Wednesday, April 28, 2021

Senate Starts Consideration of S 914 – Water Systems Authorization

Yesterday, by a vote of 92 to 3, the Senate agreed to begin consideration of S 914, the Drinking Water and Wastewater Infrastructure Act of 2021. Ten amendments were offered, including S 1460 (pgs S2229 to S2242) which is the substitute language that the Senate will consider instead of the language reported by the Senate Environment and Public Works Committee earlier this month. S 1460 includes additional changes to the cybersecurity provisions in the bill. None of the other amendments offered to this bill yesterday contain cybersecurity language.

Minor Language Changes

There were some minor formatting changes to the cybersecurity language that was found in the reported version of the bill. The only substantive revision was the removal of language that was originally found in §101 that specifically included ‘cybersecurity event’ as a potential cause for the emergency situations that could trigger the provision of technical assistance or grants under 42 USC 300j-1.

New Cybersecurity Support Language

S 1460 would add a new §113, Cybersecurity support for public water systems, to the bill. That section would add §1429A to the Safe Drinking Water Act. That section would require the EPA, in coordination with CISA, to “develop a prioritization framework to identify public water systems (including sources of water for those public water systems) that, if degraded or rendered inoperable due to an incident, would lead to significant impacts on the health and safety of the public” {§1429A(b)(1)(A), pg S2235}.

That ‘prioritization framework’ would incorporate consideration of {§1429A(b)(1)(B), pg S2236}:

• Whether cybersecurity vulnerabilities for a public water system have been identified under section 1433 [42 USC 300i–2],

• The capacity of a public water system to remediate a cybersecurity vulnerability without additional Federal support,

• Whether a public water system serves a defense installation or critical national security asset, and

• Whether a public water system, if degraded or rendered inoperable due to an incident, would cause a cascading failure of other critical infrastructure.

The ‘section 1433’ reference is to the EPA’s Risk Assessments and Emergency Response Plans requirements that I briefly described in my post about the Florida Water System Hack. The term ‘incident’ in the last bullet is defined in this section by reference to the 44 USC 3552 definition which applies specifically to information systems.

The new §1429A then goes on to require the EPA, again in coordination with CISA, to develop “a Technical Cybersecurity Support Plan for public water systems” {new §1429A(b)(2)(A)} for providing voluntary support to public water systems. That Plan would {new §1429A(b)(2)(B)}:

• Establish a methodology for identifying specific public water systems for which cybersecurity support should be prioritized;

• Establish timelines for making voluntary technical support for cybersecurity available to specific public water systems;

• May include public water systems identified by the Administrator, in coordination with the Director, as needing technical support for cybersecurity;

• Include specific capabilities of the Administrator and the Director that may be utilized to provide support to public water systems under the Support Plan, and

• Only include plans for providing voluntary support to public water systems.

The frequent use of the word ‘voluntary’ almost certainly refers to the voluntary use of the offered support by water systems and not the voluntary provision of support by EPA and CISA that the wording seems to imply. This is somewhat clarified by §1429A(c)(2), which states that nothing in this section “compels a public water system to accept technical support offered by the Administrator.”

There is no funding specifically authorized for §1429A activities. This is evidenced by the reference in

Commentary

Let me start with my now standard diatribe about definitions. The use of the IT-centric definition of ‘incident’ in the new §1429A really bothers me. It defines the term by reference to 44 USC 3552, which reads:

(2) The term ‘‘incident’’ means an occurrence that—

(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or

(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

The attack on the Oldsmar, Florida, water treatment facility would NOT be an incident under this definition. An ‘information system’ as defined under §3552 was not involved. The ‘integrity, confidentiality or availability’ of information was not involved. Only by greatly stretching ‘acceptable use policies’ could this definition of ‘incident’ be made to apply to that attack.

Unfortunately, the definition in 6 USC 659 is essentially the same, except that it removes the (B) provision found in §3552. That is why I proposed a revision to §659 last year that would have changed that definition. Unfortunately, this bill is not the place to try to effect a change in §659, so I would propose to change the definition in the new §1429A:

“(3) INCIDENT.—The term ‘incident’ has the meaning given the term in section 3552 of title 44, United States Code means an occurrence that actually or imminently jeopardizes, without lawful authority:

“(A) the integrity, confidentiality, or availability of information on an information system,

“(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

“(C) an information system or a water treatment control system.”

With that out of the way, I would like to turn to the ‘Prioritization Framework’ outlined in the new §1429A. This requires that the EPA have some understanding of the cybersecurity risks faced by individual water treatment facilities. This is evidenced by the reference in §1429A(b)(1)(B)(i) to §1433. While the risk assessment currently required under §1433 does vaguely address cybersecurity concerns, facilities are not required to send a copy of that assessment to the EPA; instead, they are required to certify to the EPA that they have completed that assessment. For the EPA to rely on the §1433 data, a revision to §1433 would be required. To accomplish this, I would suggest that Section 113 of the bill also include a subsection (b):

(b) Section 1433(a)(4) of the Safe Drinking Water Act (42 USC § 300i–2) is amended to read:

(4) Contents of certifications

A certification required under paragraph (3) shall contain only—

(A) information that identifies the community water system submitting the certification;

(B) a listing of any cybersecurity vulnerabilities identified;

(C) the date of the certification; and

(D) a statement that the community water system has conducted, reviewed, or revised the assessment, as applicable.

I would actually think that a copy of the complete risk assessment in (B) would be very valuable, but I am only going to suggest this, as that is all that this section of the bill would need.
