Thanks to Jake Brodsky for pointing me at an
article about recent legislation affecting water treatment and waste water
treatment cybersecurity. I did not cover S 3021, the America’s Water
Infrastructure Act of 2018, when it was amended in the House (it was introduced
as a courthouse name change bill in the Senate), as I did not see any
cybersecurity or chemical security references in the long table of contents.
Oops, they slid in as “SEC. 2013. COMMUNITY WATER SYSTEM RISK AND
RESILIENCE”.
Cybersecurity Assessment
Section 2013 re-writes §1433 of the Safe Drinking Water Act
(42 USC 300i–2), the current law regarding EPA’s regulation of security at water
treatment facilities and waste water treatment facilities. The focus of §1433 is changed somewhat,
as reflected in the change of the title from “Terrorist and other intentional
acts” to “Community water system risk and resilience”. Similar wording changes
are found throughout the revised section.
The item that caught the author’s attention is found in the
new §1433(a)(1)(A) risk assessment requirements:
“(A) shall include an assessment of—
“(i) the risk to the system from malevolent acts and natural hazards;
“(ii) the resilience of the pipes and constructed conveyances, physical barriers,
source water, water collection and intake, pretreatment, treatment, storage and
distribution facilities, electronic, computer, or other automated systems
(including the security of such systems) [emphasis added] which are utilized by
the system;”
Interestingly, the new language in §1433(a) makes two other significant changes to the
assessment requirements. First, it removes the requirement for providing the EPA
with a copy of the assessment; it only requires a brief certification statement
to be submitted to the EPA. Secondly, it reduces the disclosure protections for
the assessments, removing protection from the disclosure requirements of 5 USC 522.
Fortunately, no information is being provided to the EPA that could be
required to be disclosed under §522 beyond the certification statement.
Cybersecurity Emergency Response Plans
The emergency response plan requirements of §1433(b) have also been
revised to include specific cybersecurity requirements. In addition to the
formatting changes made to this paragraph, it now includes:
(1) strategies and resources to
improve the resilience of the system, including the physical security and cybersecurity
of the system; [emphasis added]
Again, the new language only requires covered entities to
provide certification to the EPA that the emergency response plans have been
prepared.
Alternative Programs
Paragraph (f) of the revised section allows facilities to meet
the assessment and/or planning requirements by satisfying “technical standards that
are developed or adopted by third-party organizations or voluntary consensus
standards bodies that carry out the objectives or activities required by this
section” {new §1433(f)(2)}.
Funding
Paragraph (g) establishes the Drinking Water Infrastructure
Risk and Resilience Program, which includes provisions for grants and technical
assistance to support the assessment and response plan requirements of this section.
It also authorizes $25 million for the Program for FY2020 and FY2021, with $5
million of that earmarked for ‘technical assistance’ and $10 million for grants
to small facilities (those serving less than 3,300 people, which are not required
to comply with §1433).
Commentary
This bill does very little to change the EPA’s oversight of
security of water treatment or waste water treatment facilities. It does not
require the EPA to review or approve the assessments or emergency response
plans, nor even give them the authority to suggest changes to those activities.
The additional cybersecurity language simply recognizes that the control
systems at these facilities are potentially subject to attack or internal
malfeasance and that their security should be addressed by facilities.
The ludicrously small amount of money remaining for grants
to covered treatment facilities or works shows how little Congress appreciates the
scope of the problem.
1 comment:
I came to much the same conclusions as you on this bill. The only real change is that it puts the Army Corps of Engineers on that footing as well, and they insist that the Secretary of the Army coordinate with state and local authorities "where possible."
This puts cybersecurity on people's radar. Cybersecurity legislation has already been passed in New Jersey, and I'm curious to see how this "coordination where possible" plays out.
Furthermore, while there are requirements for emergency plans for cybersecurity problems, it doesn't assign responsibility to a specific entity in the organizations, nor does it assign penalties for not filing them or keeping them up to date.
I think that oversight will be dealt with using this mandate by having the EPA and the Army Corps of Engineers discuss this with each other.
Do note that the EPA has been asking about these problems. I was on a panel of Subject Matter Experts that attended a two day conference at the EPA headquarters about three years ago. But they're really lost. This may be the nudge that puts security in their court.
And then again, without funding, this may not go anywhere.