Monday, December 13, 2021

Review – S 3282 Introduced - Water Infrastructure Modernization

Last month, Sen Kelly (D,AZ) introduced S 3282, the Water Infrastructure Modernization Act of 2021. This bill provides for two new grant programs to support the modernization of wastewater and drinking water treatment facilities in the United States. HR 6068, with an identical short title, only addresses the drinking water treatment program with identical language to that found in Title II of this bill. This bill would authorize $25 million for each of the two grant programs.

Kelly is a member of the Senate Environment and Public Works Committee, to which this bill was assigned for consideration. This means that there may be enough influence to see this bill considered in Committee. Beyond the cost of the two grant programs, I do not see anything in this bill that would engender any specific opposition. If this bill were considered in Committee, there would probably be bipartisan support for the bill.

Commentary

This bill has the same problem that I identified in HR 6088: it provides for the use of advanced controls technology without providing a requirement to protect those systems from cyberattacks. The same language that I proposed for adding to HR 6088 should be added to Title II of this bill. Similar language (see below) should be added to subsection (a) of the proposed §228.

(3) Any program for which a grant is provided under this section will include a comprehensive cybersecurity program to protect the operation of the smart wastewater infrastructure technology funded by the grant. That cybersecurity program will include, as a minimum:

(i) virtual and physical network segmentation separating the smart water infrastructure technology from the business networks of the agency being supported,

(ii) least privilege access controls for the smart water infrastructure networks, including two-factor authentication for remote access, and

(iii) an annual third-party audit of cybersecurity controls, software updates, internal system log reviews and incident response reports.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3282-introduced - subscription required.
