Wednesday, November 7, 2018

S 3021 Changes Water Security Requirements

Thanks to Jake Brodsky for pointing me at an article about recent legislation affecting water treatment and waste water treatment cybersecurity. I did not cover S 3021, the America’s Water Infrastructure Act of 2018, when it was amended in the House (it was introduced as a courthouse name change bill in the Senate) as I did not see any cybersecurity or chemical security references in the long table of contents. Ooops, they slid in in as “SEC. 2013. COMMUNITY WATER SYSTEM RISK AND RESILIENCE”.

Cybersecurity Assessment

Section 2013 re-writes $1433 of the Safe Drinking Water Act (42 USC 300i–2) the current law regarding EPA’s regulation of security at water treatment facilities and waste water treatment facilities. The focus of §1433 is changed somewhat as reflected in the change of the title from “Terrorist and other intentional acts” to “Community water system risk and resilience”. Similar wording changes are found throughout the revised section.

The item that caught the author’s attention is found in the new §1433(a)(1)(A) risk assessment requirements:

“(A) shall include an assessment of—
‘‘(i) the risk to the system from malevolent acts and natural hazards;
‘‘(ii) the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) [emphasis added] which are utilized by the system;

Interestingly, the new language in §1433(a) makes two other significant changes to the assessment requirements. First it removes the requirement for providing the EPA with a copy of the assessment; it only requires a brief certification statement to be submitted to the EPA. Secondly, it reduces the disclosure protections for the assessments; removing protection from disclosure requirements of 5 USC 522. Fortunately, no information of is being provided to the EPA that could be required to be disclosed under §522 beyond the certification statement.

Cybersecurity Emergency Response Plans

The emergency response plan requirements of §1433(b) have also been revised to include specific cybersecurity requirements. In addition to the formatting changes made to this paragraph, it now includes:

(1) strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system; [emphasis added]

Again, the new language only requires covered entities to provide certification to the EPA that the emergency response plans have been prepared.

Alternative Programs

Paragraph (f) of the revised section allows facilities to meet the assessment and/or planning requirements by satisfying “technical standards that are developed or adopted by third-party organizations or voluntary consensus standards bodies that carry out the objectives or activities required by this section” {new §1433(f)(2)}.


Paragraph (g) establishes the Drinking Water Infrastructure Risk and Resilience Program which includes provisions for grants and technical assistance to support the assessment and response plan requirements of this section. It also authorizes $25 million for the Program for FY2020 and FY2021, with $5 million of that earmarked for ‘technical assistance’ and $10 million for grants to small (supporting less than 3,300 people; facilities that are not required to comply with §1433) facilities.


This bill does very little to change the EPA’s oversight of security of water treatment or waste water treatment facilities. It does not require the EPA to review or approve the assessments or emergency response plans, nor even give them the authority to suggest changes to those activities. The additional cybersecurity language simply recognizes that the control systems at these facilities are potentially subject to attack or internal malfeasance and that their security should be addressed by facilities.

The ludicrously small amount of money remaining for grants to covered treatment facilities or works how little Congress appreciates the scope of the problem.

1 comment:

Jake Brodsky said...

I came to much of the same conclusions as you on this bill. The only real change is that it puts the Army Corps of Engineers on that footing as well, and they insist that the Secretary of the Army coordinate with state and local authorities "where possible."

This puts cybersecurity on people's radar. Cybersecurity legislation has already been passed in New Jersey, and I'm curious to see how this "coordination where possible" plays out.

Furthermore, while there are requirements for emergency plans for cybersecurity problems, it doesn't assign responsibility to a specific entity in the organizations, nor does it assign penalties for not filing them or keeping them up to date.

I think that oversight will be dealt with using this mandate by having the EPA and the Army Corps of Engineers discuss this with each other.

Do note that the EPA has been asking about these problems. I was on a panel of Subject Matter Experts that attended a two day conference at the EPA headquarters about three years ago. But they're really lost. This may be the nudge that puts security in their court.

And then again, without funding, this may not go anywhere.

/* Use this with templates/template-twocol.html */