Model Legislation Aims to Improve Cybersecurity in the Water Sector

April 20, 2022 Anthony DeRosa

The Foundation for Defense of Democracies (FDD) released a six-part legislative proposal for improving cybersecurity in the water and wastewater sector. The model legislative text, which has not been introduced in Congress, is based on recommendations from the congressionally chartered Cyberspace Solarium Commission’s 2020 report.

The first proposal, Establishing a Water Risk and Resilience Organization, would provide authority for a process by which minimum cybersecurity standards would be developed and implemented based on a similar approach in the electric sector. This new governance process would have oversight from the U.S. Environmental Protection Agency (EPA) but implementation would be performed by a new water risk and resilience organization.
The second proposal, Water and Wastewater Infrastructure Cybersecurity Improvement Program, seeks to improve cyber threat information sharing with water systems and WaterISAC, including $10M in FY23-24 to support enhanced engagement and collaboration.
The third proposal, Resource and Empower the EPA as the SRMA for the Water Sector, is intended to strengthen and expand EPA’s functionality to perform its duties as the sector risk management agency for the water sector.
The fourth proposal, Direct More of the EPA’s Funding Toward Cybersecurity, recognizes the budgetary constraints facing water systems and recommends that each state revolving loan fund program designate at least one percent of appropriated funds for technical cybersecurity assistance and/or the deployment of innovative cybersecurity technologies.
The fifth proposal, Cybersecurity Circuit Rider Program for Rural Water and Wastewater Infrastructure, would provide $5M annual in FY22 through FY2027 for technical assistance through the circuit rider programs supported by the U.S. Department of Agriculture.
The sixth proposal, Amend the Clean Water Act to Require Wastewater Systems to Perform Risk and Resilience Assessments, would require wastewater systems to conduct risk and resilience assessments and prepare emergency response plans in a similar manner to what drinking water systems must do under §2013 of Americas Water Infrastructure Act of 2018.

While cybersecurity remains a top priority of the Biden Administration, the water and wastewater sector continues to evaluate options to further bolster cyber protections and has yet to come to a consensus on the best approach or suite of approaches. In the meantime, FDD’s proposals have received favorable reactions from the sector and may serve as a foundational blueprint for future work toward developing a more robust cyber defense framework for water.