Water trade groups urge lawmakers to consider cyber training and more funding for their facilities

Top water trade association officials voiced concerns to House Energy and Commerce Committee lawmakers Wednesday about the need for cyber training and additional government funding for their facilities, in a hearing focused on federal attempts to better secure the thousands of water systems throughout the U.S.

As committee members considered where the federal government fits in assisting the critical infrastructure sector that is being targeted by adversarial nations like China, top national security officials at a separate House hearing sounded the alarm on threats of that kind, particularly for sectors like water and wastewater that lack protections as strong as those in the electric industry. Gen. Paul Nakasone, head of U.S. Cyber Command and director of the NSA, said at the hearing that there is “no reason” for Beijing hackers to be in the water supply, other than to target civilians.

The Republican-led Environment, Manufacturing, & Critical Materials subcommittee panned any potential new cybersecurity regulations during the hearing. Energy and Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., said during her opening statement that new regulations “may do more harm than good,” adding that the Environmental Protection Agency should not “be in the business of micromanaging” utilities.

Rep. Buddy Carter, R-Ga., who chairs the subcommittee, said that the sector needs “technical knowledge and resources,” not new regulations from the EPA.

In October 2023, the Environmental Protection Agency shelved a memo that required cybersecurity audits for water utilities through state sanitary surveys. While the effectiveness of the proposed regulations were questioned by experts, the initiative represented a rare example of the government trying to force water utilities to devote greater resources to security after decades of underinvestment in the defense of digital systems.

However, while the witnesses — all trade organizations from the water industry — brought up the same concerns initially levied when EPA announced the memo, they also reiterated the need for additional resources and training from the government.

Cathy Tucker-Vogel, a public water supply section chief of the Kansas Department of Health and Environment who was speaking on behalf of the Association of State Drinking Water Administrators, noted a partnership with the Cybersecurity and Infrastructure Security Agency that started last week that includes additional training and access to expert help when it comes to cybersecurity assessments.

“The water operators are very receptive and they want the training and they want to make sure that they’re putting appropriate protections in place, so there’s not a resistance to doing something,” Tucker-Vogel said. “It’s just they have a lack of understanding of what it is they need to do and when you start talking cybersecurity, it’s almost like a foreign language.”

The witnesses also called for additional funding from Congress. While there are funds through various EPA grants and the $1 trillion bipartisan infrastructure law, many of those are focused on ensuring the water is clean, as opposed to protecting technology that undergirds it.

“A lot of money is being put forth for a lot of different infrastructure and we’ve been focused on the quality issue of water and not necessarily cyber,” said Scott Dewhirst, superintendent and chief operating officer at Tacoma Water, speaking on behalf of the Association of Metropolitan Water Agencies. “To be told this is for cyber purposes, I think you would see some action take place.”

Kevin Morley, manager of federal regulations for the American Water Works Association, reiterated the group’s call for a regulatory framework similar to the electric industry, which consists of an industry-led organization to develop standards overseen and audited by the EPA.

The hearing also comes shortly after a series of hacks on an Israeli-based manufacturer by CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps that often overstate their hacks. Those attacks hit several water facilities.

Rep. Chris Deluzio, D-Pa., who represents a district whose water utility was hit by the CyberAv3ngers’ spree, sent a letter on Tuesday to members of the House Energy and Commerce Committee as well as the Environment, Manufacturing, and Critical Materials subcommittee. Deluzio’s letter called on  lawmakers to outfit the EPA with “the tools and resources it needs to support and coordinate with the water sector to prepare for and build resilience against risks like cyber threats.”