White House Endorses Inclusion of Cybersecurity in Water Infrastructure Bill 


A recent attempt by hackers to poison the water supply in a Florida town prompted calls for more resources.

The Biden administration threw its weight behind a bill that would authorize the appropriation of grants for improving the cybersecurity of water treatment facilities. 

“S. 914 promotes resiliency projects to address the impacts of climate change and makes explicit that cybersecurity projects are eligible for key programs,” reads a statement of policy the Office of Management and Budget released Tuesday. “The Administration looks forward to working with the Congress on this bipartisan legislation to strengthen our nation’s water systems. This bill is a good start to the much-needed funding required to provide communities with the water quality they deserve and create good-paying jobs.”

It’s not the first time Congress intended for water systems to use grant money for cybersecurity purposes. In 2018, it passed legislation providing $30 million in grants for associated risk and resilience measures but never appropriated the money. 

This time around, lawmakers are considering similar authorization legislation—a vote to end debate on the bill on the Senate floor passed Tuesday—in the wake of a cyberattack in Oldsmar, Florida. An unidentified hacker, or hackers, attempted to poison the small city’s water supply by drastically elevating the amount of a chemical used to regulate pH levels. The event prompted calls for more resources for the sector and garnered the attention of Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, who pledged to prioritize securing the industrial control systems used in water systems and other critical infrastructure.

The bill would provide $25 million for each fiscal year from 2022 through 2026 in grants through a clean water infrastructure resiliency and sustainability program that allows entities to use the money to address cybersecurity vulnerabilities. 

There is also a separate program for advanced drinking water technology that’s funded at $10 million per year over the same period. Entities eligible for that program would have, among other things, identified plans, planned to identify, or expressed interest in identifying “opportunities in the operations of the public water system to employ new or emerging, yet proven, technologies, including technology that could address cybersecurity threats.”

There are caveats. Grants under the program “shall not exceed 75% of the total cost of the proposed project, and not more than 2% may be used to pay the administrative costs of the Administrator,” for example.

But in general, the administration wrote, “S. 914 authorizes the Environmental Protection Agency’s core water infrastructure funding programs and continues the commitment to partnering with States, Tribes, and territories to invest in infrastructure projects in communities across the United States, ensuring that all Americans, especially those living in underserved communities, have access to safe and clean water and opportunities for economic growth.”

While water infrastructure owners wait for funds to be appropriated in accordance with the bill, assuming it clears Congress, they can seek funds for cybersecurity from the Environmental Protection Agency under the Water Infrastructure Finance and Innovation Act of 2014, although they’d have to be able to pay it back. 

“The WIFIA program’s mission is to accelerate investment in our nation’s water and wastewater infrastructure by providing long-term, low-cost, supplemental credit assistance under customized terms to creditworthy water infrastructure projects of national and regional significance,” reads a notice set to publish in the Federal Register Thursday.

The EPA is accepting letters of interest in the program through July 23 and estimates it will be able to provide about $5.5 billion in credit assistance.

In order to qualify, projects must be anticipated to equal or exceed $20 million, unless they are for a community of fewer than 25,000 individuals, in which case projects should be anticipated to cost at least $5 million.

The notice described EPA’s criteria for choosing projects and included cybersecurity in its strategic priorities. 

“To promote the incorporation of new and innovative approaches into projects, EPA is prioritizing projects that incorporate innovative approaches such as but not limited to the following: cybersecurity; the use of energy-efficient parts and systems; the use of renewable or alternative sources of energy; green infrastructure; and the development of alternative sources of drinking water through, for example, desalination, aquifer recharge or water recycling, and resource recovery,” it said.