Congress steers clear of industrial control systems cybersecurity

Industry resistance to regulation, complexity of securing ICS systems are roadblocks to passage of critical infrastructure cybersecurity legislation.

Rule number one about legislation affecting the cybersecurity of industrial control systems (ICS) is that no one talks about legislation affecting the cybersecurity of ICS. At least it seems that way based on a number of attempts to get industry stakeholders to talk on the record about the prospects in the 116th Congress for any legislation that affects critical infrastructure, specifically as it relates to industrial control systems.

Although a number of cybersecurity-related bills have been introduced in the new Congress, only a handful of relatively non-controversial pieces of legislation, most reintroduced from the last Congress, deal primarily with critical infrastructure industrial control systems. That is a surprise given the stepped-up concerns over threats to the nation’s electric grids, gas and oil pipelines, transportation systems and dams, and the rise of industrial supply chain issues that have grabbed headlines over the past few years.

Part of the reason for a hazy legislative outlook regarding industrial control systems is that from most critical infrastructure providers’ perspectives, no legislation is good legislation. Few stakeholders want to give currency to the idea of any form of government regulation or mandates. Neither, apparently, does the Congress, particularly on the Senate side, which is where, in the words of a think tank analyst, “cybersecurity legislation goes to die,” as Politico reports.

Industry resistance to regulation thwarting ICS cybersecurity legislation

“Senator Johnson [Republican head of the Senate Homeland Security and Governmental Affairs Committee] has a reputation for swatting down cybersecurity legislation. He comes from a business background, he doesn’t like regulation,” says Patrick Coyle, publisher of Chemical Security News, which tracks legislation affecting chemical and industrial control security.

Although Johnson has rebuffed cybersecurity legislation over the past four years, that may be changing, Coyle says. Some of Johnson’s actions early in this new Congress, such as mid-February mark-ups of three cybersecurity-related bills, make the point that his committee is going to address cybersecurity this session.
