Inside Cybersecurity

House approves Rep. Swalwell’s industrial control system cyber training measure

By Charlie Mitchell / June 22, 2022

The House has passed a bill establishing an “Industrial Control Systems Cybersecurity Training Initiative” at CISA to bolster the cyber workforce in an area identified as a top priority by the cybersecurity agency.

The bill by Rep. Eric Swalwell (D-CA) was approved Tuesday by the House under suspension of the rules, a procedure for noncontroversial bills requiring a two-thirds vote. Similar legislation has yet to emerge in the Senate. Swalwell serves on the House Homeland Security and Intelligence committees.

The legislation directs the Cybersecurity and Infrastructure Security Agency to consult with Sector Risk Management Agencies, the private sector, and the Energy Department’s National Laboratories in building out an initiative that includes:

  1. virtual and in-person trainings and courses provided at no cost to participants;
  2. trainings and courses available at different skill levels, including introductory level courses;
  3. trainings and courses that cover cyber defense strategies for industrial control systems, including an understanding of the unique cyber threats facing industrial control systems and the mitigation of security vulnerabilities in industrial control systems technology; and
  4. appropriate consideration regarding the availability of trainings and courses in different regions of the United States.

According to the bill text, “The purpose of the Initiative is to develop and strengthen the skills of the cybersecurity workforce related to securing industrial control systems.”

Within one year of enactment, CISA is to report to the House and Senate homeland security committees on issues including courses offered under the initiative; outreach to raise awareness of the program; the number and “demographics of participants”; participation of workers from each critical infrastructure sector; plans for expanding access, including “to women and under-represented populations, and expanding access to different regions of the United States”; and recommendations “on how to strengthen the state of industrial control systems cybersecurity education and training.”

CISA currently offers a variety of training opportunities related to ICS security.

“CISA program training events consist of 'regional' training courses and workshops at venues in various locations in addition to the 4-day training events held in Idaho Falls, Idaho,” according to the agency. “Note that all CISA training courses are presented with no tuition cost to the attendee.”

Veracode’s Chris Wysopal commented on the bill: “The proposed amendment to the Homeland Security Act of 2002 to include a cybersecurity training initiative illustrates the enhanced need for the implementation of preventative cybersecurity measures to protect our nation’s critical infrastructure, particularly application-layer security. As the first line of defense against increasingly sophisticated hackers, we must arm our developers and cyber professionals with the tools necessary to secure industrial control systems and that starts with proper training.”

He cited training provided by Veracode Security Labs as decreasing the time to fix flaws by 35 percent, “indicating that training can go a long way to advance the security posture of an organization. If passed, this bill will serve as a step in the right direction, giving CISA the power to help ICS organizations that often lack the institutional knowledge and resources, to more effectively deal with evolving threats.”

CrowdStrike’s Robert Sheldon said, “CISA has taken a number of steps over the past couple of years to strengthen its ICS security efforts. This includes an ICS/OT-focused workstream within the Joint Cyber Defense Collaborative (JCDC) to promote collaboration between key players. Additional training can also clearly help here, given some of the specialized requirements and constraints in this space, as well as critical infrastructure entities’ increased focus on cybersecurity readiness overall.”

Sheldon said, “An important consideration is ensuring that new efforts offer something differentiated from existing resources, such as those offered by Sector Risk Management Agencies and other established groups. This will make best use of participants’ time and attention.”

Separately, President Biden on Tuesday signed into law S. 1097, the “Federal Rotational Cyber Workforce Program Act,” and S. 2520, the “State and Local Government Cybersecurity Act,” to help improve cyber efforts throughout the country. -- Charlie Mitchell (cmtchell@iwpnews.com)