Last week, Rep Gallego (D,AZ) introduced HR 6088, the Water Infrastructure Modernization Act. The bill would amend 42 USC 300j–12, State Revolving Loan Funds, by adding a new subsection (u), Smart Water Infrastructure Technology For Drinking Water. It would establish a new grant program for “owners or operators of community water systems for purposes of the planning, design, construction of, and operations training” relating to smart water infrastructure. The bill would authorize $25 million per year through 2027 for the new grant program.
Neither Gallego nor his sole cosponsor {Rep Katko (R,NY)} is a member of the House Energy and Commerce Committee, to which this bill was assigned for consideration. This means that there is unlikely to be sufficient influence to see this bill considered in Committee. If the bill were considered, I suspect that it would draw bipartisan support and would be able to move to the floor of the House under the suspension of the rules process.
This bill would provide support for smart system technologies, including extensive sensor suites, operational controls and operations management, but there is no mention of any requirement to provide cybersecurity protections for those technologies. Any program that is so dependent on technology for success must have cybersecurity as a key part of the design, implementation and support process. To drive support for that necessity, I would suggest inserting a new paragraph (u)(2):
(2) Any program for which a grant is provided under this section will include a comprehensive cybersecurity program to protect the operation of the smart water infrastructure technology funded by the grant. That cybersecurity program will include, as a minimum:
(i) virtual and physical network segmentation separating the smart water infrastructure technology from the business networks of the agency being supported,
(ii) least privilege access controls for the smart water infrastructure networks, including two-factor authentication for remote access,
(iii) an incident response plan that allows for continued, uninterrupted drinking water delivery service in the event of a system failure due to cyberattack, power failure or foreseeable weather events, and
(iv) an annual third-party audit of cybersecurity controls, software updates, internal system log reviews and incident response reports.
For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6088-introduced - subscription required.