A new bill proposes to increase cybersecurity funding for rural water systems by $7.5 million per year. It is not a lot of money for a part of the nation's critical infrastructure, but it is better than nothing for a sector that misses out on other funding.
The bill was announced June 5, 2023. “Congressman Don Davis (NC-01), along with Representatives Zachary Nunn (IA-03), Angie Craig (MN-02), and Abigail Spanberger (VA-07), members of the U.S. House Committee on Agriculture, introduced the Cybersecurity for Rural Water Systems Act of 2023.”
The bill (PDF) is a simple amendment that adds $7.5 million per year to existing legislation and states that the new money provided for each year from 2024 through 2028 “shall be used to provide cyber security technical assistance.”
The Oldsmar incident is an example of the need for improved cybersecurity. It was first reported that a hacker gained remote access to systems at the water plant in Oldsmar, Florida, and attempted to raise the level of a certain chemical to a point where it could put the public at risk of being poisoned. While the incident did raise the alarm, recent reports claim that it was not the work of an outside hacker, but rather of an employee who mistakenly clicked the wrong buttons before alerting management to the error. GCN cited former Oldsmar City Manager Al Braithwaite, who described it as a “non-event” that was resolved in two minutes.
“The reality is that Iowa’s water supply could be devastated by a single cyberattack right now, so improving the cybersecurity of our water systems must be a top priority,” said Rep. Nunn. “Unfortunately, the changes that are needed to keep our water supply safe are often cost prohibitive for smaller rural communities. This bipartisan bill will provide critical resources and funding to prevent cyberattacks so that all Iowans can rest easy at night knowing our water supply is safe.”
The big questions are whether the new bill is correctly targeted, and whether it provides enough funds to make a difference.
“This bill focuses on very specific and small water utilities that serve less than 10,000 customers… (Oldsmar wouldn’t necessarily meet the requirements for this funding avenue.) The proposed bill allocates $7.5M annually for 5 years to assist these utilities with cybersecurity issues through ‘technical assistance’ under the USDA’s Circuit Rider program,” Ron Fabela, CTO at Xona Systems, told SecurityWeek. “This bill looks to creatively utilize the USDA [US Dept of Agriculture] program to assist small water utilities in improving their security posture.”
Mike Hamilton, CISO at Critical Insight, adds, “This bill appears to be attempting to cover the fiscal gap created by the new mandates from the EPA to perform a cybersecurity assessment as part of their periodic sanitary survey. This is very similar to the Coast Guard mandating that maritime ports must perform a similar assessment as part of the ‘facility security plan’, which has also been in place for a long time.”
The bill, he continues, “appears to be more of a leveling for the sake of rural private sector water operators that cannot participate in the state, local cyber grant program. It’s an interesting tactic that looks like it’s trying to avoid rate hikes to pay for required controls in rural areas where rate hikes would be very unwelcome.”
But is it enough? “Funding is a key challenge and considering the focus of this bill on only the very small water utilities it may be seen by some as a ‘drop in the bucket’ from a national strategy perspective, but is critical dollars to the receiving organizations,” comments Fabela.
“It’s not remotely enough,” says Hamilton. “If this is the size of the purse, they’re going to have to do some risk-based prioritization as to who gets funds.” Although there is no water grid that can cause cascading problems over large portions of the country, disruption would still be problematic.
“Water sources are generally geographically nearby,” explains Hamilton. “However, disrupting water does cause cascading failures. For example, manufacturing requires a lot of water, hospitals can’t function without water. An attack would not affect other water plants, but it would affect a broad region.”
This funding is important, but probably insufficient for all cybersecurity needs. Rural water utilities will still need to protect themselves as best they can. How? “By relegating all personal use of the internet to a personal device while on the premises of a water (waste, dam, etcetera) utility,” suggests Hamilton. “By carefully managing remote access; keeping operational technologies updated and patched; and monitoring the OT environment with 24/7/365 eyes on events – and a good incident response plan.”