Congress steers clear of industrial control systems cybersecurity

Rule number one about legislation affecting the cybersecurity of industrial control systems (ICS) is that no one talks about legislation affecting the cybersecurity of ICS. At least it seems that way based on a number of attempts to get industry stakeholders to talk on the record about the prospects in the 116^th Congress for any legislation that affects critical infrastructure, specifically as it relates to industrial control systems.

Although a number of cybersecurity-related bills have been introduced in the new Congress, only a handful of relatively non-controversial pieces of legislation, most reintroduced from the last Congress, deal primarily with critical infrastructure industrial control systems, a surprise given the stepped-up concerns over threats to the nation’s electric grids, gas and oil pipelines, transportation systems and dams and the rise of industrial supply chain issues that have grabbed headlines over the past few years.

Part of the reason for a hazy legislative outlook regarding industrial control systems is that from most critical infrastructure providers’ perspectives, no legislation is good legislation. Few stakeholders want to give currency to the idea of any form of government regulation or mandates. Neither, apparently, does the Congress, particularly on the Senate side, which is where, in the words of a think tank analyst, “cybersecurity legislation goes to die,” as Politico reports.

Industry resistance to regulation thwarting ICS cybersecurity legislation

“Senator Johnson [Republican head of the Senate Homeland Security and Governmental Affairs Committee] has a reputation for swatting down cybersecurity legislation. He comes from a business background, he doesn’t like regulation,” says Patrick Coyle, publisher of Chemical Security News, which tracks legislation affecting chemical and industrial control security.

Although Johnson has rebuffed cybersecurity legislation over the past four years, that may be changing, Coyle says. Some of Johnson’s actions early in this new Congress, such as mid-February mark-ups of three cybersecurity-related bills, make the point that his committee is going to address cybersecurity this session.

Another reason for Congressional inaction on this most sensitive of cybersecurity issues is its complexity. “The lexicon of cybersecurity has a big blind spot: Industrial control security issues. Almost all of the definitions rely on definitions of computer terminology that strictly bear on information technology,” Coyle says.

The inside-baseball, inherently complex nature of ICS may be a factor in not only Congressional reluctance to wade into those waters but may very well be a security mechanism in and of itself. “The only thing saving the security of the [electric] grid is that it is such a massive, multi-faceted monster that has been designed to recover quickly from physical attacks by weather and squirrels.”

Regulation might negatively impact ICS security efforts

Moreover, any form of new legislation or possibly ensuing regulations could end up hamstringing bona fide security efforts in the complex, niche world of ICS. “There’s a point where we can be over-legislative in terms of security to where it’s impossible for security to be done,” Lesley Carhart, principal threat hunter at ICS cybersecurity firm Dragos says.

The danger lies in being too specific across the board, delivering overly broad mandates that might not fit a host of diverse, specific industrial control situations. “Don’t make things too granular for a particular vertical or operator,” Carhart says. “Different levels of operation and different levels of maturity” require different solutions.

“Security issues in general, cybersecurity in particular, are very difficult to regulate because there is so much diversity in the systems that are vulnerable. What will secure one system will not secure another system. What is a legitimate security expense in one place is overkill in another,” Coyle says.

Small critical infrastructure providers stand to gain from Congress’s help

One ICS area where Congress could unambiguously help is assisting small critical infrastructure companies with crafting any cybersecurity legislation, whether dealing with ICS-specific cybersecurity tasks or managing the broad spectrum of cybersecurity needs, such as breach notification or management of internet of things devices. “It’s hard to write a law that doesn’t impact small organizations differently than big organizations,” Patrick Miller, president emeritus of the Energy Sector Security Consortium (EnergySec) and managing partner of Archer Energy Solutions, says.

In terms of cybersecurity, “Power is doing pretty well, so is oil and gas…but when you start looking at smaller water and sewage operators…. often those small operators have one security person if they’re that lucky,” Carhart says.  There are not enough “hours in the days to actually start looking at security events, and that’s something that really needs to be addressed,” particularly for smaller operators.

Water and sewage are most overlooked critical infrastructure

Potentially one overlooked area in industrial control security is the nation’s water and sewage infrastructure. “If you ask my colleagues which industry vertical keeps them up at night, it’s water,” Carhart says. “Having clean water is much more subtle and it’s much more insidious…if water is not treated properly that’s a much more serious situation. Nobody thinks about them so they kind of get left behind in a lot of initiatives.”

The one bill on the congressional agenda that unambiguously addresses ICS is H.R.680, the Securing Energy Infrastructure Act, that touches on industrial control systems, introduced by Representative Dutch Ruppersberger (D-MD), with a companion bill on the Senate side introduced by Representative Angus King (I-ME). That legislation allocates $10 million for a two-year program within the Department of Energy National Laboratories to identify cyber vulnerabilities in energy sector non-digital systems and to test technologies that could defend the grid against cyberattacks.

Even though the bill is widely considered non-controversial, applying the knowledge gained from the test pilot might prove to be a challenge in the arcane world of industrial security. “The hard part is when it’s created at a national lab is that it’s competing with the private sector, ” Archer Energy’s Miller says. “How do you do the technology transfer? Without exit paths, this is basically going to be an academic exercise.”

Even if little Congressional action relating to industrial control systems is on the horizon, that doesn’t mean Congress isn’t doing its homework. “I’m impressed by how congressional staffers have been involved,” Carhart says. “It’s the staffers in the offices that are doing the research and a ton of the outreach.”