On December 18, President Barack Obama signed the Cybersecurity Enhancement Act of 2014 which authorizes the Department of Commerce to facilitate and support the development of voluntary standards to reduce cyber risks to critical infrastructure. It requires the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan.
The bill is strongly endorsed by the Automation Federation and the International Society of Automation (ISA).
According to ISA, the bipartisan bill is designed to strengthen and protect the nation’s economic and national security through public-private partnerships that will improve cybersecurity and cybersecurity standards; research and development; workforce development and education; and public awareness and preparedness.
The bill was sponsored by Senate Commerce, Science, and Transportation Committee Chairman John D. (Jay) Rockefeller IV (D-WV) and Ranking Member John Thune (R-SD). The Senate rejected a bill on cybersecurity that was proposed in 2012. The death of this bill prompted Obama to instruct the National Institute of Standards and Technology (NIST) to develop the US Cybersecurity Framework, which was introduced in February of this year.
“Cybersecurity of industrial automation and control systems from the OT [operational technology] side was not a prominent issue in initial legislative discussions,” says Steve Huffman, chair of the Automation Federation’s Government Relations Committee and an ISA99 Security Standards Committee member. “By raising (cybersecurity’s) importance among lawmakers, industrial cybersecurity became a more vital part of the legislation passed by Congress.”
At the federal government’s request, representatives of both the Automation Federation and ISA served as expert consultants to NIST as it coordinated the development of the US Cybersecurity Framework.
According to ISA, industrial automation control systemssecurity standards developed by the association (ISA99/IEC 62443) are integral components of the federal government’s plans to combat cyberattacks. The standards are designed to prevent and offset potentially devastating cyber damage to industrial plant systems and the networks commonly used in transportation grids, power plants, water treatment facilities and other vital industrial settings.
“The passage of this bill represents great progress toward better preparing government and private industry to meet the significant challenges and reduce the serious risks of industrial cyberattack,” says Michael Marlowe, managing director and director of government relations at the Automation Federation. “We know that safeguarding America and the world from cyberattack will require a comprehensive, multifaceted effort—implementing standards that can prevent and mitigate security vulnerabilities; educating and training a skilled cybersecurity workforce; facilitating greater public-private collaboration; and pursuing ongoing research, development and awareness initiatives.”
The Cybersecurity Enhancement Act of 2014:
• Authorizes NIST to facilitate and support the development of voluntary, industry-led cyber standards and best practices for critical infrastructure—drawing on many of the key recommendations outlined in the US Cybersecurity Framework.
• Strengthens cyber research and development by building on existing research and development programs, and ensuring better coordination across the federal government.
• Improves the cyber workforce and cyber education by ensuring the next generation of cyber experts are trained and prepared for the future.
• Increases the public’s awareness of cyber risks and cybersecurity.
• Advances cybersecurity technical standards.