As fears of Russian cyber threats in reprisal for U.S. support of Ukraine continue to grow across Congress, U.S. Rep. Eric Swalwell (D-CA) introduced the Industrial Control Systems Cybersecurity Training Act this week to bolster U.S. cybersecurity.
The new legislation would mandate the permanent creation of education programs for information technology professionals on the best means to protect computer network security systems against intrusion. The Cybersecurity and Infrastructure Security Agency (CISA) would manage and provide these programs to build up cyber defenses for both businesses and national infrastructure.
“With the increased threat of Russian cyberattacks, we must be cognizant of cyberwarfare from state-sponsored actors,” Swalwell, member of the House Select Committee on Intelligence, Judiciary Committee, and Homeland Security Committee, said. “This bill would help train our information technology professionals in the federal government, national laboratories, and private sector to better defend against damaging foreign attacks.”
The bill’s namesake, industrial control systems (ICS), are responsible for essential services on computer networks, helping manage electricity, petroleum production, water, transportation, manufacturing, and communication. These systems tend to rely heavily on online connectivity and functionality, which aids their reach and control but also leaves openings for attack.
In March this year, the White House warned of potentially increased cyberattacks on critical infrastructure by Russian operatives. Since then, the U.S. Department of Energy, together with CISA, the National Security Agency, and the Federal Bureau of Investigation, released a joint advisory laying out the sort of attacks that advanced persistent threat (APT) actors are capable of carrying out with various custom-made tools, including gaining full system access to devices such as:
- Schneider Electric programmable logic controllers (PLCs)
- OMRON Sysmac NEX PLCs
- Open Platform Communications Unified Architecture (OPC UA) servers
Training authorized by Swalwell’s legislation would be available to both public and private sector entities. Annual reporting would also be required, along with recommendations on expanding and improving ICS cyber training against future threats.