New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats

Two U.S. Congressmen have introduced a bill aimed at safeguarding water systems from cyber threats. The proposed legislation includes the establishment of a Water Risk and Resilience Organization tasked with developing risk and resilience standards specifically tailored for the water sector.

Titled ‘Water Risk and Resilience Organization (WRRO) Establishment Act,’ the legislation, introduced by Representatives Rick Crawford and John Duarte, proposes establishing a new governing body, the WRRO, with cyber and water-system expertise to develop and enforce cybersecurity requirements for drinking and wastewater systems. The WRRO will work in partnership with the U.S. Environmental Protection Agency (EPA) to ensure cybersecurity measures are both practical and beneficial.

“Foreign adversaries such as Russia and China have utilized cyber-attacks to target critical infrastructure such as water systems,” Rep. Crawford said in a recent media statement. “This bill is a more proactive approach to safeguarding our drinking and wastewater from these types of attacks. These protections are vital at a time where cyber threats are constant and technology is evolving quickly.”

“With the constant threat of cyberattacks by our adversaries, the United States’ water infrastructure must be secured and defended properly,” said Rep. Duarte. “I am proud to help lead this crucial legislation with Rep. Crawford to ensure that our wastewater and drinking water systems are adequately prepared to deal with potential cybersecurity threats.”

Cyber-attacks often cost millions of dollars to address and can result in contamination, malfunctions, and service outages. Leveraging private sector expertise to provide cybersecurity awareness to thousands of public water systems across America is critical to ensuring infrastructure security.

The provisions of the legislation call upon the administrator of the EPA to certify one Water Risk and Resilience Organization if the administrator determines that such organization demonstrates advanced technical knowledge and expertise in the operations of covered water systems; and is comprised of one or more members with relevant experience as owners or operators of covered water systems. 

Also, the organization must have demonstrated the ability to develop and implement cybersecurity risk and resilience requirements that provide for an adequate level of cybersecurity risk and resilience for a covered water system, and must be capable of establishing measures, in line with prevailing best practices, to secure sensitive information and to protect sensitive security information from public disclosure.

The bill also proposes that the organization must establish rules requiring independence from the users, owners, and operators of a covered water system. It calls for balanced and objective stakeholder representation in the selection of directors and ensures balanced decision-making in any committee or subordinate organizational structure.

Also, it must allocate reasonable dues, fees, and other charges among end-users for all activities under this section; provide just and reasonable procedures for enforcement of cybersecurity risk and resilience requirements and the imposition of penalties; and provide reasonable notice and opportunity for public comment, due process, openness, and balance of interests in developing cybersecurity risk and resilience requirements and otherwise exercising duties.

The bill also prescribes that for each cybersecurity risk and resilience requirement, or modification to such a requirement, that it proposes, the WRRO shall also propose an implementation plan, including the schedule by which covered water systems must achieve compliance with all or parts of the requirement or modification. The enforcement date must provide a reasonable implementation period for covered water systems to meet the requirements under the implementation plan.

Leaders in the water system industry have shown wide support for the Water Risk and Resilience Organization Establishment Act. They recognize the importance of safeguarding this critical resource and are willing to play a role in achieving this goal.

“Strong and effective cybersecurity oversight is critical for the water sector,” said David LaFrance, CEO of the American Water Works Association. “Rep. Crawford’s vision for a collaborative model that leverages the knowledge of the sector is the right approach for protecting water utilities from cyber-attacks.” 

“NAWC applauds the leadership of Rep. Crawford to advance legislation that helps bolster cybersecurity protections for the entire water sector,” said Rob Powelson, President and CEO of the National Association of Water Companies. “This legislation is long overdue and aligns with our guiding cybersecurity pillars, which call for greater collaboration and coordination of efforts to better protect critical water infrastructure.”

“Cyber threats targeting both informational and operational systems today pose a growing threat to the nation’s water systems, and a successful cyber-attack could threaten public health while also undermining the public’s confidence in their water supply,” said Tom Dobbins, CEO of the Association of Metropolitan Water Agencies. “AMWA supports H.R. 7922 as a critical piece of the puzzle to defend the nation’s water systems from criminals and bad actors in cyberspace, and we thank Rep. Crawford for his leadership on this important bill.”

Earlier this year, FBI Director Christopher Wray testified to Congress that Chinese hackers have been targeting infrastructure such as water treatment plants, electrical grids, and pipelines. Just last month, other administration officials echoed this sentiment when both the national security advisor and EPA sent letters to state governors. In the letters, they urged the governors to address any vulnerabilities in their state’s water systems to minimize risks of cyber-attacks. This is more than just a threat; cybersecurity breaches have already happened around the country.

Last November, a small Pennsylvania water utility was breached by pro-Iran hackers. A Florida water treatment facility was hacked in 2021, and the hackers tried to increase the amount of beneficial chemicals in the water to unsafe levels. In February, the U.S. intelligence community reported that Chinese-backed hackers have had a presence in many critical infrastructure systems in the U.S., including water systems, for as long as maybe five years.

Bipartisan legislation was previously introduced in the U.S. House of Representatives last June that focused on protecting rural communities from cyber attacks that have the potential to shut off water supply for Iowans, commercial entities, and farms. The initiative updates and expands the U.S. Department of Agriculture’s (USDA) Circuit Rider Program to include robust cyber training and technical expertise for rural water systems. This will provide cybersecurity technical assistance in the national rural water and wastewater circuit rider program.
