Bipartisan bill to fortify rural water systems against cyber attacks introduced

New bipartisan legislation has been introduced in the U.S. House of Representatives that focuses on protecting rural communities from cyber attacks that have the potential to shut off water supply for Iowans, commercial entities, and farms. The initiative updates and expands the U.S. Department of Agriculture’s (USDA) Circuit Rider Program to include robust cyber training and technical expertise for rural water systems, providing cybersecurity technical assistance through the national rural water and wastewater circuit rider program.

Introduced by Zach Nunn and Don Davis, the bill titled ‘Cybersecurity for Rural Water Systems Act of 2023,’ directs the USDA to expand the Circuit Rider Program to provide technical cybersecurity assistance and authorizes funding to hire an additional 50 cybersecurity circuit riders. These experts will provide critical services to ensure rural water systems are secure from cyber threats, assist small water utilities in building action plans to protect against and prevent cyber attacks, and develop and report on cybersecurity for rural water systems across the U.S.

The USDA and the National Rural Water Association (NRWA) started the Circuit Rider Program in 1980 to provide training and technical assistance for rural water systems; however, fewer than 150 circuit riders currently service 49 state rural water associations, including Puerto Rico, with only four circuit riders servicing Iowa. Moreover, the circuit riders are not equipped to provide cybersecurity-specific support to help small water and wastewater organizations bolster their defenses.

The bill’s provisions state that the program shall include cybersecurity technical assistance for rural water systems serving fewer than 10,000 persons, to assess system efficacy in protecting against cyber threats, and to implement cybersecurity plans, procedures, and technologies to protect against cyber threats.

The bill also amends the existing funding authorization by striking “$25,000,000 for each of fiscal years 2019 through 2023” and inserting “$32,500,000 for each of fiscal years 2024 through 2028, of which $7,500,000 for each of the fiscal years shall be used to provide cyber-security technical assistance.”

The Cybersecurity and Infrastructure Security Agency (CISA) has reported that 80% of the country is serviced by 153,000 public drinking water systems and 16,000 publicly owned wastewater systems. In 2021, water treatment systems in California and Florida were compromised when hackers attempted to poison water systems that had insufficient cybersecurity measures. Currently, only 20 percent of water systems have even basic levels of cyber protection. 

“The reality is that Iowa’s water supply could be devastated by a single cyber attack right now, so improving the cybersecurity of our water systems must be a top priority,” Rep. Nunn said in a media statement. “Unfortunately, the changes that are needed to keep our water supply safe are often cost-prohibitive for smaller rural communities.  This bipartisan bill will provide critical resources and funding to prevent cyber attacks so that all Iowans can rest easy at night knowing our water supply is safe.”  

“Our agricultural communities and rural water systems are critical to our national defense, and I’m glad to introduce this essential bipartisan legislation that delivers security for rural America,” according to Rep. Davis. “We must ensure our water systems rural communities and farmers rely on have the necessary protections to successfully guard against cyber attacks.”

“The Cybersecurity for Rural Water Systems Act of 2023 will directly assist rural utilities that lack the financial resources and in-house expertise to defend themselves from cyber threats,” Matthew Holmes, CEO of the National Rural Water Association, said. “In addition, the bill will provide a cadre of ‘Circuit Rider’ cybersecurity specialists to help rural water systems protect the public health of their residents. These Circuit Riders will work in rural communities to assess the level of protection of their water system cyberinfrastructure, develop proper protocols to enhance protection, assist with any inadequate cyber protection plan, and document the state of cyber protection in small public water systems.”

Commenting on the latest proposed legislation for rural water systems, Ron Fabela, CTO of critical infrastructure cybersecurity firm Xona Systems, wrote in an emailed statement that “one thing to take note of is that the proposed bill allocates $7.5M annually for 5 years to assist these utilities with cybersecurity issues through ‘technical assistance’ under the USDA’s Circuit Rider program. This means that the bill is looking to leverage the Circuit Rider program to assist small water utilities in improving their security posture.”

He added that this falls under the administration’s National Cybersecurity Strategy’s ruling that, “The Federal Government will use existing authorities to set necessary cybersecurity requirements in critical sectors.” Because of this, the proposed Cybersecurity for Rural Water Systems Act of 2023 should not face as many challenges in allocating the proposed funds to organizations in need.

Fabela added that the bill is solely focused on the very specific and small water utilities that serve less than 10,000 customers. “While this will help allocate critical dollars to receiving organizations, it is not addressing the larger water utilities that impact more substantial populations. I suspect that we will continue to see more regulations coming down the pipeline that will address this gap and will be more in line with EPA’s approach announced back in March.”  

Mike Hamilton, CISO of Critical Insight, wrote in an emailed statement that the bill appears to be attempting to cover the fiscal gap created by the new mandates from the EPA to perform a cybersecurity assessment as part of their periodic sanitary survey. “This is very similar to the Coast Guard mandating that maritime ports must perform a similar assessment as part of the ‘facility security plan’, which has also been in place for a long time.”

“This method of extending regulatory oversight through the rulemaking process does indeed create unfunded mandates, so the choice becomes providing federal funding or covering the expenses through a rate hike, which would have to be approved individually for every water district,” Hamilton said. “This bill seems to also attempt to counter part of the Republican objections to this tactic, specifically to rural private-sector operators of this infrastructure. Note that publicly operated facilities – those run by cities and counties – can receive funding from the state and local cybersecurity grant program that is embedded in the bipartisan infrastructure act while private sector operators cannot.”

Overall, Hamilton added that the reluctance of the House of Representatives to increase any spending combined with the existing lawsuit regarding regulatory authority may be the catalyst for reevaluating the Administration’s tactics to improve cybersecurity in critical infrastructure operated by the private sector.

Last month, the Association of Metropolitan Water Agencies (AMWA) expressed concerns with the approach and validity of EPA’s interpretive memorandum to require the inclusion of cybersecurity reviews in public water system sanitary surveys, with its comments generally limited to the contents of sections 4–8 and the appendices of the guidance document.

“However, we do appreciate that section 3 of the guidance outlines different approaches that states may follow for evaluating cybersecurity at a PWS–including directing PWSs to undertake a self-assessment, or requiring PWS compliance with an alternative state program for water system cybersecurity,” Thomas Dobbins, AMWA chief executive officer, wrote in the letter. “Provided that states can clearly articulate to PWSs what actions need to be taken to satisfactorily complete a self-assessment or comply with an alternative state program, we encourage EPA to widely promote these compliance options to states and PWSs.”

He added that in terms of the guidance to states that intend to conduct sanitary surveys with a new cybersecurity component, “we believe the guidance document can be clarified for both public water systems subject to the expanded sanitary survey requirements and state officials who will be charged with implementing them. This is especially important given that these new requirements will apply not only to the largest drinking water systems represented by AMWA but also thousands of small public water systems that may struggle to achieve compliance with the expanded scope of sanitary surveys.”
