On January 31, at a hearing in Washington, D.C.,  before the Environment, Manufacturing, and Critical Materials Subcommittee of the U.S. House Committee on Energy and Commerce, the American Water Works Association (AWWA) testified about a collaborative approach to cybersecurity oversight in the water sector.

The hearing was titled “Ensuring the Cybersecurity of America’s Drinking Water Systems” and included experts from water organizations across the United States. Kevin Morley, AWWA federal relations manager, testified on behalf of the association, which represents 50,000 water professionals throughout North America and beyond.

“Strong cybersecurity measures are essential to ensuring a cyber incident does not threaten public health. Water systems need resources and regulatory oversight designed to mitigate the potential risks from cyberattacks around the clock, every day of the year. This means we need to act now,” Morley said.

Morley testified that a combination of regulatory and nonregulatory actions is necessary to tackle the cyber threats facing water systems. AWWA has recommended congressional action to support a new cybersecurity governance framework in the water sector that leverages the technical knowledge of utilities, cybersecurity experts, and regulators to implement a comprehensive cybersecurity risk management strategy. This model, authorized by federal legislation, would create an independent, nonfederal entity to lead the development of cybersecurity requirements using, in part, subject matter experts from the water sector. Federal oversight and approval of requirements would be provided by the U.S. Environmental Protection Agency, which already regulates drinking water and wastewater utility operations.

This collaborative approach builds on a similar model that has already been successfully applied in the electric sector. The recommendation also aligns with calls for greater public-private collaboration included in the National Cyber Strategy.

“The diverse nature of water utilities requires a tiered framework that recognizes the technical challenges facing the sector and sets reasonable cybersecurity requirements that focus on practical, protective, and implementable solutions,” Morley said.

In addition to establishing a sound oversight model, Morley shared three essential areas of collaboration that could enhance cybersecurity in the water sector. These areas include:

• Overcoming the digital divide
• Threat information sharing
• Vulnerability mitigation and technical assistance