Earlier this month, Rep Crawford (R,AR) introduced HR 7922 (no fancy name). The bill would require the EPA to craft regulations providing for the certification of an independent Water Risk and Resilience Organization (WRRO) seemingly similar to NERC in the electric sector. The bill would authorize $5 million per year through 2025 to establish the WRRO.
Definitions
Section 1(a) provides the definitions of seven key terms used in the legislation. Two of the terms are defined by reference to subsections of this bill. One term, ‘covered water system’, is defined by reference to existing statute (42 U.S.C. 300f and 33 U.S.C. 1292). The two key technical terms are:
The definition of ‘cybersecurity incident’ contains a reference to ‘programmable electronic devices’. While the term is undefined, it could refer to computers; it could also be stretched to cover a wide range of process control equipment, but it would probably not include most sensors and actuators used in process control operations.
WRRO Establishment
Section 1(b) gives the EPA jurisdiction over the WRRO. It requires that the EPA establish by direct final regulation the requirements of this bill for the WRRO. Once those regulations are established, the EPA is required to certify an organization as the Water Risk and Resilience Organization if the Agency determines that the organization:
Demonstrates advanced technical knowledge and expertise in the operations of covered water systems,
Is comprised of 1 or more members with relevant experience as owners or operators of covered water systems,
Has demonstrated the ability to develop and implement cybersecurity risk and resilience requirements that provide for an adequate level of cybersecurity risk and resilience for a covered water system, and
Is capable of establishing measures, in line with prevailing best practices, to secure sensitive information and to protect sensitive security information from public disclosure.
The organization would also have to have established rules that require that:
It is independent of the users, owners, and operators of a covered water system, with balanced and objective stakeholder representation in the selection of directors of the organization and balanced decision making in any committee or subordinate organizational structure,
It allocates reasonable dues, fees, and other charges among end-users for all activities under this section,
It provides just and reasonable procedures for enforcement of cybersecurity risk and resilience requirements and the imposition of penalties (including limitations on activities, functions, or operations, or other appropriate sanctions), and
It provides for reasonable notice and opportunity for public comment, due process, openness, and balance of interests in developing cybersecurity risk and resilience requirements and otherwise exercising duties.
Cybersecurity Risk and Resilience Requirements
Section 1(d) outlines the cybersecurity risk and resilience requirements for the WRRO that the EPA will establish by regulation. It first establishes the requirement for the WRRO to submit to the EPA each cybersecurity risk and resilience requirement or modification that it proposes, along with an implementation plan. The EPA would approve the requirement if it was found to be just, reasonable, and not unduly discriminatory or preferential. The EPA would be required to defer to the “technical expertise of the WRRO with respect to the content of a proposed cybersecurity risk and resilience requirement or modification to such a requirement.”
Paragraph (3) outlines the action to be taken if the EPA disapproves a requirement.
Paragraph (6) requires the EPA to establish by regulation the “specific processes for the identification and timely resolution of any conflict between a cybersecurity risk and resilience requirement and any function, rule, order, tariff, or agreement accepted, approved, or ordered by the Administrator applicable to a covered water system.”
Section 1(e) establishes the requirements for monitoring covered water systems’ implementation of WRRO requirements. The WRRO is given responsibility to routinely monitor and conduct periodic assessments, specifically including a requirement for annual ‘self-attestations’ from the covered water systems. The WRRO is required every five years to conduct an assessment of each covered water system. This assessment can be conducted by a designated third party. In turn, the WRRO is required to provide an annual report to the EPA on “the implementation of cybersecurity risk and resilience requirements, the effectiveness of cybersecurity risk and resilience requirements for covered water systems in the United States”.
Section 1(f) provides the WRRO with enforcement authority for the cybersecurity risk and resilience requirements established under this legislation. It outlines the required enforcement process and authorizes the WRRO to levy penalties of up to $25,000 per day the entity is in violation.
Moving Forward
Crawford is a member, as is his sole cosponsor {Rep Duarte (R,CA)}, of the House Transportation and Infrastructure Committee to which this bill was assigned for primary consideration. This means that there may be sufficient influence to see it considered in Committee. I expect that any number of small communities are going to pressure their representatives to oppose this legislation, as it would end up increasing the costs of maintaining their water systems. Many mid- to large-size water systems will also object, again because of funding issues. I suspect that there will be significant bipartisan opposition to this bill based upon those objections. I do not expect this bill to move forward, especially since there is no cosponsor on the House Energy and Commerce Committee, to which this bill has been assigned for secondary consideration. That Committee is well known for guarding its prerogatives when it has even limited oversight responsibilities.
Commentary
This attempt to move cybersecurity oversight of water systems out from under the direct control of the EPA is fraught with problems. The first is funding; the two-year $5 million authorization under the bill is a pittance compared to what will be needed to establish and operate an organization with this level of oversight. Again, based upon the NERC model, the crafters expect the WRRO to be funded from dues and fees paid by the covered water systems. Those fees will come on top of the costs of implementing the new cybersecurity requirements established by the WRRO. Since the vast majority of these systems are small, municipally controlled systems, they are going to have a hard time funding required cybersecurity upgrades, much less the dues and fees assessed by the WRRO.
On a side note, this idea has some support in the water sector. In fact, the idea traces back at least as far as the American Water Works Association. You can see a brief look at their interpretation of the idea in an article on ACSH.org from May of last year. Needless to say, the AWWA will almost certainly support this bill.