In a predominantly bipartisan vote, the Industrial Control Systems Cybersecurity Training Act was passed by the House of Representatives on the evening of June 21, 2022. The bill, sponsored by Representative Eric Swalwell (D-CA) establishes within the Cybersecurity and Infrastructure Security Agency (CISA) an initiative to provide the cybersecurity workforce with no-cost training related to securing industrial control systems. These information systems are used to control industrial processes such as manufacturing, product handling, production and distribution.
Industrial Control Systems Cybersecurity Training Act
This bill will supplement an already impressive array of training programs from CISA to keep the infrastructure of the United States secure. Unlike a great many bills, the action elements are concise and precise.
CISA must ensure its efforts include:
- Virtual and in-person training and courses provided at no cost to participants;
- Training and courses available for different skill levels, including introductory-level courses;
- Training and courses that cover cybersecurity defense strategies for industrial control systems, including an understanding of the unique cybersecurity threats facing industrial control systems and the mitigation of security vulnerabilities in industrial control systems technology and
- Appropriate consideration regarding the availability of training and courses in different regions of the United States.
CISA must also ensure “collaboration with the Department of Energy’s National Laboratories; Consultation with Sector Risk Management Agencies; and as appropriate, consultation with private sector entities with relevant expertise, such as vendors of industrial control systems technologies,” according to the text of the bill.
CISA will report to both houses of Congress’ Homeland Security Committees on an annual basis providing Congress with a report on this training initiative. Specifically, CISA must include:
- A description of the courses provided under the initiative.
- A description of the outreach efforts to raise awareness of the availability of such courses.
- Information on the number and demographics of participants in such courses, including by gender, race and place of residence.
- Information on the participation in such courses of workers from each critical infrastructure sector.
- Plans for expanding access to industrial control systems education and training, including expanding access to women and underrepresented populations and expanding access to different regions of the United States.
- Recommendations on how to strengthen the state of industrial control systems cybersecurity education and training.
The Act has now been referred to the Senate Homeland Security and Governmental Affairs Committee for their action.
CISA’s Current Training Initiatives and Advisory Board Recommendations
CISA’s current array of training and learning programs, all of which are available at no cost to the participant, are available via the CISA.gov website and are divided into two sub-groups: The Critical Infrastructure Learning Series and The Critical Infrastructure Training Program.
Additionally, on June 22, included in CISA’s third cybersecurity advisory committee meeting readout were the reports from the various subcommittees, all of which were focused on the protection of the nation’s infrastructure.
- The Transforming the Cyber Workforce Subcommittee made recommendations focused on enhancing the talent acquisition process so as to make CISA more competitive and to create a new position within CISA, that of chief people officer.
- The Turning the Corner on Cyber Hygiene Subcommittee made three recommendations:
- CISA should launch a 311 national campaign to provide an emergency call line and clinics for assistance following cybersecurity incidents for small and medium businesses.
- CISA should expand its multifactor authentication (MFA) campaign by identifying additional vehicles for publicizing its More Than a Password campaign
- CISA should take all available steps to ensure that companies are working with the federal government to fully adopt MFA by 2025.
- The Protecting Critical Infrastructure from Mis- Dis- and Malinformation (MDM) Subcommittee recommended that CISA focus on addressing MDM risks that undermine critical functions of American society. As part of this work, the subcommittee recommended that CISA invest in external research to assess the impact of MDM threats and the efficacy of its MDM mitigation efforts.
- The Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee continued its efforts to identify systemic risks across the national critical infrastructure and recommended holding tabletop exercises.
- The Strategic Communications Subcommittee echoed the recommendations from the Cyber Hygiene subcommittee with respect to MFA and a national 311 national campaign.
- The Technical Advisory Council recommended CISA develop incentives and access to information to aid security researchers and to invest in infrastructure to enable the timely submission and notification when vulnerabilities are discovered. The end goal is to create a complete loop system from submission to action to providing feedback to the researcher.