Showing posts with label Water Cybersecurity. Show all posts

Monday, November 17, 2025

HR 5868 Introduced – Water Cybersecurity

Last month Rep Wilson (D,FL) introduced HR 5868, the Water Cybersecurity Enhancement Act of 2025. The bill would amend 42 U.S.C. 300i–2(g) to rewrite subparagraph (F) to add protecting from and responding to cyberattacks as acceptable uses of grants under the Technical Assistance and Grant program. It would also extend the authorization for that grant program through 2031. No change was made to the $25 million per year authorization for that grant program.

This bill is nearly identical to HR 10483, the Water Cybersecurity Enhancement Act, that was introduced by then Rep Gallego in December of 2024. No action was taken on that bill in the 118th Congress.

Moving Forward

Neither Wilson nor any of her eight cosponsors are members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there is little chance that this bill will be considered in Committee. With no new funding provided, I see nothing in the bill that would engender any organized opposition to the bill. I suspect that it would receive some level of bipartisan support were it to be considered, probably sufficient support to move to the floor of the House under the suspension of the rules process.

Commentary

The problem with bills like this is that when they expand the potential use of a grant program without an increase in the funding base, they dilute the support that is available to the covered community. Any money given out in grants for cybersecurity support is taken away from the other legitimate needs of other community water systems.

I understand that a bill expanding the funding for a grant program would have little chance of passing in the 119th Congress. And there is even less chance that the Administration would expend the added funds. Still, failing to recognize that this bill would have little cyber impact because of the dilution of funds will stop lawmakers from looking for additional means of support for public water systems.

Tuesday, May 21, 2024

Review – EPA Publishes Water System Cybersecurity Enforcement Alert – 5-20-24

Yesterday, the EPA updated their website to include a page on “Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities”. The page notes that:

“As part of EPA’s multi-year drinking water National Enforcement and Compliance Initiative, Increasing Compliance with Drinking Water Standards, inspectors are assessing CWS compliance with SDWA Section 1433. Given the vulnerabilities and attacks on systems, EPA also will increase the number of CWS inspections that focus on cybersecurity. Where vulnerabilities are identified and may present an imminent and substantial endangerment to public health, enforcement actions may be appropriate [emphasis added] under SDWA Section 1431 to mitigate those risks.”

Commentary

The EPA typically relies on state water authorities to enforce SDWA related regulations. It simply does not have the number of inspectors necessary to periodically visit each of the 52,000+ community water systems. The number of EPA inspectors with sufficient cybersecurity training to conduct a meaningful review of the cybersecurity assessments and response plans makes it extremely unlikely that any given community water system will be visited in this enforcement effort. This is an awfully small ‘big stick’ being wielded by the EPA.

Friday, April 26, 2024

Review - HR 7922 Introduced – Water Risk and Resilience Organization

Earlier this month, Rep Crawford (R,AR) introduced HR 7922 (no fancy name). The bill would require the EPA to craft regulations providing for the certification of an independent Water Risk and Resilience Organization (WRRO) seemingly similar to NERC in the electric sector. The bill would authorize $5 million per year through 2025 to establish the WRRO.

Moving Forward

Crawford is a member, as is his sole cosponsor {Rep Duarte (R,CA)}, of the House Transportation and Infrastructure Committee to which this bill was assigned for primary consideration. This means that there may be sufficient influence to see it considered in Committee. I expect that any number of small communities are going to pressure their representatives to oppose this legislation as it would end up increasing the costs of maintaining their water systems. Many mid to large size water systems will also object, again because of funding issues. I suspect that there will be significant bipartisan opposition to this bill based upon those objections. I do not expect this bill to move forward, especially since there is no cosponsor on the House Energy and Commerce Committee, to which this bill has been assigned for secondary consideration. That Committee is well known for guarding their prerogatives when they have even limited oversight responsibilities.

Commentary

This attempt to move cybersecurity oversight of water systems out from under the direct control of the EPA is fraught with problems. The first is funding; the two-year $5 million authorization under the bill is a pittance compared to what it is going to need to establish and operate an organization with this level of oversight. Again, based upon the NERC model, the crafters expect the WRRO to be funded from dues and fees from the covered water systems. Those fees will come on top of the costs of implementing the new cybersecurity requirements established by the WRRO. Since the vast majority of these systems are small, municipal-controlled systems, they are going to have a hard time funding required cybersecurity upgrades, much less the dues and fees assessed by the WRRO.

On a side note, this idea has some support in the water sector. In fact, the idea traces back at least as far as the American Water Works Association. You can see a brief look at their interpretation of the idea in an article on ACSH.org from May of last year. Needless to say, the AWWA will almost certainly support this bill.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7922-introduced - subscription required.

Tuesday, April 9, 2024

Committee Hearings – Week of 4-7-24

With the House and Senate returning from a two week break, there is a moderately light hearing schedule. Budget hearings continue the start of the FY 2025 spending cycle. There is a water system cybersecurity hearing this week in the Senate.

Budget Hearings

| Budget Hearings | House | Senate |
|---|---|---|
| DHS | Approp Subcommittee | Approp Subcommittee |
| Cyber Command | Armed Ser Subcommittee | Armed Services |
| DHS – Member | Approp Subcommittee | |
| Armed Services | | Armed Services |

Cybersecurity Hearing

On Wednesday the Water and Power Subcommittee of the Senate Energy and Natural Resources Committee will hold a hearing on “Examine the Federal and Non-Federal Role of Assessing Cyber Threats to and Vulnerabilities of Critical Water Infrastructure in our Energy Sector”. The witness list includes:

• Terry Turpin, FERC,

• Virginia Wright, INL,

• Scott Aaronson, EEI

While this is an impressive array of cybersecurity experts, it seems to me that they may have less cogent input on cybersecurity for water systems, as their expertise is focused on the national grid. Wright's leadership of the INL's cyber-informed engineering work may be the most important input.

Monday, February 5, 2024

Committee Hearings – Week of 2-4-24

This week, with both the House and Senate in Washington, there is a relatively light hearing schedule. There is only one hearing of interest there, and it is on water system cybersecurity.

Water Cybersecurity

On Tuesday, the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee will hold a hearing on “Securing Operational Technology: A Deep Dive into the Water Sector”. The witness list includes:

• Robert Lee, Dragos Inc.,

• Charles Clancy, The MITRE Corporation,

• Kevin Morley, American Water Works Association, and

• Marty Edwards, Tenable

This is potentially a good set of witnesses for a decent technical look at the issues facing water systems. A lot will depend on how well the staff prepare the Committee members for questions.

Saturday, February 3, 2024

CRS Reports – Week of 2-27-24 – Water System Cybersecurity

Last Monday, the Congressional Research Service (CRS) published a report on “Safe Drinking Water Act (SDWA) Cybersecurity Provisions”. It provides a brief look at the history of the SDWA and the provisions of that legislation (with subsequent amendments) that deal with cybersecurity issues for public drinking water systems. Interestingly, this report does not contain the frequently seen ‘Considerations for Congress’ section that discusses legislative issues that may face members in the near future.

Monday, January 29, 2024

Water Cybersecurity Hearing Added – 1-31-24

This afternoon, the House Energy and Commerce Committee announced that its Subcommittee on Environment, Manufacturing, and Critical Materials would hold a hearing on Wednesday on “Ensuring the Cybersecurity of America’s Drinking Water Systems”. The witness list includes:

• Scott Dewhirst, Tacoma Water (testimony),

• Kevin Morley, American Water Works Association (testimony), and

• Cathy Tucker-Vogel, Kansas Department of Health and Environment (testimony)

It is unusual for witness testimony to be published this far in advance of the scheduled hearing, but I hope that the Subcommittee staff and members’ staffs are taking advantage of the early publication to prepare some intelligent questions for these three industry representatives.

What is clear from a quick review of the testimonies is that these three witnesses are experienced in managing cybersecurity issues. And that is a valuable point of view for hearings like this. But there is a difference between ‘managing cybersecurity issues’ and working on the application of cybersecurity measures to drinking water control systems. It would have been instructive to add at least one witness with hands-on cybersecurity application experience. Oh well, this still should be an interesting hearing.

Wednesday, September 6, 2023

Review - HR 4540 Introduced – Water Infrastructure Enhancement

Last month, Rep Cuellar (D,TX) introduced HR 4540 the Water Infrastructure Enhancement Act of 2023. The bill would require the EPA to “establish a program to provide grants to suppliers of water to carry out eligible activities for the purpose of making infrastructure improvements to public water systems”. The bill would authorize $800 million per year through 2029 to fund that program.

Moving Forward

Neither Cuellar nor his four cosponsors are members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there is probably not sufficient influence to see the bill considered in Committee. I suspect that there would be some Republican opposition to the new funding provided in the bill, though I do suspect that there would be some level of bipartisan support for the bill. While the bill could possibly pass in Committee, I do not think that there would be sufficient Republican support for the bill to be considered under the suspension of the rules process on the floor of the House. The bill is not important enough to take up the time of the House under regular order.

NOTE: Added missing 'Moving Forward' Section 9-14-23 0948 EDT

Commentary

While the approved use of ‘upgrading supervisory control and data acquisition systems’ could certainly be taken to include adding/upgrading cybersecurity provisions for SCADA systems, it would be a major stretch for it to include cybersecurity measures for other water treatment systems (including IT support systems) that could affect the operational technology of water systems. I would recommend specifically adding language for cybersecurity in the definition of ‘eligible activities’ by inserting a new §1459H(a)(2)(H):

“(H) Installing or upgrading cybersecurity tools for information and operational technology, including sensors;”

 

For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4540-introduced - subscription required.

Saturday, December 17, 2022

EPA Sends State Water Cybersecurity Memo to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from the EPA a “Memorandum to State Drinking Water Administrators on Public Water System Cybersecurity”. This is not listed in the 2022 Spring Unified Agenda, so there is no specific information about what such a memorandum would contain.

Looking at various existing EPA websites relating to State supervision of local drinking water systems cybersecurity issues (see here and here), we can get a general idea of what types of actions the EPA could expect States to “require”:

• Inventory of control system assets,

• Network segregation and firewalls,

• Secure remote access technology,

• Access control and system logs,

• Vulnerability patch policy,

• Mobile device security policy,

• Cybersecurity training program,

• Management involvement, and

• Network intrusion detection and response plan

It is important to note that the EPA, for all but one or two States, has authorized State programs to supervise the local water treatment facilities, so as a practical matter, State agencies would be expected to exercise cybersecurity oversight. Changing that State oversight would probably require legislative changes.

 