Bill Overview
Title: DHS Industrial Control Systems Capabilities Enhancement Act of 2021
Description: This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to maintain certain capabilities to identify and address threats to industrial control systems. Specifically, the bill requires CISA's National Cybersecurity and Communications Integration Center to ensure that its activities address the security of both information and operational technology, including industrial control systems. Additionally, CISA must maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes by (1) leading efforts to identify and mitigate cybersecurity threats to industrial control systems; (2) maintaining threat hunting and incident response capabilities to respond to cybersecurity risks and incidents; (3) providing cybersecurity technical assistance to stakeholders; and (4) collecting, coordinating, and providing vulnerability information to the industrial control systems community. CISA shall provide to the homeland security committees a briefing on its industrial control systems capabilities at specified intervals. The Government Accountability Office must review and report on implementation of the bill's requirements.
Sponsors: Sen. Peters, Gary C. [D-MI]
Target Audience
Population: Individuals relying on critical infrastructure services worldwide
Estimated Size: 331000000
- The bill focuses on enhancing cybersecurity measures for industrial control systems which are used across various industries including energy, water, transportation, manufacturing, and more.
- Industrial control systems are a foundational element of critical infrastructure, meaning any vulnerabilities could affect significant portions of both the U.S. and global populations relying on these services.
- Stakeholders in industries that utilize industrial control systems will be directly impacted as the bill provides for technical assistance meant to aid in mitigating cybersecurity threats.
- These systems are critical to operations in industries that supply essential services, such as electricity and clean water, thus affecting any individual who relies on these services.
Reasoning
- The policy primarily affects industries and sectors reliant on industrial control systems (ICS) such as energy, water, transportation, and manufacturing industries. Thus, individuals directly working within these industries and those relying on these services will experience varying levels of impact.
- Given the widespread reliance of critical infrastructure on ICS, most Americans indirectly depend on these systems, albeit not all will notice the policy's effects immediately or drastically in terms of personal wellbeing.
- The policy may enhance the sense of security and stability over time, particularly among those with heightened awareness or concern about cybersecurity threats, leading to an improvement in perceived wellbeing.
- The focus on cybersecurity could lead to increased operational efficiency and reliability of critical infrastructure, yielding a potential slight uptick in overall quality of life and consumer confidence.
- The budgetary constraints imply that while significant improvements are targeted, they may not be immediately prominent or detectable to all, especially individuals not acutely involved with ICS or not within directly affected service territories.
- The widespread and foundational integration of these systems into everyday American life suggests that the nationwide impact will likely range from none to low-medium immediate personal wellbeing changes for most, with higher levels of influence on professionals within the field of cybersecurity.
Simulated Interviews
Industrial Control Systems Engineer (Houston, TX)
Age: 45 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 20.0 years
Commonness: 5/20
Statement of Opinion:
- The policy brings much-needed attention and resources to the cybersecurity realm of industrial controls.
- It feels reassuring to have backing from CISA in facing these cyber threats.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 9 | 6 |
| Year 10 | 9 | 6 |
| Year 20 | 9 | 6 |
Cybersecurity Analyst (San Francisco, CA)
Age: 32 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 8/20
Statement of Opinion:
- It's encouraging to see governmental involvement in this field, supporting critical infrastructure.
- This policy could improve the resources available to my team.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 5 |
Manufacturing Plant Manager (Detroit, MI)
Age: 60 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 15.0 years
Commonness: 4/20
Statement of Opinion:
- Any steps to improve cybersecurity in manufacturing is vital for operational safety and efficiency.
- Hoping for more hands-on support from CISA in addressing specific vulnerabilities.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 6 | 5 |
| Year 3 | 6 | 5 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 4 |
| Year 20 | 6 | 4 |
Civil Engineer (New York, NY)
Age: 29 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 6/20
Statement of Opinion:
- The policy can potentially streamline the security processes in projects I manage.
- Hoping it reduces the incidence of cyber disruptions.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 7 |
| Year 3 | 7 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 6 |
Public Transit Manager (Los Angeles, CA)
Age: 55 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 12.0 years
Commonness: 4/20
Statement of Opinion:
- Policies like these are critical to keeping our transportation systems safe from emerging threats.
- It hopefully allows for better integration of security solutions across the board.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 7 | 5 |
| Year 20 | 7 | 5 |
Software Developer (Chicago, IL)
Age: 26 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 8.0 years
Commonness: 10/20
Statement of Opinion:
- It's exciting that there is more government recognition and commitment to cybersecurity.
- I expect this could result in greater demand for my firm's software solutions.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 6 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 5 |
Water Treatment Operator (Salt Lake City, UT)
Age: 38 | Gender: other
Wellbeing Before Policy: 6
Duration of Impact: 15.0 years
Commonness: 7/20
Statement of Opinion:
- An enhanced focus on cybersecurity can prevent system failures.
- I hope it will make my job less stressful in ensuring water safety.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 6 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 7 | 5 |
| Year 20 | 6 | 5 |
Power Grid Technician (Phoenix, AZ)
Age: 43 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 20.0 years
Commonness: 4/20
Statement of Opinion:
- Legislation like this can lead to advancements in how we secure our grid.
- Security is a top priority, and with CISA's backing, I feel more supported.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 8 | 8 |
| Year 3 | 9 | 8 |
| Year 5 | 9 | 7 |
| Year 10 | 9 | 7 |
| Year 20 | 8 | 6 |
Hospital Administrator (Miami, FL)
Age: 50 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 5.0 years
Commonness: 5/20
Statement of Opinion:
- The intersection of healthcare and cybersecurity is crucial, hence this policy is welcome.
- I anticipate it will help us better align with national security standards.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 6 | 5 |
| Year 3 | 6 | 5 |
| Year 5 | 6 | 5 |
| Year 10 | 5 | 5 |
| Year 20 | 5 | 5 |
Independent Consultant (Denver, CO)
Age: 48 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 9/20
Statement of Opinion:
- The policy will shape future consultations and best practices in the industry.
- Could increase client demand and awareness of cybersecurity threats.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 7 | 6 |
| Year 20 | 6 | 6 |
Cost Estimates
Year 1: $85000000 (Low: $75000000, High: $95000000)
Year 2: $87500000 (Low: $77500000, High: $97500000)
Year 3: $90000000 (Low: $80000000, High: $100000000)
Year 5: $95000000 (Low: $85000000, High: $105000000)
Year 10: $105000000 (Low: $95000000, High: $115000000)
Year 100: $150000000 (Low: $140000000, High: $160000000)
Key Considerations
- The increasing frequency and sophistication of cyber threats necessitate robust cybersecurity measures for critical infrastructure.
- Potential overlap with existing cybersecurity measures and collaborations within the Department of Homeland Security should be evaluated.
- Funding for the expanded activities of CISA should ensure efficiency without redundancies in other areas.
- Long-term benefits will depend on continued effectiveness and adaptation to evolving cybersecurity threats.