Yesterday, by a vote
of 92 to 3
, the Senate agreed to begin consideration of S
914
, the Drinking Water and Wastewater Infrastructure Act of 2021. Ten
amendments were
offered
, including S 1460 (pgs S2229 to S2242) which is the substitute
language that the Senate will consider instead of the language
reported
by the Senate Environment and Public Works Committee earlier this
month. S 1460 includes additional changes to the cybersecurity provisions in
the bill. None of the other amendments offered to this bill yesterday contain
cybersecurity language.

Minor Language Changes

There were some minor formatting changes to the
cybersecurity language that was found in the reported version of the bill. The
only substantive revision was the removal of language that was originally found
in §101 that specifically included ‘cybersecurity event’ as a potential cause
for the emergency situations that could trigger the provision of technical
assistance or grants under 42
USC 300j-1
.

New Cybersecurity Support Language

S 1460 would add a new §113, Cybersecurity support for
public water systems, to the bill. That section would add §1429A to the Safe
Drinking Water Act. That section would require the EPA, in coordination with
CISA, to “develop a prioritization framework to identify public water systems (including
sources of water for those public water systems) that, if degraded or rendered inoperable
due to an incident, would lead to significant impacts on the health and safety of
the public” {§1429A(b)(1)(A), pg S2235}.

That ‘prioritization framework’ would incorporate
consideration of {§1429A(b)(1)(B), pg S2236}:

• Whether cybersecurity
vulnerabilities for a public water system have been identified under section
1433 [42
USC 300i–2
],

• The capacity of a public water
system to remediate a cybersecurity vulnerability without additional Federal
support,

• Whether a public water system
serves a defense installation or critical national security asset, and

• Whether a public water system, if
degraded or rendered inoperable due to an incident, would cause a cascading
failure of other critical infrastructure.

The ‘section 1433’ reference is to the EPA’s Risk Assessments
and Emergency Response Plans
requirements that I briefly described in my
post about the Florida
Water System Hack
. The term ‘incident’ in the last bullet is defined in
this section by reference to the 44
USC 3552
definition which applies specifically to information systems.

The new §1429A then goes on to require the EPA, again in
coordination with CISA to develop “a Technical Cybersecurity Support Plan for
public water systems” {new §1429A(b)(2)(A)} for providing voluntary support to
public water systems. That Plan would {{new §1429A(b)(2)(B)}:

• Establish a methodology for
identifying specific public water systems for which cybersecurity support
should be prioritized;

• Establish timelines for making voluntary
technical support for cybersecurity available to specific public water systems;

• May include public water systems identified
by the Administrator, in coordination with the Director, as needing technical support
for cybersecurity;

• Include specific capabilities of the
Administrator and the Director that may be utilized to provide support to
public water systems under the Support Plan, and

• Only include plans for providing voluntary
support to public water systems.

The frequent use of the word ‘voluntary’ almost certainly
refers to the voluntary use of the offered support by water systems and not the
voluntary provision of support by EPA and CISA that the wording seems to imply.
This is somewhat clarified by §1429A(c)(2), which states that nothing in this
section “compels a public water system to accept technical support offered by
the Administrator.”

There is no funding specifically authorized for §1429A
activities. This is evidenced by the reference in means an occurrence that
actually or imminently jeopardizes, without lawful authority, the integrity,
confidentiality, or availability of information on an information system, or
actually or imminently jeopardizes, without lawful authority, an information
system;:

(A) the integrity, confidentiality, or availability of
information on an information system,

(B) the timely availability of accurate process information,
the predictable control of the designed process or the confidentiality of
process information, or

(C) an information system or a control system;

Commentary

Let me start with my now standard diatribe about
definitions. The use of the IT centric definition of ‘incident’ in the new
§1429A really bothers me. It defines the term by reference to 44 USC 3552 which
reads:

(2) The term ‘‘incident’’ means an
occurrence that—

(A) actually or imminently
jeopardizes, without lawful authority, the integrity, confidentiality, or
availability of information or an information system; or

(B) constitutes a violation or
imminent threat of violation of law, security policies, security procedures, or
acceptable use policies.

The attack on the Oldsmar, Florida water treatment facility
would NOT be an incident under this definition. An ‘information system’ as
defined under §3552 was not involved. The ‘integrity, confidentiality or availability’
of information was not involved. Only by greatly stretching ‘acceptable use
policies’ could this definition of ‘incident’ be made to apply to that attack.

Unfortunately, the definition in 6
USC 659
is essentially the same except that it removes (B) provision found
in §3552. That is why I
proposed
a revision to §659 last year that would have changed that
definition. Unfortunately, this bill is not the place to try to effect a change
in §659, so I would propose to change the definition in the new §1420A:

‘‘(3) INCIDENT.—The term
‘incident’ has the meaning given the term in section 3552 of title 44,
United States Code
means
an occurrence that actually or imminently jeopardizes, without lawful authority:

“(A) the integrity, confidentiality, or availability of
information on an information system,

“(B) the timely availability of accurate process
information, the predictable control of the designed process or the
confidentiality of process information, or

“(C) an information system or a water treatment control
system;.”

With that out of the way, I would like to turn to the ‘Prioritization
Framework’ outlined in the new §1429A. This requires that the EPA have some
understanding of the cybersecurity risks faced by individual water treatment
facilities. This is evidenced in the reference in §1429A(b)(1)(B)(i) to §1433.
While the risk assessment currently required under §1433 does vaguely address cybersecurity
concerns, facilities are not required to send a copy of that assessment to the
EPA, instead, they are required to certify to the EPA that they have completed
that assessment. For the EPA to rely on the §1433 data a revision to §1433
would be required. To accomplish this I would suggest that Section 113 of the
bill would also require a (b):

(b) Section 1433(a)(4) of the
Safe Water Drinking Act (44 USC § 300i–2) is amended to read:

(4) Contents of certifications

A certification required under
paragraph (3) shall contain only—

(A) information that identifies
the community water system submitting the certification;

(B) a listing of any cybersecurity vulnerabilities identified;

(C) the date of the
certification; and

(D) a statement that the
community water system has conducted, reviewed, or revised the assessment, as
applicable.

I would actually think that a copy of the complete risk assessment
in (B) would be very valuable, but I am only going suggest this as that is all
that this section of the bill would need.

By admin