New cybersecurity bill would shore up water system protections
House lawmakers this week introduced a bill that aims to strengthen cybersecurity protections for water and wastewater systems by creating a new, non-federal agency to update and manage the cybersecurity requirements for the critical infrastructure sector.
The bill, introduced Thursday by Reps. Rick Crawford, R-Ariz., and John Duarte, R-Calif., would establish the Water Risk and Resilience Organization, a governing body comprised of cyber and water system experts, to develop and enforce cybersecurity requirements for drinking and wastewater systems.
The group would work with the U.S. Environmental Protection Agency to ensure the proposed cybersecurity measures are both practical and beneficial.
“Foreign adversaries such as Russia and China have utilized cyber-attacks to target critical infrastructure such as water systems. ” Crawford said in a press release. “This bill is a more proactive approach to safeguarding our drinking and wastewater from these types of attacks.”
The legislation follows letters sent in March from EPA and Department of National Security Affairs officials urging governors to address cybersecurity vulnerabilities in their water systems.
“Disabling cyberattacks are striking water and wastewater systems throughout the United States,” the letter states. “These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”
FBI Director Christopher Wray testified before Congress in January that Chinese hackers have been targeting U.S. critical infrastructure — such as water treatment plants, maritime ports, electrical grids and pipelines — and may have had a presence in many critical infrastructure systems, including water, for as long as five years.
In November, a small water utility in Aliquippa, Pennsylvania, was breached by pro-Iran hackers. Hackers compromised a Florida water treatment facility in 2021 when they tried to boost chemicals in the water to unsafe levels.
The proposed bill adopts a strategy similar to one implemented in the U.S. electric sector, in which the North American Electrical Corporation and the Federal Electric Regulatory Commission manage cybersecurity efforts across the national power grid.
The recommendation for a more collaborative approach to cybersecurity in the water and wastewater sector aligns with calls last year in President Joe Biden’s National Cyber Strategy for increased public-private partnership.
