On July 21, the U.S. Senate Committee on Environment and Public Works conducted a hearing on the cybersecurity of U.S. infrastructure, with a focus on the water and wastewater sector. The witnesses included John Sullivan, Chief Engineer of Boston Water and Sewer Commission, who represented the Association of Metropolitan Water Agencies. Sullivan has served as the Chair of WaterISAC’s Board of Managers since its inception. The other water sector witness was Sophia Oberton, Special Projects Coordinator for the Delmar Public Works Department, who testified on behalf of the National Rural Water Association. In their testimony, Sullivan noted “the nature of cyber threats is ever-evolving” and emphasized the need for additional resources to augment existing security efforts, while Oberton called for “technical assistance on how to best implement the newest and most advanced cyber protection actions.” Other witnesses included Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), the Co-chairs of the Cyberspace Solarium Commission, a bipartisan, bicameral commission tasked with exploring cybersecurity threats to the United States.
Sullivan’s testimony noted that despite WaterISAC member utilities serving about 60% of the U.S. population, thousands of smaller water systems are not members. This was attributed in part to these systems’ lack of resources or awareness. He asserted that, with federal assistance, more water systems could join WaterISAC to gain insights into cyber threats and get access to post-incident support. Sullivan’s testimony also highlighted WaterISAC’s support of his own utility’s response to a ransomware incident.
Both Cyberspace Solarium Commission representatives emphasized the importance of protecting the water and wastewater sector from malicious actors. Rep. Gallagher urged “more coordinated, consistent federal action to ensure that water utilities have the people, processes, and technology necessary to protect our public health and safety,” while Sen. King asserted the federal government “must do a better job of assessing national risk and working with the entities that own and operate infrastructure” and stated federal support for WaterISAC could “enhance the overall cyber readiness and resilience of the sector.”
Chairman Tom Carper (D-Del.) stated that meeting current challenges “requires sustained federal investment, not one-time solutions,” and that the federal government “should build flexibility into our solutions so that state and local leaders have the tools they need to effectively address their unique cybersecurity challenges.” EPW Ranking Republican Shelley Moore Capito (R-W.Va.) said she expected the testimony would help identify “ways the federal government can act as a better partner in protecting our drinking water and wastewater systems from cyberattacks, without costly mandates that can distract from the core mission of providing safe, reliable, and affordable water service to the American public.”
The hearing came as the Cyberspace Solarium Commission is developing a new report on cybersecurity in the water and wastewater sector and drafting potential cybersecurity legislation. These are expected to be released in August 2021.
A recording of the hearing and written testimony from each witness are available online.