New bill would create a governing body for water system cyber standards

A measure led by two House Republicans would enable the Environmental Protection Agency to certify a governing body to develop and recommend cybersecurity requirements for water treatment and wastewater systems.

Reps. Rick Crawford, R-Ark. and John Duarte, R-Calif. unveiled the Water Risk and Resilience Organization Establishment Act on Thursday, with the aim of creating an entity to work alongside the EPA to develop the enforcement measures.

The proposed bill follows a handful of digital security incidents involving the water sector in recent months, such as when the Iran-linked Cyber Av3ngers hacking collective claimed responsibility for breaching industrial water treatment equipment across several states at the end of last year. 

The specific cyber requirements for the water sector are left open to the body to develop and enforce. The EPA administrator would have the final say in approving or remanding proposed cyber requirements back to the WRRO, which would then be responsible for conducting periodic assessments of covered water systems.

The Biden administration has been pushing to shore up protections for water treatment facilities against cyber threats, which researchers say are highly vulnerable to compromises. But the EPA in October rescinded a memorandum that would have directed providers to evaluate the cyber defenses of their water systems when conducting sanitation surveys, after facing legal pushback from GOP-led states and trade groups.

The new legislative measure notably follows feedback from the American Water Works Association, a water industry and lobbying group, that says a WRRO-like body is the best entity to craft and sustain water system cyber standards.

“Foreign adversaries such as Russia and China have utilized cyber-attacks to target critical infrastructure such as water systems. This bill is a more proactive approach to safeguarding our drinking and wastewater from these types of attacks,” said Crawford in a prepared statement.

“We have always thought that the best method to address this was a public-private collaboration to establish standards and design an industry-government mechanism to help assess risk at utilities and provide mitigation assistance. The WRRO is just such a method,” Mark Montgomery, the former head of the Cyberspace Solarium Commission — a congressionally backed cyber policy advisory group — told Nextgov/FCW.

The Environmental Protection Agency and National Security Council last month urged states to stay alert for Iranian and Chinese cyber threats targeting water sector infrastructure. “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” their missive to states said.

A FERC official also recently testified that dam systems are exposed to cyberattacks, and said that new dam cybersecurity guidance can be reasonably developed within the next nine months.