A new bill proposes to increase cybersecurity funding for rural water systems by $7.5 million per year. That is not a lot of money for a part of the critical infrastructure and is an insult to all taxpayers living in rural areas. The EPA budget for 2023 is nearly $12 billion. The bill was announced on 05 June 2023. “Congressman Don Davis (NC-01), along with Representatives Zachary Nunn (IA-03), Angie Craig (MN-02), and Abigail Spanberger (VA-07), members of the US House Committee on Agriculture, introduced the Cybersecurity for Rural Water Systems Act of 2023.”
The bill is a simple amendment that adds $7.5 million per year to existing legislation and states that the new money provided for each year from 2024 through 2028 “shall be used to provide cyber security technical assistance.”
The Oldsmar incident, where it was first reported that a hacker gained remote access to systems at the water plant in Oldsmar (Florida) and attempted to elevate levels of a certain chemical to a point where it could put the public at risk of being poisoned, is an example of the need for improved cybersecurity. While the incident raised the alarm, recent reports claim that it was not the work of an outside hacker but rather of an employee who mistakenly clicked on the wrong buttons before alerting management to the error. GCN cited former Oldsmar City Manager Al Braithwaite, who described it as a “non-event” resolved in two minutes.[1]
See: https://redskyalliance.org/xindustry/water-is-worth-fighting-for
“The reality is that Iowa’s water supply could be devastated by a single cyberattack right now, so improving the cybersecurity of our water systems must be a top priority,” said Rep. Nunn. “Unfortunately, the changes that are needed to keep our water supply safe are often cost prohibitive for smaller rural communities. This bipartisan bill will provide critical resources and funding to prevent cyberattacks so that all Iowans can rest easy at night knowing our water supply is safe.”
The big questions are whether the new bill is correctly targeted and provides enough funds to make a difference. “This bill focuses on very specific and small water utilities that serve less than 10,000 customers… (Oldsmar wouldn’t necessarily meet the requirements for this funding avenue.) The proposed bill allocates $7.5M annually for 5 years to assist these utilities with cybersecurity issues through ‘technical assistance’ under the USDA’s Circuit Rider program,” Ron Fabela, CTO at Xona Systems, said. “This bill looks to creatively utilize the USDA [US Dept of Agriculture] program to assist small water utilities in improving their security posture.”
This bill appears to be attempting to cover the fiscal gap created by the new EPA mandates that require water systems to perform a cybersecurity assessment as part of their periodic sanitary survey. This is very similar to the US Coast Guard mandating that maritime ports must perform a similar assessment as part of the ‘facility security plan’, which has also been in place for a long time. The bill appears to level the field for rural private sector water operators that cannot participate in the state and local cyber grant program. It is an interesting tactic that looks like it’s trying to avoid rate hikes to pay for required controls in rural areas where rate hikes would be very unwelcome.
This funding is important but probably insufficient for all cybersecurity needs. Rural water will still need to protect itself as best it can by carefully managing remote access, keeping operational technologies updated and patched, and monitoring the OT environment with 24/7 eyes on events and a good incident response plan. That is another unrealistic plan: rural communities cannot attract and pay for the cyber-threat talent required to protect critical infrastructure.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.securityweek.com/bipartisan-bill-proposes-cybersecurity-funds-for-rural-water-systems/