September 2021 Vol. 76 No. 9
Washington Watch
Washington Watch: Infrastructure Bill Includes Increased Spending on Water, Sewers
By Stephen Barlas, Washington D.C. Editor
The Senate infrastructure legislation provides major funding boosts to the drinking water and clean water state revolving funds (DWSRF/CWSRF), but congressional passage of the bill depends, apparently, on whether Congress also passes a second, $3.5-trillion “social infrastructure” bill demanded by progressive Democrats in the House.
The infrastructure bill allocates $11.7 billion over five years appropriated to each of the DWSRF and CWSRF and $11.7 billion over five years appropriated for lead service line replacement (through the DWSRF). Those SRF numbers work out to approximately $1 billion more a year for each fund than what Congress has appropriated each year for the past decade. For example, in fiscal year 2020 Congress appropriated $1.126 billion for the DWSRF.
The money to replace lead drinking water lines is, however, less than what President Biden and some Democrats had been demanding, which was initially $45 billion.
In addition to the funds for water infrastructure, the bill also allocates $65 billion for broadband access to areas in the U.S., mostly rural areas, without access. The largest chunk of that is through a broadband equity, access and deployment program. With that, $42 billion is being distributed as grants to the states that would competitively award subgrants for qualifying broadband infrastructure, mapping and adoption projects.
Water infrastructure trade groups, such as the Association of Metropolitan Water Agencies, had wanted the infrastructure bill to pick up the provisions in the Drinking Water and Wastewater Infrastructure Act (DWWIA) of 2021 which the Senate passed in April. That bill had even higher funding levels, reaching $3.2 billion a year for both funds in fiscal 2025 and 2026, except that they were “authorizations,” meaning Congress would have had to appropriate the money separately as it has in the infrastructure bill. The DWWIA also had numerous policy changes and new grant programs, with regard to water infrastructure projects.
“Ideally, we would have liked the infrastructure bill to fully fund the $35 billion worth of drinking water and wastewater authorizations included in DWWIA, and we know multiple senators were fighting for that outcome. But we also don’t want the’ perfect to be the enemy of the good,’ and the infrastructure bill does include many positive aspects,” said Dan Hartnett, chief advocacy officer for legislative and regulatory affairs, AMWA.
Steve Dye, legislative director, Water Environment Federation, said that the House will increase the dollars for water infrastructure above the Senate numbers and that those higher appropriations will make it into a final bill signed by President Biden.
INGAA Questions Pipeline Cybersecurity Mandates
The ransomware attack on the Colonial Pipeline in May continues to have federal regulatory reverberations reflected in
the first-time safety and operation mandates published by the Department of Homeland Security (DHS) in July. But members of Congress, who view gas and oil pipelines as dangerously vulnerable to cyberattacks, appear to be underwhelmed by the DHS mandates, which come from its subagency, the Transportation Security Administration (TSA). A second directive in May was simply non-enforceable guidance.
A top TSA official told a Senate committee that the pipeline industry had input into the new mandates issued on July 19. But the Interstate Natural Gas Association of America (INGAA) doesn’t appear particularly happy with them.
According to a spokeswoman, “In this instance, TSA used emergency authority to implement a significant new set of regulations without the usual notice-and-comment procedures, and INGAA anticipates that improvements to the TSA directive will be necessary to maximize its efficacy and practicality.
“INGAA believes that the directive issued last week would be improved by providing pipeline operators more ability to base their cybersecurity protections on individual pipeline systems’ specific configurations and risks.”
Some in Congress feel the directive doesn’t go far enough. At hearings in the Senate Commerce, Science and Transportation Committee, on July 27, Chairman Sen. Maria Cantwell (D-Wash.) said the DHS directives were a step in the right direction, but more regulation is needed.
The July directive requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of protections against cyber intrusions. These would include mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.
David Pekoske, administrator of the TSA, told the Senate committee that TSA consulted with industry on the security directive and took its comments into consideration, including updating it to incorporate some of the feedback received. No one from industry appeared at those hearings.
Cantwell implied that the DHS needed additional requirements on pipelines, some of them based on a report from the Government Accountability Office (GAO).
“The GAO report shows the use of incomplete information for security risk assessments and aged protocols for responding to security incidents, as well as many of the workforce issues that we have previously addressed in this committee,” she explained.
At the hearings, Leslie Gordon, acting director of homeland security and justice, GAO, complimented the TSA for correcting most of the shortcomings the GAO had identified in two recent reports. But she underlined two weaknesses that were still evident. One was incomplete information for pipeline risk assessments. GAO identified factors that likely limit the usefulness of TSA’s risk assessment methodology for prioritizing pipeline security reviews.
The second was aged protocols for responding to pipeline security incidents. The TSA still uses its 2010 Pipeline Security and Incident Recovery Protocol Plan, which is very light with regard to cybersecurity. TSA has started to correct those shortcomings, but has not completed that job, according to the GAO.
At hearings across the Capitol on the same day as the House Energy & Commerce Committee, top Republican Rep. Fred Upton (MI) pointed out that not enough pipeline executives have the required clearance level needed to access DHS information and data.
FERC Commissioner Neil Chatterjee, whose formal term ended in August, answered, “There is no question that is a problem.” He went on to say that if a missile had taken out the Colonial Pipeline, “we would have clearly recognized that as an act of terrorism and known how to respond accordingly. Our mindset is not there yet.”
While members of the House, Senate, and FERC (which has no authority over pipeline cybersecurity) feel the DHS needs to go further, the agency is staffing up in an effort to increase pipeline oversight. Pekoske ran through the TSA’s expansion of its pipeline cybersecurity personnel, from six to 39 full-time employees, since the passage of the TSA Modernization Act in October 2018.
Further, in fiscal year 2020, TSA established and trained a 20-member field-based pipeline security assessment team (PSAT), which is comprised of credentialed transportation security inspectors (TSIs) located around the nation, in order to expand TSA’s support and engagement capacity with pipeline owners and operators. Eight members from the PSAT team and TSA headquarters have completed comprehensive cybersecurity training provided by Idaho National Labs.
Comments