Bipartisan Bill Proposes Cybersecurity Funds for Rural Water Systems


A new bill proposes to increase cybersecurity funding for rural water systems by $7.5 million per year. It’s not a lot of money for part of the critical infrastructure, but it’s better than nothing for an area that misses out on other funding.

The bill was announced June 5, 2023. “Congressman Don Davis (NC-01), along with Representatives Zachary Nunn (IA-03), Angie Craig (MN-02), and Abigail Spanberger (VA-07), members of the U.S. House Committee on Agriculture, introduced the Cybersecurity for Rural Water Systems Act of 2023.”

The bill (PDF) is a simple amendment that adds $7.5 million per year to existing legislation and states that the new money provided for each year from 2024 through 2028 “shall be used to provide cyber security technical assistance.”

The Oldsmar incident, in which it was first reported that a hacker gained remote access to systems at the water plant in Oldsmar (Florida) and attempted to elevate levels of a certain chemical to a point where it could put the public at risk of being poisoned, is an example of the need for improved cybersecurity. While the incident did raise the alarm, recent reports claim that it was not the work of an outside hacker, but rather of an employee who mistakenly clicked on the wrong buttons before alerting management to the error. GCN cited former Oldsmar City Manager Al Braithwaite, who described it as a “non-event” that was resolved in two minutes.

“The reality is that Iowa’s water supply could be devastated by a single cyberattack right now, so improving the cybersecurity of our water systems must be a top priority,” said Rep. Nunn. “Unfortunately, the changes that are needed to keep our water supply safe are often cost prohibitive for smaller rural communities. This bipartisan bill will provide critical resources and funding to prevent cyberattacks so that all Iowans can rest easy at night knowing our water supply is safe.” 

The big questions are whether the new bill is correctly targeted, and whether it provides enough funds to make a difference. 

“This bill focuses on very specific and small water utilities that serve less than 10,000 customers… (Oldsmar wouldn’t necessarily meet the requirements for this funding avenue.) The proposed bill allocates $7.5M annually for 5 years to assist these utilities with cybersecurity issues through ‘technical assistance’ under the USDA’s Circuit Rider program,” Ron Fabela, CTO at Xona Systems, told SecurityWeek. “This bill looks to creatively utilize the USDA [US Dept of Agriculture] program to assist small water utilities in improving their security posture.”


Mike Hamilton, CISO at Critical Insight, adds, “This bill appears to be attempting to cover the fiscal gap created by the new mandates from the EPA to perform a cybersecurity assessment as part of their periodic sanitary survey. This is very similar to the Coast Guard mandating that maritime ports must perform a similar assessment as part of the ‘facility security plan’, which has also been in place for a long time.”

The bill, he continues, “appears to be more of a leveling for the sake of rural private sector water operators that cannot participate in the state, local cyber grant program. It’s an interesting tactic that looks like it’s trying to avoid rate hikes to pay for required controls in rural areas where rate hikes would be very unwelcome.”

But is it enough? “Funding is a key challenge and considering the focus of this bill on only the very small water utilities it may be seen by some as a ‘drop in the bucket’ from a national strategy perspective, but is critical dollars to the receiving organizations,” comments Fabela.

“It’s not remotely enough,” says Hamilton. “If this is the size of the purse, they’re going to have to do some risk-based prioritization as to who gets funds.” Although there is no water grid that can cause cascading problems over large portions of the country, disruption would still be problematic.

“Water sources are generally geographically nearby,” explains Hamilton. “However, disrupting water does cause cascading failures. For example, manufacturing requires a lot of water, hospitals can’t function without water. An attack would not affect other water plants, but it would affect a broad region.”

This funding is important, but probably insufficient for all cybersecurity needs. Rural water will still need to protect itself as best it can. How? “By relegating all personal use of the internet to a personal device while on premise of a water (waste, dam, etcetera) utility,” suggests Hamilton. “By carefully managing remote access; keeping operational technologies updated and patched; and monitoring the OT environment with 24/7/365 eyes on events – and a good incident response plan.”


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
