Earlier this month Rep. McNerney (D,CA) introduced HR 2019,
the Smart Energy and Water Efficiency Act of 2019. The bill would require DOE to carry
out a smart energy and water efficiency management pilot program.
The $15 million grant program {§2(c)} would be designed to help eligible entities to
demonstrate advanced and innovative technology-based solutions that would {§2(b)(2)}:
• Increase and improve the energy efficiency of
water, wastewater, and water reuse systems to help communities across the
United States make significant progress in conserving water, saving energy, and
reducing costs;
• Support the implementation of innovative processes
and the installation of advanced automated systems that provide real-time data
on energy and water; and
• Improve energy and water conservation, water
quality, and predictive maintenance of energy and water systems, through the
use of internet-connected technologies, including sensors, intelligent
gateways, and security embedded in hardware.
Moving Forward
McNerney is a member of the House Science, Space, and
Technology Committee to which this bill was assigned for consideration. This
means that there is a good chance that the bill will be considered in
Committee.
I see nothing in the bill that would engender any serious
opposition, but the inclusion of the $15 million grant program means that money
would have to be taken from somewhere to fund the program. This means that it
will be difficult to get the bill through committee deliberations. I suspect
that if the bill did make it through the committee it would receive bipartisan support
and would thus be considered in the House under the suspension of the rules
process.
Commentary
I initially looked at this bill because it was initially
billed as an attempt to “provide for a smart water resource management pilot program.”
Anytime I see ‘smart’ as a modifier to any process I am hoping to see some
mention of cybersecurity to protect those ‘smart’ activities. I was
disappointed when I read the actual text of this bill. There is only a single
mention of cybersecurity in the bill and that is the passing mention of a rather
generic cybersecurity technique (security embedded in hardware) in the
discussion of ‘internet connected devices’ that would be encouraged by the
grant program.
While the use of hardware security modules will certainly
have a place in the cybersecurity processes used to protect ‘smart water
systems’, it is hardly the be-all and end-all of cybersecurity techniques that
would have to be employed to ensure the safe and secure operations of such
systems.
If McNerney is really serious about encouraging the use of
internet connected devices in the physical operation of municipal water systems
(and I am sure that he is), he really should have included a much more detailed
discussion of cybersecurity practices in this bill. First, he would have had to
start off with the definitions of a number of cybersecurity terms (see my suggested
definitions). Then, he would have had to include specific cybersecurity
language in grant requirements. Legislation is not the place to get into specific
cybersecurity techniques, but two specific items could have been added to this
bill to address cybersecurity issues.
First, the Secretary should have been required to work with
NIST and independent standard setting organizations in the water sector to
establish voluntary cybersecurity standards for smart water systems. The
language below is a quick example of how such language could have been included
in the bill by inserting a new paragraph (c).
(c) Voluntary Cybersecurity Standards:
(1) The Secretary, in coordination with the Director of the National
Institute of Standards and Technology, will work with one or more independent standards
setting organizations recognized by the water sector to develop a set of
voluntary standards to reduce the cybersecurity risks associated with the information
technology and control systems associated with smart water systems.
(2) The voluntary standards would include requirements to:
(A) Identify the components and communications networks used in the smart
water system;
(B) Monitor components and communications to identify unauthorized
access or process changes;
(C) Identify the known cybersecurity risks associated with those
components and communications networks;
(D) Establish methods to be used to mitigate those known risks;
(E) Define the processes used to identify newly discovered cybersecurity
risks including membership in industry information sharing and analysis
centers; and
(F) Establish requirements and methods for reporting cybersecurity incidents.
Paragraph (b)(2) would then be modified:
(C) improve energy and water conservation, water quality, and predictive
maintenance of energy and water systems, through the use of internet-connected
technologies, including sensors, and intelligent gateways, and
security embedded in hardware.; and
(D) address adoption of the voluntary cybersecurity standards described in §2(c).
These changes would help to ensure that smart water systems do
not become an easy method for a smart attack on a community.