Critical infrastructure operators’ resilience would get federal assessment under new bill

How well critical infrastructure sectors are equipped to switch to manual operations in the event of a cyberattack would be assessed and reported to Congress under new legislation from a bipartisan pair of House lawmakers.

The Contingency Plan for Critical Infrastructure Act, introduced this week by Reps. Dan Crenshaw, R-Texas, and Seth Magaziner, D-R.I., would require the Cybersecurity and Infrastructure Security Agency director, the Federal Emergency Management Agency administrator and other sector risk management agencies to deliver a report to Congress that details the risks that sectors face when they are unable to pivot quickly to manual operating mode. 

“Cyberattacks are the number one threat to America’s critical infrastructure, and it’s not a problem any one government agency can solve or even protect against,” Crenshaw said in a statement. “The private sector must be more involved, especially when it comes to our water, our energy, our transportation, and our communications. We need a comprehensive assessment of what more can be done to make critical infrastructure more resilient to future cyberattacks, and we need it immediately.”

As part of the overall assessment, the bill calls for an evaluation of CISA’s capacity and obligations, including how the agency responds to cyber incidents and supports critical infrastructure operators’ essential systems. It would also require an assessment of FEMA’s National Response Framework, with a look specifically at how the agency assists owners and operators with the transition to manual during a cyberattack.

Additionally, the assessment would feature an examination of the costs and challenges tied to sector-wide requirements to switch to manual operation during a cyber incident, covering financial, logistical and operational implications. 

The legislation also calls for policy recommendations “aimed at ensuring the continuous operation of critical infrastructure” during cyber incidents that affect critical systems. 

FEMA, meanwhile, would also be required by the bill to update its Planning Considerations for Cyber Incidents, which includes best practices for personnel, steps that owners and operators should take in response to degraded systems, guidance on response and remediation to industrial control devices impacted by cyber incidents, and the identification of state, local and federal resources that can be of assistance in scenarios of this kind.

“We need to ensure that the infrastructure Americans depend on to keep the lights on, the water running and commerce flowing, are protected from cyberattacks,” Magaziner said in a statement. “This bipartisan bill will help ensure that Americans are protected from criminals and adversarial nations who target our country in cyberspace on a daily basis.”

The legislation comes amid a rising chorus of warnings from federal officials that foreign adversaries are already inside critical infrastructure IT networks and planning for increasingly disruptive attacks. 

National Cyber Director Harry Coker said during an event last month that resilience has been a focus of the Biden administration. “We need to operate through some of the cyber threats that will persist, and being prepared is a way to do that,” he said.