Industry resistance to regulation, complexity of securing ICS systems are roadblocks to passage of critical infrastructure cybersecurity legislation.

Rule number one about legislation affecting the cybersecurity of industrial control systems (ICS) is that no one talks about legislation affecting the cybersecurity of ICS. At least it seems that way based on a number of attempts to get industry stakeholders to talk on the record about the prospects in the 116th Congress for any legislation that affects critical infrastructure, specifically as it relates to industrial control systems.

Although a number of cybersecurity-related bills have been introduced in the new Congress, only a handful of relatively non-controversial pieces of legislation, most reintroduced from the last Congress, deal primarily with critical infrastructure industrial control systems. That is a surprise given the stepped-up concerns over threats to the nation’s electric grids, gas and oil pipelines, transportation systems and dams, and the rise of industrial supply chain issues that have grabbed headlines over the past few years.

Part of the reason for a hazy legislative outlook regarding industrial control systems is that from most critical infrastructure providers’ perspectives, no legislation is good legislation. Few stakeholders want to give currency to the idea of any form of government regulation or mandates. Neither, apparently, does the Congress, particularly on the Senate side, which is where, in the words of a think tank analyst, “cybersecurity legislation goes to die,” as Politico reports.

Industry resistance to regulation thwarting ICS cybersecurity legislation

“Senator Johnson [Republican head of the Senate Homeland Security and Governmental Affairs Committee] has a reputation for swatting down cybersecurity legislation. He comes from a business background, he doesn’t like regulation,” says Patrick Coyle, publisher of Chemical Security News, which tracks legislation affecting chemical and industrial control security. Although Johnson has rebuffed cybersecurity legislation over the past four years, that may be changing, Coyle says. Some of Johnson’s actions early in this new Congress, such as mid-February mark-ups of three cybersecurity-related bills, make the point that his committee is going to address cybersecurity this session.

Another reason for Congressional inaction on this most sensitive of cybersecurity issues is its complexity. “The lexicon of cybersecurity has a big blind spot: industrial control security issues. Almost all of the definitions rely on definitions of computer terminology that strictly bear on information technology,” Coyle says. The inside-baseball, inherently complex nature of ICS may be a factor not only in Congressional reluctance to wade into those waters but may very well be a security mechanism in and of itself. “The only thing saving the security of the [electric] grid is that it is such a massive, multi-faceted monster that has been designed to recover quickly from physical attacks by weather and squirrels.”

Regulation might negatively impact ICS security efforts

Moreover, any form of new legislation or possibly ensuing regulations could end up hamstringing bona fide security efforts in the complex, niche world of ICS. “There’s a point where we can be over-legislative in terms of security to where it’s impossible for security to be done,” Lesley Carhart, principal threat hunter at ICS cybersecurity firm Dragos, says.

The danger lies in being too specific across the board, delivering overly broad mandates that might not fit a host of diverse, specific industrial control situations. “Don’t make things too granular for a particular vertical or operator,” Carhart says. “Different levels of operation and different levels of maturity” require different solutions.

“Security issues in general, cybersecurity in particular, are very difficult to regulate because there is so much diversity in the systems that are vulnerable. What will secure one system will not secure another system. What is a legitimate security expense in one place is overkill in another,” Coyle says.

Small critical infrastructure providers stand to gain from Congress’s help

One ICS area where Congress could unambiguously help is assisting small critical infrastructure companies with crafting any cybersecurity legislation, whether dealing with ICS-specific cybersecurity tasks or managing the broad spectrum of cybersecurity needs, such as breach notification or management of internet of things devices. “It’s hard to write a law that doesn’t impact small organizations differently than big organizations,” Patrick Miller, president emeritus of the Energy Sector Security Consortium (EnergySec) and managing partner of Archer Energy Solutions, says.

In terms of cybersecurity, “Power is doing pretty well, so is oil and gas…but when you start looking at smaller water and sewage operators…often those small operators have one security person if they’re that lucky,” Carhart says. There are not enough “hours in the days to actually start looking at security events, and that’s something that really needs to be addressed,” particularly for smaller operators.

Water and sewage are most overlooked critical infrastructure

Potentially one overlooked area in industrial control security is the nation’s water and sewage infrastructure. “If you ask my colleagues which industry vertical keeps them up at night, it’s water,” Carhart says. “Having clean water is much more subtle and it’s much more insidious…if water is not treated properly that’s a much more serious situation. Nobody thinks about them so they kind of get left behind in a lot of initiatives.”

The one bill on the congressional agenda that unambiguously addresses ICS is H.R.680, the Securing Energy Infrastructure Act, introduced by Representative Dutch Ruppersberger (D-MD), with a companion bill on the Senate side introduced by Representative Angus King (I-ME). That legislation allocates $10 million for a two-year program within the Department of Energy National Laboratories to identify cyber vulnerabilities in energy sector non-digital systems and to test technologies that could defend the grid against cyberattacks.

Even though the bill is widely considered non-controversial, applying the knowledge gained from the test pilot might prove to be a challenge in the arcane world of industrial security. “The hard part is when it’s created at a national lab is that it’s competing with the private sector,” Archer Energy’s Miller says. “How do you do the technology transfer? Without exit paths, this is basically going to be an academic exercise.”

Even if little Congressional action relating to industrial control systems is on the horizon, that doesn’t mean Congress isn’t doing its homework. “I’m impressed by how congressional staffers have been involved,” Carhart says. “It’s the staffers in the offices that are doing the research and a ton of the outreach.”