Bipartisan Infrastructure Package: Drinking Water and The Grid

CISA, Cyber Crime, Cybersecurity, Data Protection, data security, DHS, FY 2022, Ransomware, Technology, Telecommunications, United States 13 Minutes

Subscribe to my newsletter, The Wavelength, if you want the content on my blog delivered to your inbox four times a week before it’s posted here.

Recently, the Senate passed the “Infrastructure Investment and Jobs Act” (H.R.3684), sending the bill to the House. This bill is teeming with technology funding and policy, the likes of which could alter United States (U.S.) policy in a number of realms for years to come. We looked at the broadband provisions in the last issue (see here), and today, we will examine the provisions and funding related to drinking water systems, the electric grid, and related technology.

The Senate included language and funding to address the vulnerabilities turned up by this year’s high-profile attack of a Florida drinking water facility. This sort of attack and the vulnerabilities many water facilities around the globe have is not new, for there was an attack in 2000 in Australia. Nonetheless, this year’s attack caught the attention of U.S. policymakers. The following provisions were largely pulled from the Senate Environment and Public Works Committee’s “Drinking Water and Wastewater Infrastructure Act of 2021” (S.914).

In Division E “Drinking Water and Wastewater Infrastructure,” the U.S. Environmental Protection Agency (EPA) is tasked with establishing the “Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program” under which the agency “shall award grants to eligible entities for the purpose of—

  • increasing resilience to natural hazards and extreme weather events; and
  • reducing cybersecurity vulnerabilities.

Those public water facilities eligible for such grants are those that serve a population of 10,000 or more. It bears emphasis this program appears to merely be authorized at $50 million a year over the next five fiscal years with no funds actually appropriated. This would be presumably up to the Appropriations Committees to address in annual bills.

The EPA would also need to “carry out a study that examines the state of existing and potential future technology, including technology that could address cybersecurity vulnerabilities, that enhances or could enhance the treatment, monitoring, affordability, efficiency, and safety of drinking water provided by a public water system.” After reporting to Congress, the EPA must establish a competitive grant program “for the purpose of identifying, deploying, or identifying and deploying technologies” that are advanced, including those pertaining to cybersecurity.

Public water systems that serve 100,000 and fewer people are eligible to apply, and the federal share is capped at 90% of costs. $10 million is authorized for each of the next five fiscal years but again not appropriated.

A new section is added to the “Safe Drinking Water Act” (42 U.S.C. 300g et seq.): “Cybersecurity Support For Public Water Systems.” The EPA must coordinate with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in developing “a prioritization framework to identify public water systems (including sources of water for those public water systems) that, if degraded or rendered inoperable due to an incident, would lead to significant impacts on the health and safety of the public.” Within nine months of enactment, the “[EPA], in coordination with [CISA] and using existing authorities of the [EPA] and [CISA] for providing voluntary support to public water systems and the Prioritization Framework, shall develop a Technical Cybersecurity Support Plan for public water systems.” And yet, the section goes out the way to stress that nothing in this new program shall compel a public water system to comply with any EPA technical support. So, again, a voluntary program that offers increased resources and focus on cybersecurity that critical infrastructure owners and operators are free to disregard.

The EPA would moreover need to establish a new “Clean Water Infrastructure Resiliency and Sustainability Program” in order to “award grants to eligible entities for the purpose of increasing the resilience of publicly owned treatment works to a natural hazard or cybersecurity vulnerabilities.” Municipalities and state agencies can apply for funds and “shall use the grant funds for planning, designing, or constructing projects (on a system-wide or area-wide basis) that increase the resilience of a publicly owned treatment works to a natural hazard or cybersecurity vulnerabilities.” The EPA cannot pay for more than 75% of the project except for public water systems that serve 10,000 or fewer people and other criteria at which point the federal share can be as high as 90%. $25 million a year for five fiscal years is authorized but not appropriated for this new program.

The EPA must “develop best practices that may be implemented by State, Tribal, and local governments with respect to the collection of batteries to be recycled in a manner that—

  • to the maximum extent practicable, is technically and economically feasible for State, Tribal, and local governments;
  • is environmentally sound and safe for waste management workers; and
  • optimizes the value and use of material derived from recycling of batteries.”

$10 million would be made available for this program.

The EPA would need to stand up a program “to promote battery recycling through the development of—

  • voluntary labeling guidelines for batteries; and
  • other forms of communication materials for battery producers and consumers about the reuse and recycling of critical materials from batteries.”

And the EPA would receive $15 million for the voluntary labeling guidelines program.

There are numerous Department of Energy (DOE) technology provisions, most of which relate to the cybersecurity of the U.S. electric grid.

DOE would need to establish a new program for states to draft and implement State Energy Security Plans. Additionally, DOE can provide financial assistance for states “for the development, implementation, review, and revision of a State energy security plan that—

  • assesses the existing circumstances in the State; and
  • proposes methods to strengthen the ability of the State, in consultation with owners and operators of energy infrastructure in the State—
    • to secure the energy infrastructure of the State against all physical and cybersecurity threats;
    • to mitigate the risk of energy supply disruptions to the State; and
    • to enhance the response to, and recovery from, energy disruptions; and
    • to ensure that the State has reliable, secure, and resilient energy infrastructure.

Governors must submit annual reports that meet the department’s requirements, any necessary revisions to her state energy security plan and certification as to the need for these revisions. DOE and DHS are permitted to provide technical assistance to states.

The second section of the energy part of the bill deals with cybersecurity and supply chain risk management.

The DOE must establish a program to enhance grid security through public-private partnerships in coordination with DHS and “the heads of other relevant Federal agencies, State regulatory authorities, industry stakeholders, and the Electric Reliability Organization” (i.e. the North American Electric Reliability Corporation) as DOE sees fit. DOE and its partners must carry out a program:

  • to develop, and provide for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities;
  • to assist with threat assessment and cybersecurity training for electric utilities;
  • to provide technical assistance for electric utilities subject to the program;
  • to provide training to electric utilities to address and mitigate cybersecurity supply chain management risks;
  • to advance, in partnership with electric utilities, the cybersecurity of third-party vendors that manufacture components of the electric grid;
  • to increase opportunities for sharing best practices and data collection within the electric sector; and
  • to assist, in the case of electric utilities that own defense critical electric infrastructure (as defined in section 215A(a) of the Federal Power Act (16 U.S.C. 824o–1(a))), with full engineering reviews of critical functions and operations at both the utility and defense infrastructure levels—
    • to identify unprotected avenues for cyber-enabled sabotage that would have catastrophic effects to national security; and
    • to recommend and implement engineering protections to ensure continued operations of identified critical functions even in the face of constant cyber attacks and achieved perimeter access by sophisticated adversaries.

DOE must report to Congress one year after enactment on the cybersecurity of electricity distribution systems. DOE is also charged with safeguarding any information it collects or is provided that could endanger the U.S. electric grid. Consequently, this information cannot be disclosed not even for Freedom of Information Act (FOIA) requests.

The DOE will establish a voluntary Energy Cyber Sense program in conjunction with DHS and the other federal agencies. This new program will be developed “to test the cybersecurity of products and technologies intended for use in the energy sector, including in the bulk-power system” and including “industrial control systems and operational technologies, such as supervisory control and data acquisition systems.” DOE must maintain a database of these products and the test results that “are integrated with Federal vulnerability coordination processes.” The agency will provide technical assistance to remedy vulnerabilities in tested products and technology. DOE must develop guidance based on its testing for the electric sector on buying products and technology and consider incentives to drive the use of the testing results in how products and technology are designed and built. Finally, if the DOE reasonably foresees the disclosure of information related to this program could jeopardizes the physical or cybersecurity of the energy sector, she can exempt such information from FOIA and other public disclosure laws.

The Federal Energy Regulatory Commission (FERC) must “conduct a study to identify incentive-based, including performance-based, rate treatments for the transmission and sale of electric energy subject to the jurisdiction of the Commission that could be used to encourage—

  • investment by public utilities in advanced cybersecurity technology; and
  • participation by public utilities in cybersecurity threat information sharing programs.”

One year after this study is finished, FERC must “establish, by rule, incentive-based, including performance-based, rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by public utilities for the purpose of benefitting consumers by encouraging” investment in advanced cybersecurity technology and the participation of public utilities in “cybersecurity threat information sharing programs.” FERC may also provide other incentives to reduce risks to defense critical electric infrastructure and “facilities of small or medium-sized public utilities with limited cybersecurity resources.”

The DOE must establish the “Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program” “to provide grants and technical assistance to, and enter into cooperative agreements with, eligible entities to protect against, detect, respond to, and recover from cybersecurity threats.” This new program’s objectives are:

  • to deploy advanced cybersecurity technologies for electric utility systems; and
  • to increase the participation of eligible entities in cybersecurity threat information sharing programs.

The entities eligible for this program are

(A) a rural electric cooperative;

(B) a utility owned by a political subdivision of a State, such as a municipally owned electric utility;

(C) a utility owned by any agency, authority, corporation, or instrumentality of 1 or more political subdivisions of a State;

(D) a not-for-profit entity that is in a partnership with not fewer than 6 entities described in subparagraph (A), (B), or (C); and

(E) an investor-owned electric utility that sells less than 4,000,000 megawatt hours of electricity per year.

DOE should prioritize grants and technical assistance to those entities with limited cybersecurity resources or own assets critical to the bulk power system or own defense critical electric infrastructure.

$250 million would be appropriated in $50 million chunks for each of the next five years.

DOE must carry out a program to enhance grid security to achieve the following (i.e., the “Cybersecurity for the Energy Sector Research, Development, and Demonstration Program”):

  • to develop advanced cybersecurity applications and technologies for the energy sector—
    • to identify and mitigate vulnerabilities, including—
      • dependencies on other critical infrastructure;
      • impacts from weather and fuel supply;
      • increased dependence on inverter-based technologies; and
      • vulnerabilities from unpatched hardware and software systems; and
    • to advance the security of field devices and third-party control systems, including—
      • systems for generation, transmission, distribution, end use, and market functions;
      • specific electric grid elements including advanced metering, demand response, distribution, generation, and electricity storage;
      • forensic analysis of infected systems;
      • secure communications; and
      • application of in-line edge security solutions;
  • to leverage electric grid architecture as a means to assess risks to the energy sector, including by implementing an all-hazards approach to communications infrastructure, control systems architecture, and power systems architecture;
  • to perform pilot demonstration projects with the energy sector to gain experience with new technologies;
  • to develop workforce development curricula for energy sector-related cybersecurity; and
  • to develop improved supply chain concepts for secure design of emerging digital components and power electronics.

$50 million a year is appropriated annually for five fiscal years.

The DOE would be given the discretion to develop and execute a cyber-resilience program to test agency response capabilities and coordination with the National Laboratories and other agencies. DOE could also investigate enhanced threat sharing with the Intelligence Community and other purposes designed to foster greater cyber-resilience. $50 million would be appropriated annually for the next five fiscal years.

DOE would need to put in place “an advanced energy security program to secure energy networks, including…electric networks…natural gas networks; and…oil exploration, transmission, and delivery networks.” The goal of this program is “to increase the functional preservation of electric grid operations or natural gas and oil operations in the face of natural and human-made threats and hazards, including electric magnetic pulse and geo-magnetic disturbances.” This program would also be authorized for annual appropriations of $50 million for the next five fiscal years.

DOE may, in its discretion, require any recipient of funds for the aforementioned programs to

  • …submit…a cybersecurity plan that demonstrates the cybersecurity maturity of the recipient in the context of the project for which that award or other funding was provided; and
  • establish a plan for maintaining and improving cybersecurity throughout the life of the proposed solution of the project.

The Senate then addresses supply chain issues, a policy area that has come to the fore in Washington following a number of recently successful supply chain attacks. The United States Geological Survey (USGS) would need to establish an Earth Mapping Resources Initiative “to accelerate efforts to carry out the fundamental resources and mapping mission of the” USGS. The DOE must “through an agreement with an academic partner, the design, construction, and build-out of a facility to demonstrate the commercial feasibility of a full-scale integrated rare earth element extraction and separation facility and refinery.” There are provisions directing the Department of the Interior to speed up the review of permitting for critical mineral production on federal lands.

The Senate sponsors are also interested in shoring up and fostering U.S. production of advanced batteries, a field in which the PRC is far ahead of the U.S. The Biden Administration conducted a review of U.S. supply chains, including a focus on advanced batteries, and then launched a number of initiatives based on its findings such as “immediate actions [the DOE] will take to make the U.S. more competitive in the battery market.”

On the heels of the White House’s actions, the DOE would be required to “establish within the Office of Fossil Energy a program, to be known as the “Battery Material Processing Grant Program” to make grants

  • to ensure that the United States has a viable battery materials processing industry to supply the North American battery supply chain;
  • to expand the capabilities of the United States in advanced battery manufacturing;
  • to enhance national security by reducing the reliance of the United States on foreign competitors for critical materials and technologies; and
  • to enhance the domestic processing capacity of minerals necessary for battery materials and advanced batteries.

The DOE would make grants to the following entities:

  • to carry out 1 or more demonstration projects in the United States for the processing of battery materials; (at least $50 million per grant)
  • to construct 1 or more new commercial-scale battery material processing facilities in the United States; (at least $100 million per grant) and
  • to retool, retrofit, or expand 1 or more existing battery material processing facilities located in the United States and determined qualified by the Secretary (at least $50 million per grant.)

$3 billion is appropriated for the “Battery Material Processing Grant Program” in $600 million amounts for each of the next five fiscal years.

In addition, the DOE will be tasked with establishing “within the Office of Energy Efficiency and Renewable Energy a “Battery Manufacturing and Recycling Grant Program,” the purpose of which “is to ensure that the United States has a viable domestic manufacturing and recycling capability to support and sustain a North American battery supply chain. Grants would be given to eligible entities:

  • to carry out 1 or more demonstration projects for advanced battery component manufacturing, advanced battery manufacturing, and recycling; (at least $50 million per grant)
  • to construct 1 or more new commercial-scale advanced battery component manufacturing, advanced battery manufacturing, or recycling facilities in the United States; (at least $100 million per grant)and
  • to retool, retrofit, or expand 1 or more existing facilities located in the United States and determined qualified by the Secretary for advanced battery component manufacturing, advanced battery manufacturing, and recycling (at least $50 million per grant.)

$3 billion is appropriated for the “Battery Material Processing Grant Program” in $600 million amounts for each of the next five fiscal years.

For both programs, DOE is to give priority in making grants to eligible entities located and operating in the U.S., owned by a U.S. entity, using U.S. or North American intellectual property and content, whether it will foster job creation in low and moderate income communities, helps replace jobs lost from the fossil fuels fields, partnership with Tribal entities, and the effect on greenhouse gas emissions, among others.

The ”Infrastructure Investment and Jobs Act” directs the DOE to “continue to carry out the Lithium-Ion Battery Recycling Prize Competition, an already existing program, and authorizes and appropriates $10 million to conduct Phase III.

The DOE would be tasked with establishing another battery program. The agency would need to “award multiyear grants to eligible entities for research, development, and demonstration projects to create innovative and practical approaches to increase the reuse and recycling of batteries, including by addressing” some of the following, among other considerations:

  • recycling activities;
  • the development of methods to promote the design and production of batteries that take into full account and facilitate the dismantling, reuse, recovery, and recycling of battery components and materials;
  • strategies to increase consumer acceptance of, and participation in, the recycling of batteries;
  • the extraction or recovery of critical minerals from batteries that are recycled;

$60 million would be authorized for this program, and the federal share of projects can be no more than 50%.

DOE would be mandated to award $50 million in “grants, on a competitive basis, to States and units of local government to assist in the establishment or enhancement of State battery collection, recycling, and reprocessing programs.”

DOE would administer a new “Battery Recycling and Second-Life Applications Program” that is, “a program of research, development, and demonstration of—

  • second-life applications for electric drive vehicle batteries that have been used to power electric drive vehicles; and
  • technologies and processes for final recycling and disposal of the [aforementioned] devices

The bill explains the purposes of this new program:

  • To improve the recycling rates and second-use adoption rates of electric drive vehicle batteries.
  • To optimize the design and adaptability of electric drive vehicle batteries to make electric drive vehicle batteries more easily recyclable.
  • To establish alternative supply chains for critical materials that are found in electric drive vehicle batteries.
  • To reduce the cost of manufacturing, installation, purchase, operation, and maintenance of electric drive vehicle batteries.
  • To improve the environmental impact of electric drive vehicle battery recycling processes.

$200 million is appropriated for this program.

Finally, the Department of Energy must submit to Congress “a report that assesses using digital tools and platforms as climate solutions, including—

  • artificial intelligence and machine learning;
  • blockchain technologies and distributed ledgers;
  • crowdsourcing platforms;
  • the Internet of Things;
  • distributed computing for the grid; and
  • software and systems.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Greg Rakozy on Unsplash

Photo by Shivam Garg on Unsplash

Published by Michael Kans

An attorney who specializes in technology policy, law, and politics with other areas of expertise.

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s