House Subcommittee Holds Hearing On Water Sector Cybersecurity

On May 21, the House Committee on Science, Space and Technology’s Environment Subcommittee held a hearing on “Applying Science to Secure U.S. Water Systems from Cyber Threats.” Subcommittee Chair Scott Franklin (R-Fla.) opened the hearing by discussing the growing cyber threats facing water systems as they digitize operational technology, the potential consequences of disruptions to water supplies, and the need for more resources to modernize systems. Ranking Member Gabe Amo (D-R.I.) echoed these concerns, and noted that EPA, as the sector risk management agency (SRMA), is understaffed and lacks resources to address the sector’s extensive cyber challenges.

David Hinchman, Director, IT & Cybersecurity at the U.S. Government Accountability Office testified on conclusions from GAO’s recent report: Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems. The report identified gaps in EPA’s assessment of cybersecurity risks and recommended that the agency develop a national cybersecurity strategy and evaluate the sufficiency of its legal authorities to carry out its cybersecurity responsibilities.

Additional witnesses included Virginia Wright, Cyber-Informed Engineering Program Manager at the Idaho National Laboratory, and Joshua Corman, Executive in Residence for Public Safety and Resilience, Institute for Security and Technology, who both emphasized the importance of cyber-informed engineering to mitigate the largest consequences of cyberattacks. Nicole Tisdale, Founder & Principal at Advocacy Blueprints, focused her testimony on the cybersecurity needs and challenges of rural communities.

During questioning, members questioned witnesses about whether the EPA has sufficient authority and resources to carry out its role as the SRMA and if the existing Risk and Resilience Assessments and Emergency Response Plans adequately address cyber risks. Members also discussed what additional research is needed to strengthen sector cybersecurity and how the sector can work with the private sector, including vendors and AI companies, to prevent attacks on operational technology.

The hearing comes as members of Congress have demonstrated an increasing interest in water cybersecurity practices and preparedness. AMWA continues to engage with lawmakers on this topic and is working to advance several legislative proposals to help water systems improve their cybersecurity posture, without imposing burdensome new regulations.