, 
mechanical, hydraulic, pneumatic) that act together to achieve 
an industrial objective, such as manufacturing, product 
handling, or transportation.\1\ H.R. 7777, the Industrial 
Control Systems Cybersecurity Training Act, recognizes the 
unique challenges in securing industrial control systems (ICS) 
and requires specialized training to implement such 
security.\2\ The bill would establish an ICS Training 
Initiative (Initiative) at the Cybersecurity and Infrastructure 
Security Agency (CISA), and authorizes CISA to provide training 
and courses on ICS cybersecurity to public and private sector 
organizations. The bill requires CISA to publish an annual 
report on the Initiative, including future plans of the 
Initiative and recommendations for additional actions to 
strengthen ICS cybersecurity resources.
---------------------------------------------------------------------------
    \1\ National Institute of Standards and Technology, Glossary: 
industrial control system (ICS) (https://csrc.nist.gov/glossary/term/
industrial_control_system) (accessed Dec. 12, 2022).
    \2\The terms operational technology (OT) and ICS are often used 
interchangeably by the private sector entities who develop operate such 
technology, as well as cybersecurity companies that work to protect 
such technology. Some organizations use OT as an umbrella term with ICS 
as the predominant technology within OT. For purposes of this report, 
the term ICS will be used throughout for consistency, even though some 
citations refer to OT rather than ICS.
---------------------------------------------------------------------------

              II. Background and Need for the Legislation

    ICS cybersecurity is different from traditional information 
technology (IT) cybersecurity, in part due to the ``unique 
performance, reliability, and safety requirements'' of ICS 
systems.\3\ Many of these differences stem from the fact that 
ICS systems have a direct effect on the physical world as they 
execute industrial processes, meaning cybersecurity risks can 
lead to significant physical world consequences, including on 
the health and safety of human lives, serious damage to the 
environment, and negative impacts to the nation's economy.\4\
---------------------------------------------------------------------------
    \3\National Institute of Standards and Technology, Guide to 
Operational Technology (OT) Security (SP-800-82 Rev.3 (Draft)) (Apr. 
26, 2022).
    \4\National Institute of Standards and Technology, Guide to 
Operational Technology (OT) Security (SP-800-82 Rev.3 (Draft)) (Apr. 
26, 2022).
---------------------------------------------------------------------------
    The risks to ICS are not hypothetical. In recent years, 
there have been numerous threats and attacks to ICS systems, 
many of which are part of the country's critical infrastructure 
for providing lifeline services. A recent report found 93% of 
ICS organizations experienced an intrusion in 2022; 78% of 
those organizations experienced three or more intrusions.\5\ In 
January of 2021, a hacker was able to gain access to a water 
treatment plant that served large parts of the San Francisco 
Bay area and was in a position to augment the chemical levels 
used in treating wastewater.\6\ Similarly, in February of 2021, 
a hacker utilized the same exploit against an Oldsmar, Florida 
drinking water treatment facility.\7\ In this incident, the 
attacker gained access to the ICS that controlled the sodium 
hydroxide levels in the water and raised them to poisonous 
levels before being manually overridden, avoiding anyone from 
being harmed.\8\ The 2021 Colonial Pipeline cyber attack 
targeted the company's IT systems and the resulting multi-day 
shutdown of the company's pipeline and ICS technology lead to a 
destabilization of fuel supply across the East coast.\9\ These 
attacks foreshadow the scale and severity that more aggressive 
attacks on ICS systems can yield.
---------------------------------------------------------------------------
    \5\Fortinet, 2022 State of Operational Technology and Cybersecurity 
Report (2022) (https://www.fortinet.com/content/dam/fortinet/assets/
analyst-reports/report-2022-ot-cybersecurity.pdf).
    \6\50,000 security disasters waiting to happen: The problem of 
America's water supplies, NBC News (Jun. 17, 2021) (https://
www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-
was-easy-entering-password-rcna1206).
    \7\50,000 security disasters waiting to happen: The problem of 
America's water supplies, NBC News (Jun. 17, 2021) (https://
www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-
was-easy-entering-password-rcna1206); FBI Called In After Hacker Tries 
To Poison Tampa-Area City's Water With Lye, NPR (Feb. 9, 2021) (https:/
/www.npr.org/2021/02/09/965791252/fbi-called-in-after-hacker-tries-to-
poison-tampa-area-citys-water-with-lye).
    \8\50,000 security disasters waiting to happen: The problem of 
America's water supplies, NBC News (Jun. 17, 2021) (https://
www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-
was-easy-entering-password-rcna1206); FBI Called In After Hacker Tries 
To Poison Tampa-Area City's Water With Lye, NPR (Feb. 9, 2021) (https:/
/www.npr.org/2021/02/09/965791252/fbi-called-in-after-hacker-tries-to-
poison-tampa-area-citys-water-with-lye).
    \9\`Juglar' of the U.S. fuel pipeline system shuts down after 
cyberattack, Politico, (May 8, 2021) (https://www.politico.com/news/
2021/05/08/colonial-pipeline-cyber-attack-485984).
---------------------------------------------------------------------------
    Studies have shown there are hundreds of thousands of 
cybersecurity job openings in the United States.\10\ The 
consequences of the is workforce shortage impact all sections, 
but are particularly severe for the ICS community.\11\ ICS 
systems have unique performance and reliability requirements, 
thus the cybersecurity requirements are often unfamiliar or 
seen as unconventional to typical IT cybersecurity 
personnel.\12\ While traditional cybersecurity education 
programs cover most aspects of IT cybersecurity, there are six 
industrial cybersecurity education domains where there is 
little educational focus: industrial operations, 
instrumentation and control, equipment, communications, safety, 
and regulation.\13\\14\
---------------------------------------------------------------------------
    \10\While the number of openings vary, as does the methods of 
measuring the number of openings, the range is most often stated to be 
between 400,000 and 700,000 cybersecurity openings in the United 
States. (ISC)\2\'s annual Cybersecurity Workforce Study for 2022 found 
about 400,000 cybersecurity job openings in the United States in, while 
Cyber Seek found about 465,000 openings and the Biden administration 
has said that the number has grown to more than 700,000. See U.S. has 
almost 500,000 job openings in cybersecurity, CBS News (May 21, 2021) 
(https://www.cbsnews.com/news/cybersecurity-job-openings-united-states/
), Biden administration pushes to close the growing cybersecurity 
workforce gap, CNN (Jul. 19, 2021) (https://www.cnn.com/2022/07/19/
tech/biden-cyber-workforce-gap/index.html), and (ISC)\2\, 2022 
Cybersecurity Workforce Study (2022) (https://www.isc2.org/Research/
Workforce-Study).
    \11\Fortinet, 2022 State of Operational Technology and 
Cybersecurity Report (2022) (https://www.fortinet.com/com/content/dam/
fortinet/assets/analyst-reports/report-2022-ot-cybersecurity.pdf)
    \12\National Institute of Standards and Technology, Guide to 
Operational Technology (OT) Security (SP-800-82 Rev.3 (Draft)) (Apr. 
26, 2022).
    \13\Building an Industrial Cybersecurity Workforce: A Manager's 
Guide, Idaho State University and Idaho National Laboratory, (accessed 
December 7, 2022), available at https://inl.gov/wp-
content/uploads/2021/02/ICS_Workforce-ManagersGuide2021.pdf.
    \14\Building an Industrial Cybersecurity Workforce: A Manager's 
Guide, Idaho State University and Idaho National Laboratory, (accessed 
December 7, 2022), available at https://inl.gov/wp-
content/uploads/2021/02/ICS_Workforce-ManagersGuide2021.pdf.
---------------------------------------------------------------------------
    H.R. 7777 would help address this education gap by 
providing specific ICS training. H.R. 7777 would authorize CISA 
to provide no-cost virtual and in-person trainings and courses 
to help the cyber workforce develop skills that are more 
focused on ICS cybersecurity and the specific threats to ICS. 
The bill would also give Congress an annual report on the 
program which will highlight program progression, expansion 
opportunities, and the participation of women and underserved 
communities.

                        III. Legislative History

    Representative Swalwell (D-CA-15) introduced H.R. 7777, the 
Industrial Control Systems Cybersecurity Training Act, on May 
16, 2022. The bill was referred to the House Committee on 
Homeland Security. On May 19, 2022, the bill was marked up by 
the House Committee on Homeland Security favorably by voice 
vote. On June 21, 2022, the House of Representatives passed the 
bill under a suspension of the rules by a vote of 368 to 47. 
The bill was referred to the Senate Committee on Homeland 
Security and Governmental Affairs.
    The Committee considered H.R. 7777 at a business meeting on 
September 28, 2022. During the business meeting, Senator 
Portman (R-OH) offered a modified substitute amendment that 
made several technical amendments and added a provision 
requiring CISA to consult with commercial training providers 
and academia to minimize the potential for duplication of other 
training opportunities. The Portman substitute amendment, as 
modified, was adopted by voice vote en bloc with Senators 
Peters, Carper, Hassan, Sinema, Rosen, Padilla, Ossoff, 
Portman, Johnson, Paul, Lankford, Romney, Scott, and Hawley 
present for the vote. The Committee ordered the bill, as 
amended, to be favorably reported by voice vote en bloc. 
Senators present for the vote were: Peters, Carper, Hassan, 
Sinema, Rosen, Padilla, Ossoff, Portman, Johnson, Paul, 
Lankford, Romney, Scott, and Hawley.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section states that the Act may be cited as the 
``Industrial Control Systems Cybersecurity Training Act''.

Sec. 2. Establishment of the Industrial Control Systems Training 
        Initiative

    Subsection (a) amends the Homeland Security Act of 2002 to 
add a new section, 2220E, which authorizes CISA to establish 
the Industrial Control Systems Cybersecurity Training 
Initiative.
    Sec. 2220E subsection (a) establishes that the Initiative 
in order to develop and strengthen the skills of the 
cybersecurity workforce related to securing ICS.
    Sec. 2220E subsection (b) requires CISA to include virtual 
and in-person trainings and courses provided at no cost to 
participants. Trainings and courses will be accessible to 
different skill levels, cover cyber defense strategies for ICS, 
and make appropriate considerations for the availability of 
trainings and courses in different regions of the United 
States. This section further directs CISA to engage in 
collaboration with the Department of Energy's National 
Laboratories, consultation with Sector Risk Management 
Agencies, and, as appropriate, consultation with private sector 
entities.
    Sec. 2220E subsection (c) directs CISA to provide an annual 
report to the House Committee on Homeland Security and the 
Senate Committee on Homeland Security and Government Affairs 
with a description of Initiative courses, outreach efforts, the 
number and demographics of participants, and the participation 
of workers from each critical infrastructure sector, along with 
plans for expanding access to ICS cybersecurity training and 
recommendations on how to improve the state of ICS 
cybersecurity education and training.
    Subsection (b) has a clerical amendment to update the table 
of contents of the Homeland Security Act of 2002.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                  Washington, DC, October 17, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security, and Governmental Affairs, 
        U.S. Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 7777, the 
Industrial Control Systems Cybersecurity Training Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.

    
    

    H.R. 7777 would require the Cybersecurity and 
Infrastructure Security Agency (CISA) to offer voluntary 
cybersecurity training to critical infrastructure operators. 
Under the bill, CISA would teach attendees to identify and 
mitigate threats to information systems that are used in the 
automated control of critical infrastructure processes (such as 
power generation and water treatment). In addition, the bill 
would require CISA to report to the Congress on the 
effectiveness of its efforts.
    CISA already provides cybersecurity training courses for 
critical infrastructure operators; thus, the bill would codify 
those responsibilities and would not impose any new operating 
requirements on the agency. CBO estimates that implementing 
H.R. 7777 would cost less than $500,000 over the 2023-2027 
period to prepare and deliver the required reports; such 
spending would be subject to the availability of appropriated 
funds.
    On June 9, 2022, CBO transmitted a cost estimate for H.R. 
7777, the Industrial Control Systems Cybersecurity Training 
Act, as ordered reported by the House Committee on Homeland 
Security on May 19, 2022. The two bills are similar, and CBO's 
estimates of their costs are the same.
    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Leo Lex, Deputy Director of 
Budget.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows: (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

           *       *       *       *       *       *       *


SEC. 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) * * *
    (b) Table of Contents.--The table of contents for this Act 
is as follows:
Sec. 1. * * *
     * * * * * * *

      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

     * * * * * * *
Sec. 2220D. Federal Clearinghouse on School Safety Evidence-based 
          Practices.
Sec. 2220E. Industrial Control Systems Cybersecurity Training 
          Initiative.
     * * * * * * *
[Sec. 2220D. Federal Clearinghouse on School Safety Evidence-based 
          Practices.]
     * * * * * * *



      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY



     * * * * * * *

Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


SEC. 2220E. INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY TRAINING 
                    INITIATIVE

    (a) Establishment.--
          (1) In general.--The Industrial Control Systems 
        Cybersecurity Training Initiative (in this section 
        referred to as the `Initiative') is established within 
        the Agency.
          (2) Purpose.--The purpose of the Initiative is to 
        develop and strengthen the skills of the cybersecurity 
        workforce related to securing industrial control 
        systems.
    (b) Requirements.--In carrying out the Initiative, the 
Director shall--
          (1) ensure the Initiative includes--
                  (A) virtual and in-person trainings and 
                courses provided at no cost to participants;
                  (B) trainings and courses available at 
                different skill levels, including introductory 
                level courses;
                  (C) trainings and courses that cover cyber 
                defense strategies for industrial control 
                systems, including an understanding of the 
                unique cyber threats facing industrial control 
                systems and the mitigation of security 
                vulnerabilities in industrial control systems 
                technology; and
                  (D) appropriate consideration regarding the 
                availability of trainings and courses in 
                different regions of the United States;
          (2) engage in--
                  (A) collaboration with the Department of 
                Energy national laboratories in accordance with 
                section 309;
                  (B) consultation with Sector Risk Management 
                Agencies; and
                  (C) as appropriate, consultation with private 
                sector entities with relevant expertise, such 
                as vendors of industrial control systems 
                technologies; and
          (3) consult, to the maximum extent practicable, with 
        commercial training providers and academia to minimize 
        the potential for duplication of other training 
        opportunities.
    (c) Reports.--
          (1) In general.--Not later than 1 year after the date 
        of enactment of this section, and annually thereafter, 
        the Director shall submit to the Committee on Homeland 
        Security of the House of Representatives and the 
        Committee on Homeland Security and Governmental Affairs 
        of the Senate a report on the Initiative.
          (2) Contents.--Each report submitted under paragraph 
        (1) shall include the following:
                  (A) A description of the courses provided 
                under the Initiative.
                  (B) A description of outreach efforts to 
                raise awareness of the availability of such 
                courses.
                  (C) The number of participants in each 
                course.
                  (D) Voluntarily provided information on the 
                demographics of participants in such courses, 
                including by gender, race, and place of 
                residence.
                  (E) Information on the participation in such 
                courses of workers from each critical 
                infrastructure sector.
                  (F) Plans for expanding access to industrial 
                control systems education and training, 
                including expanding access to women and 
                underrepresented populations, and expanding 
                access to different regions of the United 
                States.
                  (G) Recommendations on how to strengthen the 
                state of industrial control systems 
                cybersecurity education and training.

                                  [all]