[Senate Hearing 117-74]
[From the U.S. Government Publishing Office]



                                                         S. Hrg. 117-74

                ADDRESSING CYBERSECURITY VULNERABILITIES
              FACING OUR NATION'S PHYSICAL INFRASTRUCTURE

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                      ENVIRONMENT AND PUBLIC WORKS

                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                              __________

                             JULY 21, 2021

                              __________

  Printed for the use of the Committee on Environment and Public Works
  
  
               
               
               
               	   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  
  

        
        
        Available via the World Wide Web: http://www.govinfo.gov
               
               		       __________
               
               
                    U.S. GOVERNMENT PUBLISHING OFFICE
	       
45-752 			    WASHINGTON : 2021
               
               
               
               
               
.               
               COMMITTEE ON ENVIRONMENT AND PUBLIC WORKS

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                  THOMAS R. CARPER, Delaware, Chairman
BENJAMIN L. CARDIN, Maryland         SHELLEY MOORE CAPITO, West 
BERNARD SANDERS, Vermont                 Virginia, 
SHELDON WHITEHOUSE, Rhode Island         Ranking Member
JEFF MERKLEY, Oregon                 JAMES M. INHOFE, Oklahoma
EDWARD J. MARKEY, Massachusetts      KEVIN CRAMER, North Dakota
TAMMY DUCKWORTH, Illinois            CYNTHIA M. LUMMIS, Wyoming
DEBBIE STABENOW, Michigan            RICHARD SHELBY, Alabama
MARK KELLY, Arizona                  JOHN BOOZMAN, Arkansas
ALEX PADILLA, California             ROGER WICKER, Mississippi
                                     DAN SULLIVAN, Alaska
                                     JONI ERNST, Iowa
                                     LINDSEY O. GRAHAM, South Carolina

             Mary Frances Repko, Democratic Staff Director
               Adam Tomlinson, Republican Staff Director
                            
                            
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                             JULY 21, 2021
                           OPENING STATEMENT

Carper, Hon. Thomas R., U.S. Senator from the State of Delaware..     1
Capito, Hon. Shelley Moore, U.S. Senator from the State of West 
  Virginia.......................................................     3

                               WITNESSES

Gallagher, Hon. Mike, U.S. Representative from the State of 
  Wisconsin......................................................     5
    Prepared statement...........................................     8
King, Hon. Angus, U.S. Senator from the State of Maine...........    10
    Prepared statement...........................................    12
Bhatt, Shailen, President and CEO, Intelligent Transportation 
  Society of America.............................................    15
    Prepared statement...........................................    18
    Response to an additional question from Senator Kelly........    32
Sullivan, John, Chief Engineer, Boston Water and Sewer Commission    34
    Prepared statement...........................................    36
    Response to an additional question from Senator Kelly........    45
Oberton, Sophia, Special Projects Coordinator, Delmar Public 
  Works Department...............................................    48
    Prepared statement...........................................    50
    Response to an additional question from Senator Kelly........    65
Pratt, Evan, Member, Government Affairs Committee, American 
  Public Works Association.......................................    68
    Prepared statement...........................................    71

                          ADDITIONAL MATERIAL

Letter to Senators Carper and Capito from the American Water 
  Works Association, July 21, 2021...............................   100

 
                   ADDRESSING CYBERSECURITY VULNERA-
          BILITIES FACING OUR NATION'S PHYSICAL INFRASTRUCTURE

                              ----------                              


                        WEDNESDAY, JULY 21, 2021

                                       U.S. Senate,
                 Committee on Environment and Public Works,
                                                    Washington, DC.
    The Committee, met, pursuant to notice, at 9:51 a.m., in 
room 406, Dirksen Senate Office Building, Hon. Thomas R. Carper 
(Chairman of the Committee) presiding.
    Present: Senators Carper, Capito, Cardin, Whitehouse, 
Markey, Padilla, Boozman, Sullivan, and Ernst.

          OPENING STATEMENT OF HON. THOMAS R. CARPER, 
            U.S. SENATOR FROM THE STATE OF DELAWARE

    Senator Carper. Good morning, everyone. I am pleased to 
join Senator Capito in calling this hearing to order.
    I want to thank each of our witnesses here today for your 
willingness to share your perspectives on cyber vulnerabilities 
that our infrastructure systems face.
    We are joined this morning by leaders who will discuss 
cyber vulnerabilities in our highways, our municipal drinking 
water, our wastewater, rural water systems, as well as inland 
waterway systems. A warm welcome to Sophia Oberton, to John 
Sullivan, to Shailen Bhatt, and to Evan Pratt.
    We are also delighted to be joined today by two of our 
colleagues, one former Governor colleague I served with as 
Governor for many years, our friend Angus King here in the 
Senate from Maine, and Representative Mike Gallagher.
    They serve as the Co-Chairs of the Cyberspace Solarium 
Commission, the bipartisan intergovernmental body created in 
2019 to develop a strategic approach to strengthen our defenses 
against cyber attack. Both Senator King and Representative 
Gallagher have provided invaluable leadership on the issue of 
cybersecurity. We are pleased to welcome them here this 
morning.
    Thank you both very much for joining us.
    I especially want to thank our Ranking Member Capito this 
morning for suggesting this hearing in the first place and for 
her work and the work of her staff in helping to put it all 
together.
    All of us gathered here today understand the importance of 
protecting our Nation's critical infrastructure, yet in the 
past year alone, we have witnessed several major cyber attacks 
that have hobbled critical systems across our country.
    Unfortunately, no government agency or industry is immune 
to attacks from the vast array of bad actors who seek to 
undermine our security and profit from our vulnerabilities. We 
face threats from unscrupulous individuals, from criminal 
enterprises, and antagonistic state actors 24 hours a day, 7 
days a week.
    It is unclear that many of our Nation's vital 
transportation and water systems face especially serious 
challenges in dealing with cybersecurity vulnerabilities.
    A 2019 report from FHA, the Federal Highway Administration, 
stated that, and I am going to quote them, ``The Department of 
Homeland Security considers the Transportation Systems Sector 
to be one of 16 critical infrastructure systems so vital to the 
United States that their incapacitation or destruction would 
have a debilitating effect on security, on national economic 
security, and our national public health and safety.''
    It is not hard to imagine how they came to that conclusion.
    If we look at our highways, our tunnels, our bridges, we 
can see that they are dependent on vast inter-operating 
computer systems, each with their own vulnerabilities to cyber 
attacks.
    We should also be increasingly concerned by the mounting 
cybersecurity challenges facing our Nation's drinking water and 
wastewater systems. According to a 2019 report by the American 
Water Works Association, cyber risk is the top threat--the top 
threat--facing the U.S. water sector today.
    Just 1 year earlier, the Department of Homeland Security 
and the FBI warned that the Russian government was specifically 
targeting the water sector and other critical infrastructure as 
part of a multi-stage intrusion campaign.
    Cyber vulnerabilities in our water systems represent unique 
national security challenges. A major breach in our water 
infrastructure system could jeopardize the safety of our 
drinking water and impair communities' ability to safely 
dispose of harmful waste, threatening human health.
    The cybersecurity of our inland waterways is yet another 
area that requires our attention. Approximately 15 percent of 
all domestic freight moves through our intra-coastal and inland 
waterway systems. The safeguarding of this system is vital, not 
only for economic activity, but also for effectively protecting 
our communities from flooding.
    These threats are large in scale and require widespread 
collaboration. I am looking forward to hearing from all of our 
distinguished witnesses today on how Federal and State agencies 
can work together with industry and community leaders to 
strengthen the cybersecurity of each of these vital parts of 
our infrastructure, but before we do that, let me offer some 
observations up front.
    There is no one size fits all solution to all of the 
different cyber threats facing our critical infrastructure 
systems. At the Federal level, we should build flexibility into 
our solutions so that State and local leaders have the tools 
they need to effectively address their unique cybersecurity 
challenges.
    At the same time, we must also recognize that many local 
government agencies and infrastructure systems face significant 
challenges in just fulfilling their core missions. Therefore, 
any Federal assistance in cybersecurity should be structured to 
help these entities remain focused on their core missions.
    Finally, I believe it is incumbent on us to recognize that 
cybersecurity is a long term, constantly evolving challenge. 
Addressing this challenge requires sustained Federal 
investment, not one time solutions.
    With that, I am happy to turn to our Ranking Member, 
Senator Capito, for her opening remarks. I want to thank her 
again, her and her staff, for coming up with this idea and 
helping to make it happen.
    Senator Capito.

        OPENING STATEMENT OF HON. SHELLEY MOORE CAPITO, 
          U.S. SENATOR FROM THE STATE OF WEST VIRGINIA

    Senator Capito. Thank you, Mr. Chairman.
    I want to thank all the witnesses that are here and thank 
my colleagues, Senator King and Representative Gallagher, for 
being here with us today.
    We look forward to hearing from you on the best ways to 
protect our physical infrastructure from cyber attacks. I think 
it is a very timely hearing, as we have seen attacks here in 
the last several months, how the Federal Government can partner 
with industry, State, and local partners, and what gaps we have 
that are leading to our vulnerabilities.
    This Committee has a leading role in ensuring the safety 
and security of our Nation's core infrastructure system, and we 
are committed to being a strong Federal partner in tackling the 
most challenging issues that cyber threats present.
    We must work together, and I think we will, on this issue 
to find solutions that will safeguard the whole of our core 
infrastructure, which include our water systems, our port and 
inland waterways, flood control infrastructure, highways, 
bridges, and tunnels.
    The speed of advancing technology and the improvements this 
has on our day to day lives of all Americans is extremely 
positive in a lot of ways. We are working toward a more modern 
and a more connected transportation system.
    This does, however, create a level of urgency for 
implementing strong cybersecurity measures. On our roads and 
bridges, vehicles and infrastructures are becoming more 
connected and smarter. With these types of advancements, 
increased data and access to that data can result in safety and 
privacy threats. It opens our transportation system up to 
vulnerabilities that didn't exist in the past.
    To help address these types of threats, our Committee 
passed the Surface Transportation Reauthorization Act of 2021, 
in which we expanded eligibilities under the National Highway 
Performance Program, NHPP, and the Surface Transportation Block 
Grant Program, STBGP--they all have little initials for 
everything--for cybersecurity protections, and added a 
requirement for the Federal Highway Administration to develop 
tools to assist transportation agencies in protecting and 
recovering from cyber incidents.
    I think it is important that we have the capacity. A lot of 
our local systems don't have the capacity to really meet these 
challenges and need some assistance.
    These provisions will help to protect our highways, 
bridges, and tunnels against emerging cyber threats and 
protecting our critical transportation infrastructure.
    Cyber attacks are also a growing threat to our water and 
wastewater systems. We have seen a growing number of these 
systems fall victim to these attacks, which have significant 
implication on public health and safety. These attacks are very 
scary for the public, when you think about your water system 
being invaded, when they occur and can leave us questioning the 
safety of our water systems.
    I am proud of the work this Committee has done so far to 
address cybersecurity vulnerabilities in drinking water and 
wastewater systems.
    The Drinking Water and Wastewater Infrastructure Act, which 
passed out of this Committee unanimously and was approved on 
the Senator floor by a vote of 89 to 2----
    Senator Carper. How much?
    Senator Capito. Eighty-nine to two, includes provisions 
that provide funding for protections against cybersecurity 
vulnerabilities to our water systems all around the country.
    Though I am proud of our work, there is more work to be 
done, and the Chairman talked about this. I look forward to 
hearing from our witnesses on the ways the Federal Government 
can act as a better partner in protecting our drinking water 
and wastewater systems from cyber attacks without costly 
mandates that can distract from the core mission of providing 
safe, reliable, and affordable water service to the American 
public.
    The physical infrastructure of our ports, inland waterways, 
and flood control systems are also potential targets for 
foreign adversaries and cyber criminals pursuing ransomware 
attacks. Hacking of these systems can harm our economy and pose 
threats to human life, property, and the environment.
    Providing the tools to the government agencies, industry 
partners, stakeholders responsible for protecting our critical 
infrastructure from cyber attacks is essential.
    Maintaining resiliency against cyber threats is also an 
ongoing and ever evolving process.
    As the Chairman said as well, and a little bit differently, 
but it is not a one and done event. We cannot put blinders on 
and think we have finished everything when we come to 
envisioning potential threats, because we know those threats 
change daily.
    Government agencies such as the Corps of Engineers have 
been partnering with other agencies and local communities to 
address cybersecurity for our infrastructure. We need to 
continue to support training exercises and information sharing 
between agencies to protect our critical infrastructure, such 
as the electrical grid, our water systems, transportation 
systems, and emergency response systems.
    I expect that the Committee will continue to include 
cybersecurity policies in our WRDA bill, which we are beginning 
work on, that is the never ending story water bill, and as we 
have in our transportation, drinking, and wastewater 
legislation.
    I look forward to hearing from our witnesses today about 
the best practices and key challenges facing the security and 
safety of our transportation systems and how we can work 
together toward protecting all Americans and that critical 
infrastructure through strengthened cybersecurity measures.
    Thank you, Mr. Chairman.
    Senator Carper. Thank you, Senator Capito. Well said.
    Now we are going to turn to our witnesses, our colleagues.
    We welcome our first panel, which is comprised of our 
distinguished colleagues, Representative Mike Gallagher, whom I 
don't know well.
    I am happy to see you again and welcome you today from the 
Badger State of Wisconsin.
    I will never forget, as a 17 year old freshman to Ohio 
State, I pledged to a fraternity, homecoming, we were playing 
Wisconsin at the homecoming football game. Football is a big 
deal at Ohio State, and we erected a two story high badger, a 
paper mache badger, in front of our fraternity, and I think I 
got to put the halo or something on top of it. I learned from 
an early day in my life what the Badger State was all about. 
Then we went out and crushed Wisconsin.
    [Laughter.]
    Senator Carper. No, I don't think so.
    Anyway, we are glad you are here and delighted that Angus 
is here.
    Senator King and I had the privilege of serving as 
Governors together, and it is great to be able to work here on 
all kinds of issues that are important to our country, 
especially this one.
    These two gentlemen currently serve as co-chairs of the 
Cybersecurity Solarium Commission, which was established by the 
2019 National Defense Authorization Act to develop a consensus 
national strategy to counter significant cyber attacks. Working 
together, Representative Gallagher and Senator King have 
provided crucial leadership in defending our Nation from cyber 
threats, and so we are very pleased that they could join us 
this morning to share their insights with us, so thank you 
both.
    I am going to ask Representative Gallagher, if you would 
lead off, and for Angus to follow in turn.
    Thank you both very much for joining us.

               STATEMENT OF HON. MIKE GALLAGHER, 
        U.S. REPRESENTATIVE FROM THE STATE OF WISCONSIN

    Representative Gallagher. Well, thank you, Chairman Carper 
and Ranking Member Capito. It is an honor to be here.
    I won't spend any time talking about my college fraternity 
experiences, because they all make me disqualified for office.
    [Laughter.]
    Senator Carper. It is a PG audience.
    Representative Gallagher. Exactly.
    It is also an honor to be here with my good friend and 
fellow Solarium co-chair, Senator Angus King, whom I've worked 
incredibly close to with on this project over the last few 
years, and really learned about the importance of securing our 
Nation's water supply from cyber attacks.
    In the course of our work, we paid special attention to our 
national critical infrastructure and the importance of securing 
that infrastructure from both criminal and nation state cyber 
threats.
    It is my observation and the commission's observation that 
the 16 critical infrastructure sectors are not equally equipped 
when it comes to cybersecurity. There are leaders, like the 
financial services sector, and there are, quite frankly, 
laggers. Despite the importance of our water systems, the water 
and wastewater infrastructure sector lags behind many of its 
peers, posing a risk to our public health and safety.
    In the report we submitted to Congress in March 2020, the 
commission concluded that water utilities remain largely ill 
prepared to defend their networks from cyber enabled 
disruption. As we've continued our work on approving the 
Nation's cybersecurity, bolstering the ability of the water 
sector to detect, prevent, and withstand cyber attacks has 
emerged as a crucial priority.
    Though 55 percent of utilities responding to a survey 
conducted by the Water Sector Coordinating Council rated 
cybersecurity as a high or top priority, the overall 
cybersecurity of our water sector remains immature.
    A 2016 National Infrastructure Advisory Council report 
highlighted the wide disparity in the technical capabilities 
and resources of water utilities across the country. Many of 
our Nation's nearly 70,000 community water and wastewater 
systems are small, publicly owned assets that are not equipped 
to deal with nation state threats. And the National 
Infrastructure Advisory Council has described the Federal 
support for the resilience of the water sector as ``fragmented 
and weak.''
    Municipalities have benefited greatly from the enhanced 
efficiency and quality brought by automated and remote systems 
for treating water supplies, but those same systems introduce 
new risks when not properly secured, as can often happen when 
budgets are tight and must be balanced.
    Investments in security can fall by the wayside. The Water 
Sector Coordinating Council reports that 38 percent of 
utilities dedicated less than 1 percent of their budget to the 
cybersecurity of information technology, and 44.8 percent 
allocated less than 1 percent of their budget to the 
cybersecurity of operational technology.
    This leaves the water sector vulnerable to nation state and 
criminal adversaries and insider threats and gives them the 
ability to disrupt our critical infrastructure.
    Against these threats, the water sector faces challenges 
ranging from maintaining awareness of threats to assessing 
risks to identifying and remediating vulnerabilities. A 
shortage of qualified cybersecurity professionals across the 
world compounds the problem, making it very difficult for 
resource strapped organizations to attract and retain the 
talent necessary to protect our drinking water and our public 
health systems.
    Earlier this year, for example, the city of Oldsmar, 
Florida, suffered a cyber attack in which malicious actors 
attempted to change the level of lye in the city's drinking 
water. Though the attack was quickly detected and stopped, the 
situation could have been disastrous.
    In another incident, a malicious cyber actor compromised a 
California water treatment plant, deleting crucial programs 
meant to treat drinking water. And in April, Federal 
prosecutors unsealed a grand jury indictment of a former 
employee of a Kansas water utility who remotely tampered with 
the utility's cleaning and disinfecting procedures. It was 
through sheer luck that none of these incidents affected 
customers.
    A more sophisticated adversary could impact the safety of 
thousands of Americans through a cyber attack on our water 
supply. Beyond the direct impact to drinking water, a cyber 
attack affecting the water supply could have cascading impacts 
for other critical infrastructure sectors that rely on clean 
and safe water to function properly. That is why it is 
considered a lifeline sector.
    These incidents underscore the importance of protecting our 
water systems and the need for more coordinated, consistent 
Federal action to ensure that water utilities have the people, 
processes, and technology necessary to protect our public 
health and safety. Investment in the sector's cybersecurity 
must match the importance of the sector to our national 
security, our economy, our public health, and our safety.
    With that, I just want to thank you again, Chairman Carper, 
Ranking Member Capito, and the members of this Committee for 
the opportunity to discuss this pressing issue with you today. 
We appreciate your attention to this matter, and with that, I 
would like to turn it over to my Cyberspace Solarium Commission 
Co-Chair, Senator Angus King.
    [The prepared statement of Representative Gallagher 
follows:]



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  



    Senator Carper. Thank you, Congressman.
    Senator King, please proceed.

                 STATEMENT OF HON. ANGUS KING, 
              U.S. SENATOR FROM THE STATE OF MAINE

    Senator King. I once appeared before a middle school group 
with my friend, Stephen King, the other King from Maine. A 
little girl raised her hand and said, ``Do you ever have 
nightmares?'' Stephen King's response was, ``No, I give them to 
you.''
    [Laughter.]
    Senator King. That is my job today, to give you a nightmare 
about the vulnerability of our water systems. This is an 
extremely dangerous situation.
    I believe that the next Pearl Harbor, the next 9/11, will 
be cyber. We are facing a vulnerability in all of our systems, 
but water is one of the most critical, and I think, one of the 
most vulnerable, and that is why Mike Gallagher and I thought 
it was important to come and talk to you today.
    We have to reimagine conflict. For a thousand years, we 
have thought of conflict and wars as army against army, navy 
against navy, battles out in some other place.
    Conflict now is almost entirely in the cyberspace area, 
focused on the private sector, on non-combatants, if you will. 
That is why we are in a different way of thinking about this 
kind of issue. We have to think about a new relationship 
between the government, particularly the Federal Government, 
and the private sector.
    Eighty-five percent of the targets in cyber space are in 
the private sector.
    In this country, I was on a panel recently with Kevin 
Mandia, who is one of the real private sector experts. He is 
the head of FireEye, the guy who really discovered the 
SolarWinds attack. He said we lived in a cyber glass house in 
this country.
    We are the most wired country in the world; that is good. 
But we are also the most vulnerable country in the world.
    North Korea, I don't think, has to worry too much about 
cyber attacks, because they don't have much in the way of 
connectivity.
    Everything in this country is connected, and water is a 
target. As Representative Gallagher just mentioned, we know of 
attacks in Florida, in California, in Kansas. There was a 
serious one in Israel recently. Wherever there is an automated 
system for controlling chemical flow, which there is in 
virtually all water systems, there is a vulnerability.
    Our adversaries, be they criminal syndicates or nation 
states, are never at rest, and Chairman Carper, in his opening 
statement, talked about how this has to be a sustained effort. 
There is no single solution. We have got to continue to up our 
game because our adversaries are upping their game.
    In terms of the water systems, we have good news and bad 
news. The good news is our systems are fragmented and 
scattered. In other words, it is not like the electric grid 
where an adversary could take down a whole region of a country. 
The bad news is because they are so fragmented, 70,000 of them, 
rarely do they have the wherewithal or the knowledge to fully 
protect themselves. So they can be picked off one at a time 
more easily than the grid, which has a high level of protection 
and a high level of sophistication.
    The Ranking Member knows all about what can happen when a 
water system goes bad, as it did in Charleston some years ago. 
It wasn't a cyber attack, but it was a kind of warning of what 
this can mean and how serious it can be for a community.
    So, what are the solutions? I should mention that our 
commission worked; we are still at work, we had our appalling 
44th meeting this past Monday, so we are still at it, trying to 
define what the solutions are.
    There are Federal solutions in terms of organization. We 
just appointed our first national cyber director 2 weeks ago. 
There are a lot of those things that are going on, but in an 
area like this, protection begins at the desktop.
    We could do everything right here in Washington, and 
goodness knows, we don't, but we could, but still be vulnerable 
if one official in one desk in Dubuque in the water office 
clicks on a phishing e-mail, then we are sunk, and that is the 
danger. There has to be a system of tech support through the 
Department of Agriculture, through your programs, tech support 
for these programs.
    There have to be standards, and there has to be testing. 
There has to be somebody who, if I were running a water system, 
I would hire an outside group to try to hack me to show whether 
or not I am vulnerable.
    Most CIOs say yes, boss, we are OK. I don't think we are, 
and the only way to determine that is by what is called 
penetration testing, which is actually hackers for hire, 
friendly hackers, to determine where your vulnerability lies.
    We need to talk about systemically important critical 
infrastructure and setting up an environment, in our report we 
called a joint collaborative environment where the private 
sector and the government can share information in real time 
with confidence and trust that will enable us to bring to bear 
the resources of the Federal Government and also to allow the 
private sector to have some liability protection if they are 
going to share information and have this relationship, because 
a week later doesn't work.
    To go back to the beginning, there is an incipient 
nightmare here, and it involves all sectors of our critical 
infrastructure. But water, I think, is probably the most 
vulnerable because of the dispersed nature of water systems in 
the country.
    So I commend this Committee for attending to this issue. I 
look forward to working with you as we try to work through the 
solutions and to have our game at the level of our 
adversaries'. This is a potential nightmare, but it is one that 
we can wake up from if indeed we wake up.
    Thank you, Mr. Chairman.
    [The prepared statement of Senator King follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  
    
    
    
    Senator Carper. We should pay you for coming and 
testifying. That was terrific. That was just terrific.
    Actually, we do pay you for coming and testifying.
    I would say to Congressman Gallagher, Senator Capito and I 
love working with your colleagues here on a lot of issues. 
Whenever I have the opportunity to cosponsor a bill with Angus, 
I always insist that his name goes first. That way people can 
describe the legislation as ``King Carper.''
    [Laughter.]
    Senator Carper. You think I am kidding.
    Senator King. I always talked about it with Tom Cotton, 
King Cotton.
    [Laughter.]
    Senator Carper. All right, gentlemen. I know you don't have 
anything else to do today. No, I know you have got a lot of 
other things to do. Thank you so much for your leadership on 
this and for taking time to kick us off this morning. Thank 
you.
    With that, I think our second panel is welcome to take your 
seats.
    I think I have had a chance to shake all of your hands this 
morning. Senator Capito and I have had a chance to personally 
welcome you.
    Some of you we know very well, Shailen, and others not as 
well, but we are delighted that you were able to find time in 
your schedules to join us.
    I will take a minute or two to introduce our witnesses.
    First, let me introduce Shailen Bhatt, who is not a native 
of Colorado. He is not a native of Delaware, but in the past, 
he has served as Secretary of Transportation for both of those 
States. We are grateful for his service.
    I know Hick, we call him Hick, Governor Hick, Senator 
Hickenlooper for whom you worked is grateful for your service.
    In addition to literally serving as a DOT head at two 
States, Shailen has also served as Associate Administrator at--
this is impressive; I learned some things I didn't know about 
Shailen--he served as Associate Administrator at the Federal 
Highway Administration. It mentions the Secretary of DelDOT, as 
well as the Executive Director of the Colorado Department of 
Transportation. The list goes on. I won't go through 
everything.
    Thank you for your extraordinary record of public service.
    Let me also introduce John Sullivan.
    Mr. Sullivan, good to see you. Chief Engineer for the 
Boston Water and Sewer Commission. Do you have a favorite 
baseball team?
    OK, thank you. Good. I think I know who it is.
    Mr. Sullivan is a 49 year veteran of the Commission.
    Is that true?
    Mr. Sullivan. Yes, that is correct. I am in my 50th year, 
and I re-signed up for 5 more.
    Senator Carper. I love that. Anyway, thank you for all 
those years of service. I understand you serve on a number of 
other boards, leading national and regional organizations 
dedicated to the advancement of water delivery systems and 
pollution control.
    Next, I want to introduce Ms. Sophia Oberton.
    Sophia, welcome. Public Works Department, Special Project 
Coordinator for the town of Delmar, Delaware. It sits right 
on--Ben Cardin knows, it sits right on the Delaware-Maryland 
line. Half of it is Delaware, and half of it is Maryland. We 
call it Delmar, the town too big for one State.
    Ms. Oberton. That is correct.
    Senator Carper. There you go. Delaware has a unique 
jurisdiction, with town departments that provide services to 
residents on both sides of the Delaware-Maryland State line.
    Ms. Oberton is a licensed water operator in both States who 
also serves as the Safety Coordinator for the town of Delmar.
    Welcome. Which side of the border do you live in?
    Ms. Oberton. I live on the Maryland side.
    Senator Carper. I am sorry.
    [Laughter.]
    Senator Carper. The lady's time has expired. Not really.
    Finally, I want to introduce Mr. Evan Pratt, the Water 
Resources Commissioner in Washtenaw--is it Washtenaw?
    Mr. Pratt. Washtenaw, that is correct. The first peoples' 
name.
    Senator Carper. Oh, good. Washtenaw County, Michigan as 
Commissioner. Mr. Pratt oversees a range of programs and 
services, including design, construction, and maintenance of 
county drains, as well as emergency flood response and 
maintenance of lake water levels, to name just a few of his 
many duties.
    Mr. Pratt is also the Chair of the Huron River Watershed 
Council Board of Directors and President of the Michigan 
Chapter of the American Public Works Association.
    One of my great thrills of my life was to throw the opening 
pitch at the Tiger Stadium the last week the Tigers played in 
Tiger Stadium.
    Mr. Pratt. I was at that game.
    Senator Carper. It was so exciting. I always wanted to be 
third baseman for the Tigers, and after I threw the pitch, I 
went over, and I stood on third base, and I said, this is mine, 
and they closed the stadium that week. It has been some years 
since they could have used me on third base, but not this year.
    Mr. Pratt. I spent 6 years drinking Mr. Sullivan's water, 
so I am kind of a Red Sox fan, as well.
    Senator Carper. That is good, that is good.
    We are grateful you are all here. We look forward to an 
enjoyable hearing and informative hearing, and one that will 
maybe excite and get us on the right path so we address these 
really significant challenges.
    Shailen, I am going to recognize you first for your 
statement, and then we will follow in order.
    Mr. Secretary, Shailen Bhatt.

  STATEMENT OF SHAILEN BHATT, PRESIDENT AND CEO, INTELLIGENT 
               TRANSPORTATION SOCIETY OF AMERICA

    Mr. Bhatt. Good morning, Chairman Carper, Ranking Member 
Capito, and members of the Committee. I am honored to be here 
today.
    On behalf of ITS America members working to secure 
transportation assets, thank you for recognizing the growing 
risk and making cybersecurity explicitly eligible in the 
Committee's FAST Act Reauthorization bill.
    For the past 100 years, surface transportation has 
primarily consisted of individual, independent vehicles 
traveling on asphalt. In other words, cars and trucks moving 
on, over, and through roads, bridges, and tunnels without the 
benefit of intelligent transportation technologies.
    Twenty years ago, in addition to causing a tragic loss of 
life, the 9/11 attacks were a wake up call that focused our 
attention on the vulnerabilities of U.S. infrastructure.
    When I was with the Kentucky Transportation Cabinet in 
2005, we had deployed sensors and CCTV to monitor critical 
roads and bridges. At that point, data was still largely siloed 
and fragmented, but soon, these transportation data systems 
converged. Shortly after that, connected vehicles, along with 
faster and more reliable broadband entered the equation.
    In the last decade, we have seen another convergence: The 
smartphones and other devices that have been so helpful in our 
daily lives were introduced into transportation. State and 
local transportation agencies began to modernize their 
informational and operational technologies, overlaying their 
physical infrastructure with a digital layer. They began to use 
real time data and predictive analytics to operate the systems 
with more efficiency and functionality, which led to safer 
roads.
    Today, we are on the cusp of a digital transformation in 
transportation. The Internet of Things, electric vehicles, V-
to-X, and other emerging connected vehicle technologies, 
autonomous and automated technologies, and mobility on demand.
    While advances have made the transportation system more 
connected than ever, this connectivity brings increased cyber 
risks, and these risks have the potential to threaten the 
system, the economy, and people's lives.
    In the last 3 years alone, we have seen a 900 percent 
increase in attacks focused on operational technology use in 
traffic management signaling systems across the country.
    ITS technologies are making our system safer and more 
efficient by moving people, data, and freight. They support the 
U.S. economy. We must, however, secure our critical 
infrastructure assets and manage the vulnerabilities that come 
with a more complex system. ITS technologies play a critical 
role across the country, in cities and suburban and rural 
areas, and not just with passenger traffic.
    Let me give you an example of the critical role technology 
plays in supporting our economy. Think about a truck delivering 
freight from South Carolina's Port of Charleston to West 
Virginia's capital city of Charleston. Traffic management 
software efficiently helps to drive or maneuver out of the port 
and through city traffic.
    Automated enforcement allows inspections to happen at 30 
miles per hour instead of the driver stopping. Smart truck 
parking helps the driver find a place to rest and maximizes his 
or her hours of service. Electronic logging devices collect 
those hours of service. GPS technology can adjust routing based 
on weather and traffic information.
    These are just a few of these examples of technologies that 
improve safety and efficiency, and they must all be 
safeguarded.
    Just as we have underinvested in roads, bridges, and 
tunnels over the last two decades, the same is true for 
cybersecurity. We have not made the necessary investments to 
protect our transportation system. Developing a resilient 
system begins with cybersecurity. We should take it just as 
seriously as we do with other industries.
    As a former DOT director for two States, I am very familiar 
with making tough choices about how to spend scarce resources.
    Public agencies must take an enterprise risk management 
approach by assessing and analyzing risks and making decisions 
accordingly. We recommend a more robust national transportation 
cybersecurity strategy to make the digital layer of our 
transportation system safer, much like how Vision Zero makes 
our fiscal infrastructure safer.
    We can do this by ensuring transportation agencies meet 
certain marks determined by the National Institute of Standards 
and Technology and the Center for Internet Security. We should 
treat cybersecurity like other safety programs, funded at 100 
percent and provide technical assistance and best practices. In 
addition, we should help rural transportation agencies and 
areas of persistent poverty or income inequality, and let's 
allow flexibility in how transportation funds are used to 
invest in future cybersecurity work force capacity.
    This is a critical opportunity. We have a playbook. If we 
provide the necessary resources, we can level the playing field 
and create a more safe and secure transportation network. We 
should give cybersecurity the same level of support that we 
give other safety programs. DOTs need resources to shore up 
their infrastructure.
    Thank you again for the opportunity to testify today. I 
look forward to answering any questions you may have.
    [The prepared statement of Mr. Bhatt follows:]
    
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  
    
    
    
    Senator Carper. Thank you, Secretary Bhatt.
    Now, we are going to turn to Mr. Sullivan to provide his 
testimony.
    Ms. Oberton, you are batting on deck.
    Go ahead, Mr. Sullivan.

          STATEMENT OF JOHN SULLIVAN, CHIEF ENGINEER, 
               BOSTON WATER AND SEWER COMMISSION

    Mr. Sullivan. Thank you, Chairman Carper, Ranking Member 
Capito, and members of the Committee. Thank you for the 
opportunity to testify on cybersecurity challenges facing the 
Nation's critical infrastructure.
    I am John Sullivan, Chief Engineer of the Boston Water and 
Sewer Commission. The commission is the largest and oldest 
water system of its kind in New England and provides drinking 
water and sewer services to more than 1 million people daily.
    Today, I am testifying on behalf of the Association of 
Metropolitan Water Agencies, or AMWA, which is an organization 
representing the Nation's largest publicly owned drinking water 
systems. AMWA's members collectively serve more than 156 
million Americans with quality drinking water.
    In addition to serving on the boards of AMWA and other 
State and national groups as well as on the Water Sector 
Coordinating Council, I also chair the Water Sector's 
Information Sharing and Analysis Center, better known as the 
WaterISAC.
    AMWA operates WaterISAC on behalf of the water sector. It 
is a non-profit organization established in 2002 by national 
water and wastewater associations at the urging of EPA and the 
FBI to provide utilities with critical information on physical 
and cybersecurity threats and best practices for prevention and 
response.
    WaterISAC members currently serve 203 million people across 
the United States. While EPA and Congress provided some funding 
to get the service up and running, today, member dues support 
100 percent of the WaterISAC's budget.
    We know that water utilities pose attractive targets for 
cyber attackers. We are all aware of the well publicized 
intrusion against the water utility serving Oldsmar, Florida, 
earlier this year. While utility staff immediately observed the 
breach and took corrective action to prevent any impacts to 
water quality or public health, it is easy to imagine how the 
outcome could have been much worse.
    The Boston Water and Sewer Commission had its own 
experience with a cybersecurity incident last year in the form 
of a ransomware attack. While it complicated day to day 
business and was costly to recover from, there was never any 
threat to public or environmental health due to precautions 
such as our business network being segregated from our control 
system. This is the best practice in any sector that uses 
industrial control systems, but this approach is not consistent 
across the sector's 50,000 drinking water systems and 16,000 
wastewater systems.
    With such a large universal water system across the 
country, many are bound to have a lack of understanding of 
these cyber best practices or a lack of expertise and equipment 
to implement them. This is where the WaterISAC can help.
    In Boston's case, the center was instrumental in our 
recovery from our incident, as it referred us to a firm 
specializing in ransomware incident response, which helped us 
navigate our way through the event. Expanding the reach of the 
WaterISAC would therefore enable more water systems to be 
better prepared to respond to their own incidents.
    As Congress thinks about new oversight of cybersecurity at 
water utilities and critical infrastructure more broadly, we 
support an approach that incorporates the advice of subject 
matter experts from the water sector, as well as lessons 
learned from other sectors. The nature of cyber threats is they 
are evolving, and a binding requirement that makes sense with 
today's technology could quickly become outdated in years 
ahead.
    Any regulatory oversight of the cyber sector and cyber 
activities must therefore remain as nimble as possible. One 
promising model for legislation could be found in the Energy 
Infrastructure Act approved by the Senate Energy and Natural 
Resources Committee last week. That proposal would encourage 
electric utilities to bolster their cyber preparations and 
would seek to increase participation in the Electricity 
Information Sharing and Analysis Center, WaterISAC's 
counterpart for the electric sector.
    A similar direction for the water sector would have EPA 
take steps to bolster water sector participation in the 
WaterISAC, especially among systems serving fewer than 100,000 
people. This would help us get threat information and best 
practices into the hands of more small systems across the 
country.
    In closing, I want to note that my written testimony offers 
some feedback on water sector cybersecurity provisions in 
Senate 914, the Drinking Water and Wastewater Infrastructure 
Act, approved by the Senate this spring. While AMWA believes 
these provisions were well intentioned, we have identified a 
number of issues that could prevent the proposal from working 
as envisioned in its current form. We would be happy to work 
with you to address these issues.
    Thank you for the chance to testify today, and I am happy 
to answer any questions.
    [The prepared statement of Mr. Sullivan follows:]
    
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  
    
    
    
    Senator Carper. Mr. Sullivan, thank you, and thank you for 
your extraordinary service. Forty-nine years, that is very 
impressive.
    Ms. Oberton, please.

  STATEMENT OF SOPHIA OBERTON, SPECIAL PROJECTS COORDINATOR, 
                 DELMAR PUBLIC WORKS DEPARTMENT

    Ms. Oberton. Good morning, Chairman Carper, Senator Cardin, 
and members of the Committee.
    I am Sophia Oberton, the Special Projects Coordinator with 
the Town of Delmar in Delaware and Maryland. We have a 
population of approximately 4,500 persons.
    I hold a Class 4 drinking water operators' license in both 
Delaware and Maryland. In addition to managing the town's 
public drinking water supply, I am also the town's Safety 
Coordinator.
    I am honored to testify here today on behalf of small and 
rural communities in the United States through my affiliations 
with Delaware, Maryland, and national rural water associations. 
I am joined by my mother, Mrs. Linda Anderson, and the Town of 
Delmar's Town Manager, Mrs. Sara Bynum-King.
    Senator Carper. Could your mother just raise her hand?
    Ms. Anderson, thank you. I was going to see if we could see 
her lips move when you spoke, but that would be a lie.
    [Laughter.]
    Senator Carper. She is wearing that mask.
    Ms. Oberton. Before getting into the substance of my 
comments, I want to personally thank Senator Carper and Senator 
Cardin for being such good friends and supporters of rural 
Delaware, Maryland, and rural USA. The rural and small town 
provisions in your recent legislation, DWWIA 2021, are very 
much appreciated.
    Senator Carper, you made us so proud when you chose to 
announce the legislation at Delaware Rural Water Association 
headquarters in Milford in April.
    The Town of Delmar would like to sincerely thank Congress 
for the funding we received under the American Rescue Plan Act. 
We received $3.7 million for the entire town. Much of this 
funding will be earmarked for water and sewer projects.
    My main messages here today regarding cybersecurity 
protection of small and rural communities' public drinking 
water infrastructure is, first, small communities only operate 
to serve the public interest. We are owned and governed by our 
local citizens through the elected local government. We only 
exist to serve the public and are eager to take all feasible 
and necessary actions to protect the cybersecurity of our 
public drinking water supplies.
    Second, most U.S. community water systems are small, like 
my Town of Delmar. Ninety-one percent of the country's just 
under 50,000 community water systems serve populations less 
than 10,000 persons. Eighty-nine percent serve populations less 
than 3,300 persons. That means approximately 90 percent of the 
country's public water supplies are smaller than my town, and I 
am about to explain the rudimentary nature of Delmar's water 
cybersecurity.
    However, any successful cyber attack on a small community 
that results in drinking water contamination would cause 
psychological panic in a national scale. This is why small 
communities believe that protecting our water supplies from any 
cyber attack is just as important as protecting large 
communities.
    In Delmar, we don't have a SCADA control system or 
interface with the Internet regarding our water infrastructure. 
On the other hand, we do have automated well pumps, 
disinfection injection, corrosion control technology, and 
pressure monitoring systems. If one of the water treatment 
technologies is not functioning properly, we receive an alarm 
message on our cell phone, and we must get to the appropriate 
part of the treatment facility to directly adjust the system.
    We want the Committee to know that when towns like Delmar 
need help in operating our water utilities, understanding new 
and complex Federal water requirements, receiving the required 
training to maintain our licenses, and learning about the 
latest cybersecurity practices, we call on our rural water 
associates and ask for assistance from their Circuit Rider 
technical assistance providers. These Circuit Riders will 
travel directly to our town and focus on our particular issue 
with our specific water utilities.
    Just this past April, a Circuit Rider from Delaware Rural 
Water and another from Maryland Rural Water came to Delmar and 
spent the entire day helping us complete the very complicated 
EPA mandated risk assessment. I can't imagine how many days 
this approximately 50 page assessment would have taken us to 
complete without the direct technical assistance of the Circuit 
Riders. We may have been forced to pay a consulting engineer to 
complete the assessment for us, which would likely cost over 
$10,000, a massive unplanned expenditure for a town our size.
    Our greatest threat identified within the EPA assessment is 
likely the physical disruption of the water supply. However, 
our most significant issue from our perspective is the lack of 
personnel to operate and maintain the public water supply, 
fulfill the mandatory compliance testing and reporting, and 
respond to the typical small scale emergencies in the water 
system, such as line breaks and leaks.
    We also need to replace our old and failing terracotta 
sewer lines, which are causing a severe I&I problem for the 
wastewater utility.
    The reality is that small towns have limited financial 
resources, which must be targeted to meet our greatest needs. 
Any cybersecurity program should be scalable, meaning it must 
recognize the complexity of water cybersecurity systems in 
small communities like Delmar is not remotely similar to a 
large community.
    In closing, Mr. Chairman, I want to thank you again on 
behalf of small and rural water communities for your continued 
help and assistance.

    [The prepared statement of Ms. Oberton follows:]


    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]      
    
    
    
    
    Senator Carper. What is I&I?
    Ms. Oberton. I&I is the inflow and infrastructure of water 
going into our sewer systems from manholes and our old 
terracotta pipes.
    Senator Carper. Thank you. Okey-doke.
    Thank you for your testimony. Thanks so much for joining 
us.
    Ms. Oberton. Thank you.
    Senator Carper. Senator Cardin, I am sure he will want to 
welcome you personally when he is able to join us in a little 
bit.
    I think that takes us to Mr. Pratt.
    Evan, we used to have a Congressman, a Senator named Evan, 
and a Governor named Evan Bayh. It is a great name, great 
calling.
    I am happy you are here. Welcome. Please proceed.

STATEMENT OF EVAN PRATT, MEMBER, GOVERNMENT AFFAIRS COMMITTEE, 
               AMERICAN PUBLIC WORKS ASSOCIATION

    Mr. Pratt. Thank you very much, Chair Carper, Ranking 
Member Capito, and members of the Committee.
    I am Evan Pratt. On behalf of the American Public Works 
Association and our more than 30,000 members across America, I 
do appreciate the opportunity to provide this testimony today 
with some wonderful peers at this important hearing on 
cybersecurity vulnerability for America's physical 
infrastructure.
    As background, I spent my career in public infrastructure. 
I have a fancy degree from MIT, and I have been a licensed 
engineer for 30 years.
    Senator Carper. What was your degree in? What was it, 
engineering?
    Mr. Pratt. Civil and environmental engineering.
    Senator Carper. We have a mechanical in our family from 
there.
    Mr. Pratt. Oh, there you go.
    Senator Carper. I can barely spell MIT. To have a kid go 
there is pretty amazing.
    Mr. Pratt. Just remember, it is TIM backward in the mirror.
    Senator Carper. That is great; that helps a lot.
    Mr. Pratt. Little mnemonic device, right?
    I am a frontline person. I currently serve as the Water 
Resources Commissioner for Washtenaw County, Michigan with 
about 370,000 people.
    But today, I am testifying on behalf of APWA, the only 
association to serve and represent all areas of public works, 
both public and private sector and providing expertise at the 
local, State, and Federal levels. A lot of smarter people than 
me, I would say.
    Cybersecurity is an increasingly important part of 
protecting our critical infrastructure assets and our citizens, 
and I am embarrassed to say today, I am here because I and many 
of my peers know we are behind on cybersecurity, and we need 
help from you.
    You are going to hear some things that Representative 
Gallagher said, and I don't think either of us hacked into our 
systems to steal our speeches, but boy, he had a lot to say, 
and he is right here.
    We are first responders in public works. We embrace our 
responsibilities on the front line preparing for, responding 
to, and recovering from disasters, all while protecting that 
critical infrastructure that is out there.
    I think you all understand critical infrastructures is the 
roads and the bridges, sewer plants, water plants, flood 
control devices, drainage systems, and of course, the cyber 
systems that are sometimes used as controls to operate these. 
For the purposes of today's hearing, I kind of want to focus on 
that area.
    We heard about the industrial controls in the water 
business. They are known as SCADA systems, which stands for 
Supervisory Control And Data Acquisition. We use this stuff to 
manage systems and to make decisions, so it is pretty important 
to a lot of systems.
    We all know flood control systems are critical, too, from 
mitigating severe weather, and it is essential for Congress to 
consider shared strategies to save our communities from 
potential attacks on these increasingly automated and connected 
systems.
    As we do appreciate, as many have thanked you, Congress can 
and has supported America's critical infrastructure through 
continued and flexible Federal funding, financing, and 
regulatory streamlining to help ensure that our agencies have 
the resources to protect against cyber crime.
    In 2016, 2017, I was part of a Governor's bipartisan task 
force to assess the condition and funding needs of all 
infrastructure in the State of Michigan using a RiskLens. To be 
clear, the overall purpose of the report was to bring that ROI 
that infrastructure brings right into focus, right to our State 
economy and to community quality of life, and that report is 
still used today, but there was not a single recommendation 
about cybersecurity, nor did we ever discuss it in talking 
about all the needs for infrastructure.
    The bottom line is, we are trying to play catch up right 
now, and again, I will talk a little bit later about where we 
could get help.
    As Sophia said, I have learned and observed since then. 
Cybersecurity is a big issue. On the one hand, not all 
utilities have remote sensing and controls. On the other, the 
wide range of SCADA solutions for the many who do may result in 
weak points when deployed, particularly with varied levels of 
agency cyber awareness that you have heard about today, and 
even more especially in the very common situation where 
agencies like mine can only meet their SCADA needs by stitching 
together several different tools, having homemade applications.
    And then there is the gentleman or lady who is on call at 
home, and they might be operating this from a bring your own 
device type of situation. My county will give people $80 a 
month for the phone, and you are on call, and you got to 
operate the system.
    That is how you are going to be doing it, so you can 
picture, there is a lot of, the more hand offs, the more 
fumbles, let's just say how that goes.
    At the end of the day, you have heard about the Nation 
having its fair share of attacks, whether it is SolarWinds, 
Colonial Pipeline, or other intrusions attacking those SCADA 
systems like Oldsmar and Post Rock, Kansas, that have been 
talked about today.
    I would just like to summarize the risk. You have heard 
about the 50,000 water systems, nearly 70,000 water and sewer 
plants across the U.S. I will say that again: That is 70,000. I 
don't know what .1 percent is of that, even though I got a 
fancy degree, but it is a number that affects people, like in 
Delmar. One of those goes bad, and as was mentioned, that can 
cause nationwide panic, just with one of those 70,000 systems, 
so there is a lot of vulnerability there.
    In closing, APWA recommends the following, and again, we 
appreciate this Committee has supported many of these things. 
First, the Federal Government must share threat information and 
provide inter-agency technical support, perhaps by establishing 
voluntary national cybersecurity guidelines, something to 
supplement the Water Rights Act that has been talked about.
    Second, let's standardize and utilize important tools to 
protect these critical areas, including SCADA systems. Third, 
comprehensive cybersecurity training for old guys like me and 
my peers is really essential. That is something that we need to 
have more of out there so the awareness is greater.
    Fourth, please continue to fully fund FEMA's Emergency 
Management Performance Grant Program. Fifth, let's encourage 
effective asset management strategies to help deliver best 
taxpayer value. That is why we use these controls, because we 
can more efficiently operate these systems and get more bang 
for the buck.
    Sixth, let's continue to ensure that cybersecurity is 
specifically eligible for all the funding this wonderful 
Committee provides. My agency has a history of more than 30 
revolving loan funds for resilience and flood control, water 
quality, infiltration, and all of that.
    Our seventh thing is to basically lift that cap on private 
activity bonds for water infrastructure and restore advanced 
refunding of tax exempt municipal bonds. This helps both local 
cybersecurity funding as well as taxpayers when we can get 
better interest rates.
    My last one that APWA requests is, I hope Congress 
continues to ensure State and local control regarding public 
works projects. Locals are experts on their community needs.
    We do thank this Committee for holding this important 
hearing and allowing me to provide testimony, and like everyone 
here has said, APWA stands by ready to help, however you need 
us.
    Thank you.
    [The prepared statement of Mr. Pratt follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  
    
    
    
    Senator Carper. That was great. Thank you so much, Mr. 
Pratt.
    Senator Capito is going to lead us off on our questioning, 
so shall we?
    Senator Capito. Thank you. Thank you, Mr. Chairman.
    Thank all of you. Very interesting.
    I want to start with just kind of a quick question to Ms. 
Oberton.
    You mentioned in your testimony that you hold a Class 4 
Drinking Water Operators License in Delaware and Maryland. Is 
there any cybersecurity training that goes along with obtaining 
one of those licenses?
    Ms. Oberton. None.
    Senator Capito. None.
    So there is a gap right there, and that is probably, I 
don't know, Mr. Bhatt, or maybe Mr. Pratt, do you know other 
licenses, other levels, is there ever any cyber training that 
goes along with any of the licensures?
    Mr. Pratt. I have gone to lots of training; I have given 
lots of training with various professional organizations. I 
have never attended a cybersecurity class, and I can't recall 
seeing one on an agenda. Perhaps they are out there, but it is 
not typically required in licensure situations that I am 
familiar with. I don't know everything, but it is rare today.
    Senator Capito. OK.
    Let me ask too, then, another basic question, Mr. Sullivan 
or Ms. Oberton, and Mr. Pratt would probably know this issue 
from operating local systems. If you were to see that a cyber 
attack is occurring, or you made note, you had the ransomware 
attack, right?
    Who do you go to first? Do you go to Homeland Security, do 
you go to your State? I know you went to your--I can't remember 
what the organization was that helped you solve your problem, 
but is there a response that is laid out for you to be able to 
react to something like that?
    Mr. Sullivan. Under AWEA, we had already had an emergency 
plan, should we be attacked. We received on all printers at 3 
o'clock in the morning, every printer printed out the 
ransomware demand of $2 million and told us that we were 
encrypted.
    We immediately shut down the entire system. We notified the 
FBI immediately; we notified the EPA; we notified our State.
    Senator Capito. FBI, EPA, and your State.
    Mr. Sullivan. We turned to the WaterISAC to say, we were 
just attacked. What do you do? Who are the experts?
    Because cyber is a different thing. None of us have trained 
in it. All of us know about it; we know about the threats and 
all that, but what to do?
    So, there are experts out there, and we were able to 
immediately contact the ISAC, who knew of companies that 
immediately came in and helped us bail out.
    Senator Capito. Ms. Oberton, if you were to get sent 
something, get something on your printer at 3 o'clock in the 
morning, who would you go to first?
    Ms. Oberton. I think we would contact our State and local 
governments. It is not necessarily like this gentleman said, 
Mr. Sullivan said, it is not directly laid out. It is not a 
training that we have had, or hopefully it is coming forward to 
let's know as a small and rural area.
    Senator Capito. Right, which is my entire State. Let me ask 
you this: You mentioned the Circuit Rider Program, which is 
great for our States.
    Ms. Oberton. Yes, absolutely.
    Senator Capito. Did they have any expertise, or did they 
bring anything to you on cybersecurity?
    Ms. Oberton. Not as of yet. But the tons of educational 
information, I am sure that is coming down the pipeline.
    Senator Capito. Yes.
    Mr. Pratt, do you have anything? Where would you go if you 
were attacked?
    Mr. Pratt. FBI first, and the WaterISAC, plus our State has 
some support in that area.
    I do want to echo what Representative Gallagher said, 
though. Many government agencies have historically viewed IT 
infrastructure as an optional buy out versus necessary 
investment. We are playing catch up, and that SCADA marketplace 
is much less mature on cybersecurity than say, I had it written 
down, the financial or medical software market.
    My county was hacked, not in our control systems, but they 
got in and got some HIPAA records from an internal type of 
pathway, and we have had a Chief Information Security Officer 
since that time. Fortunately, I was able to speak with him 
prior to coming here to get his insight on things.
    But FBI, WaterISAC, and State SSO Agency.
    Senator Capito. Mr. Bhatt, let's talk about transportation 
a little bit because I think, obviously, with autonomous 
vehicles and electric vehicles, I mean actually, I saw, I call 
it a lamppost. It was an enormous post that they were going to 
be installing along one of our major arteries, interstates, and 
my husband looked over, and he was like, what is on the top of 
that? It was some kind of sensor.
    I don't know what it was. It could have been a weather 
sensor; it could have been a who knows what, but it was 
something tied to the Internet. It was pretty obvious there. I 
think that we are going to see this more and more. It may have 
been something to sensitize when and how often the light went 
off and on or whatever.
    In transportation, where would a transportation facility 
go?
    Because I am the Ranking Member on Homeland Security, on 
the Appropriations Committee. There is an organization there, 
SISA, that is supposed to be helping all State and local in a 
lot of areas in terms of cybersecurity. We are putting a lot of 
money into that, because I think this could help our Circuit 
Riders, it could help our State and locals, it could help 
everybody.
    But where would you go in a transportation incident?
    Mr. Bhatt. So, I think that you have correctly identified 
the major vulnerabilities, and many vulnerabilities that exist, 
because as we introduce more of these sensor systems, active 
traffic management, VMS signs, variable message board signs, 
closed circuit television cameras, tolling systems, these are 
all potential vectors, or entry points.
    You want to delineate between operational technologies, 
vulnerabilities, like I just listed out, the IT, that is in 
there where somebody was opening up a phishing e-mail, and then 
all the data that is out there.
    Colorado DOT experienced a ransomware attack. The playbook 
there was to go to the State resources first, but it quickly 
became apparent that it was a state sponsored attack.
    So we had to bring in Federal resources from Colorado 
Springs, or they did; I was not there at that time, but from 
Colorado Springs and other places.
    So I think that that is one of the reasons for providing 
Federal support, to bring all of these States and other 
transportation agencies up to a level playing field, so no 
matter whether you are the most sophisticated State or one that 
is just discovering this, you kind of know exactly where to go.
    Senator Capito. Thank you.
    Senator Carper. Thank you.
    Senator Whitehouse, thanks for joining us.
    Senator Whitehouse. Thank you, Chairman.
    Thanks to all the witnesses for being here.
    Just a quick opening question. Ms. Oberton, what Federal 
standards must Delmar adhere to with regard to cybersecurity?
    Ms. Oberton. Whatever is put out there for us to follow. We 
don't have any specific standards at this point for 
cybersecurity.
    Senator Whitehouse. I think that is my point, thank you.
    Ms. Oberton. Yes.
    Senator Whitehouse. Mr. Sullivan, Boston Water, what 
Federal standards are you obliged to follow regarding 
cybersecurity?
    Mr. Sullivan. The only Federal requirement was we needed 
the follow AWEA, and we needed to self-certify that we looked 
at our systems, we came up with a plan. That is the only 
standards that I know of.
    Senator Whitehouse. Mr. Pratt, your county?
    Mr. Pratt. No mandates.
    Senator Whitehouse. I think that is a pretty open 
situation. My view of this is that the Federal Government, by 
and large, has done a pretty good job of defending its cyber 
systems. When there is a hack, it is a big one, because we have 
boatloads of info, but by and large, Federal agencies have been 
fairly good.
    The defense industrial base has done quite a good job at 
defending itself, because it is put under immense pressure by 
the Department of Defense to make sure that it does defend 
itself.
    The financial system is heavily regulated, and as a result, 
the financial system has done a very good job of defending 
itself.
    Local government has very mixed views. The Town of East 
Greenwich in Rhode Island sustained a ransomware hack, but it 
was prepared. They quickly shut down their systems. They had 
backups that were current that they could roll right in 
quickly. They had a disaster recovery plan, and it took a lot 
of work, but they were able to pay no ransom and get back up 
and operating and lose no data because they were prepared. Paid 
no ransom because they were prepared.
    One of the reasons they were able to do that was because 
another Rhode Island municipality had very bad luck, and it had 
to pay.
    Our Rhode Island State Police Cyber Unit did a very good 
job of going and banging on the doors of our 39 municipalities 
and saying, look guys, this just happened. Everybody has to be 
ready.
    So that change happened, and East Greenwich was ready and 
did a very, very good job.
    The worst place in the country that I can think of right 
now is privately owned critical infrastructure because they 
have successfully defended against being under anything other 
than the voluntary NIST Framework Program, which is totally 
voluntary.
    It is immensely frustrating to me, having worked in this 
space since my time on the Intelligence Committee a long time 
ago, that we have known about ransomware for over a decade, 
right? We have known that critical infrastructure was the prime 
target for cyber hackers for more than a decade.
    We spent billions of dollars to defend critical 
infrastructure through Homeland Security, through the 
Department of Defense and other places, and what did we get? We 
got a ransomware attack on critical infrastructure, and it 
succeeded. Why people didn't get fired over that, I do not 
know.
    But part of the deal has to be that we have got to be less 
reticent about a company's critical infrastructure, making sure 
that they are doing their job of defending themselves. We can't 
just have the Chamber of Commerce, the U.S. Chamber of Commerce 
come in here and say, no, we are against all this stuff, and 
roll over backward when it is critical infrastructure.
    So, you guys are kind of in the middle. You are not 
privately owned, but you are not much supported, either with 
resources or with regulations. I hope very much that in this 
Committee, we will start to develop things that will help you 
work through this, so you are more like East Greenwich when you 
get hit.
    It sounds, Mr. Sullivan, like you all did a pretty good job 
of getting back online.
    Mr. Sullivan. We did not pay any ransom. We immediately 
shut down. We didn't even communicate with them, and we sought 
the resources, but we had a plan already, because we were 
required to do that.
    The problem we have, we got the ransomware because an 
employee opened up an e-mail, despite the training we had, and 
it takes constant training. That is the biggest problem for the 
large utilities. Cybersecurity, the element of people watching 
out all the time. Everyone assumes that e-mail comes in, it 
looks good, let's open this attachment.
    Senator Whitehouse. You click the attachment, and suddenly 
they are in.
    Mr. Sullivan. Yes.
    Senator Whitehouse. Yes. If I could mention just one 
additional thing that doesn't really bear on this Committee, 
but I am hoping we can get it done bipartisan and maybe even by 
unanimous consent.
    Senator Graham, Senator Tillis, Senator Blumenthal and I 
have a bill to help with criminal enforcement of people who 
attack our critical infrastructure. It makes hacking qualify 
for a bunch of predicates, like RICO and money laundering, and 
so forth. It deals with bots and botnets. In my view, there is 
no good bot, and there is no good botnet, but the authority to 
go after them before they become----
    Senator Carper. Maybe a Shailen Bhatt?
    [Laughter.)
    Senator Whitehouse [continuing]. Before they become--sorry, 
B-O-T, not B-H-A-T-T--but the authority to go after them before 
they become actively harmful is unclear, and we need to fix 
that.
    We have a bunch of enhanced penalties that we could add 
once people go after critical infrastructure.
    I am hoping that is something that we can move quickly, 
unless there is some, like, botnet caucus out there that I 
haven't heard about.
    These are things that the Department of Justice has long 
asked for and it would provide some additional backstopping for 
all of you, because there is nothing like people going to jail 
to help knock behavior down.
    Thank you, Chairman, for drawing our attention to this.
    Thank you to the Ranking Member for making this a good 
bipartisan hearing, and I look forward to working with you all 
on this subject. Terrific witnesses.
    Senator Carper. Thank you, Senator Whitehouse. You spent a 
lot of time on this, and we appreciate it very much.
    Mr. Pratt, I think you shared with us eight or nine 
recommendations from the APWA. Did you do that in your 
testimony?
    Mr. Pratt. We will be providing those in writing. Are you 
saying you would like to hear them again?
    Senator Carper. No, no. You already went through them.
    Let me just ask of our other witnesses, I think that may be 
the first time I have heard those, are you all familiar with 
what he shared with us, the eight, I think there are eight APWA 
recommendations that were part of your testimony? I'm just 
asking if you are familiar with those recommendations.
    Maybe it is something you are familiar with, maybe not.
    Anybody?
    Ms. Oberton, is this something that has come to your 
attention?
    Ms. Oberton. No, not to my attention.
    Senator Carper. OK.
    Mr. Sullivan.
    Mr. Sullivan. I heard them, and I would like to add that 
there needs to be funding for the smaller systems. There is too 
much pressure between our problems with PFAS, with 
affordability issues, and the intensity of existing 
regulations. People can say they have a problem with their 
cyber. They need a way to fix them. The smaller ones have the 
biggest problems.
    Senator Carper. All right, thank you.
    Secretary Bhatt, is this something you have heard of?
    Mr. Bhatt. Yes. Obviously, from an APWA perspective, it is 
not a direct analog for transportation, but many of the same 
principles on the SCADA devices, when he was talking about the 
bring your own device, this is an issue that affects all of 
these industries.
    So as I was listening, I was thinking, there are a lot of 
items that we could also support from that as well for 
transportation.
    Senator Carper. Mr. Pratt, would you just walk through 
those recommendations, and I thought that they are very good.
    Mr. Pratt. I am happy to go through them one more time, 
just to note that our association president and our government 
affairs staff are here and have traded cards with each of the 
organizations that these folks represent. We totally understand 
that we want to be singing from the same hymnal.
    So, the first was to have the Federal Government sharing 
threat information and providing interagency technical support 
to local governments to enhance cybersecurity, perhaps by 
establishing voluntary national cybersecurity guidelines. That 
would help us with that certification and including public 
works folks and all these organizations and crafting those to 
supplement that WaterISAC.
    The second one was to standardize and utilize important 
tools to protect these critical assets, so we use that 
CyberLens to maybe get a little more consolidation in that 
SCADA industry. Third was comprehensive cybersecurity training 
for me and my peers. I believe this is essential, because 
again, this has been said. This is not a thing that no matter 
how good we are at our technical jobs, at physical 
infrastructure, this is just as new to us as any of you here. 
We all are trying to hire young staffers.
    Fourth, please continue to fully fund FEMA's Emergency 
Management Performance Grant Program. Fifth, let's continue to 
support asset management. So, that really is something that can 
be done with revolving loan funds. We want to deliver that best 
taxpayer value when we do make infrastructure investments, and 
we want to absolutely make sure that, my seventh one was 
related to that, that cybersecurity is fundable in any program 
that flows through this wonderful Committee.
    The sixth one was talking about that specifically, I guess, 
so I had those back to back. I am sorry. My seventh one was 
more related to taxpayer value. APWA does support lifting the 
cap on private activity bonds for water infrastructure and 
restoring the advanced refunding of tax exempt municipal bonds.
    Again, that will help give us a little bit better interest 
rates and provide a little more space for that cybersecurity 
piece of things. Whether that should be 2 percent or 1 percent, 
I am not an expert, but it needs to be something percent, 
right, when we invest in intelligence systems.
    My last one was just that we hope Congress continues to 
ensure State and local control regarding public works projects, 
because locals are experts on their community needs. I am very 
sympathetic to Senator Whitehouse's point of perhaps a little 
bit better checking on how we are doing with cybersecurity, and 
do we know what we are supposed to be doing. I appreciate the 
opportunity to restate that.
    Senator Carper. That was worth hearing again, and thank you 
for sharing it with us.
    Anybody want to react here, any of the other three 
witnesses want to react to anything that he has mentioned in 
those nine recommendations, please?
    Secretary Bhatt.
    Mr. Bhatt. Yes, in hearing them again, I think the one 
thing that jumped out at me that I think is shared from 
infrastructure from an infrastructure owner-operator 
perspective, as many of the transportation agencies are, was 
the comprehensive cyber training. We talk a lot about work 
force in transportation and making sure that we are training 
people to create a culture of cybersecurity within State DOTs 
and other transportation agencies.
    I think that is something that would be valuable to share 
across all organizations, because we are already tasking them 
to be responsible for whatever their core mission is. You can't 
just then say, in addition to that, also be mindful of 
cybersecurity. You have got to train that; you have got to 
create that culture, and so I think that was something that 
really resonated, as well.
    Senator Carper. Thank you.
    Any other reactions?
    Ms. Oberton, and then Mr. Sullivan.
    Ms. Oberton. In saying that, I would also just say that 
remember that rural water, these smaller communities, most 
don't have the opportunity to get the information.
    So making sure that we hit these small mom and pop 
communities, like the trailer parks and things, making sure 
that even though we say funding and low interest rates, they 
may not be able to afford that.
    So cybersecurity and training and everything that is 
necessary should be affordable to them, if not at a free cost, 
as our Delaware Rural Water, Maryland Rural Water, and National 
Rural Waters provide that training.
    Senator Carper. Good. Thank you.
    Mr. Sullivan, any thoughts?
    Mr. Sullivan. Yes. There are some excellent sources out 
there. SISA puts out unbelievable stuff. Yesterday, we were 
alerted that they put another item up on the Website about 
industrial control systems. The problem is people don't have 
time to go to all these sources and collect them all and see if 
it pertains to their particular system, which is the reason 
that I have been emphasizing the WaterISAC can collect all 
this. It partners with everybody: EPA, SISA, all Federal 
Government, all the associations.
    We can consolidate, and we can get it to the smaller 
systems, telling them what is important for them, because it is 
important that we weed out some of this extraneous stuff. There 
is so much information out there that our analyst could take a 
look at it, bring it down, and get it to them. We would just 
need funding so that we can get to these particular systems, 
because they can't afford to join the WaterISAC.
    Senator Carper. Thank you.
    We have been joined by Senator Padilla. He hails from a 
State, a big State where I used to live when I was in the Navy, 
and we are honored that he joined us in the Senate and on this 
Committee.
    Senator Padilla, you are right on time. Go ahead.
    Senator Padilla. Thank you, Mr. Chairman. I appreciate the 
discussion.
    I am going to continue in a minute, here, on the cyber 
theme that we are discussing right now, but just a little bit 
of a preface.
    As the former Secretary of State from California, I am all 
too familiar with the risks posed by cyber attacks and the 
importance of security and modernization of our critical 
infrastructure, whether it is voting systems or water systems, 
transportation systems, et cetera.
    Unfortunately, we are getting constant reminders of not 
just the importance, but the urgency with which we need to act.
    Just last month, a hacker accessed a computer system of a 
water treatment plant in California and deleted several 
programs that are designed and put in place to treat drinking 
water.
    Thankfully, the hack did not result in any harm to the 
public, but again, the most recent reminder of the importance 
and the urgency with which we need to act.
    SolarWinds was not that long ago, the Colonial Pipeline, on 
and on and on. We have begun the discussion, but if I can ask 
just Mr. Sullivan maybe, for a few more thoughts on what role 
should municipalities play in preparing their employees for 
this now constant stream of phishing e-mails and now texts, 
phishing text messages, other efforts to undermine security 
systems that are in place and what else the Federal Government 
can do.
    I heard you reference SISA. If there is anything else that 
they are not doing that you think they could or should be doing 
to add value for State and local governments or system 
operators, that would be helpful.
    Mr. Sullivan. I think the most important thing is that they 
have to play a role in testing with their own employees, what 
happens if we were attacked, if this is shut down. Who do you 
contact, how do you contact them.
    One of the things that goes on at our facility now is that 
randomly, each week, 20 employees get phishing e-mails from the 
IT department, and we test to see who hits them. Invariably, 
somebody opens up an e-mail, and they do very well at massaging 
them, making them look real. Some of them look like they are 
bank accounts, some of them look like you just won a prize, 
some of them, and yet people still fall for it.
    So, one of the things that has to be done is the culture 
that cyber is very important, and you can bring down an entire 
city if you are not careful.
    We also now limit what people can do at their computers. We 
used to be wide open. People would bring in their own USBs, 
hook them in, download. You can't do that anymore. We totally 
shut that off. We do not allow people to use their own private 
phones in order to access anything, which we used to before.
    That is shut down. You have got to use a commission; it has 
got double authentication on it. So we have really tightened it 
up.
    Senator Padilla. Even some of those latter dynamics, 
complicated by the COVID pandemic, with more remote working, 
for example, so whether it is a personal device versus an 
official device, how you are accessing private networks, et 
cetera.
    Cyber hygiene, constant training of employees, these 
tabletop exercises led by DHS in the election space, we found 
tremendously helpful and important.
    Like you are saying, running through simulation exercises, 
what if, what if, what if, so that staff, top to bottom is best 
prepared in the event of a threat or the event of an actual 
incident.
    I don't mean to cut you off, but I want to make sure to, in 
my limited time, raise a specific question as it pertains to 
some of the smaller and rural systems, particularly in the 
water in different parts of the country.
    Organizations like the Rural Community Assistance 
Corporation, which is a non-profit organization based in West 
Sacramento, provides training and technical assistance to 
Tribal and rural communities across California and in 13 other 
Western States. Small and rural water systems face particular 
challenges in operating water systems, since income from a 
small population of ratepayers may not be enough to cover the 
actual providing the water service itself, let alone a robust 
cybersecurity infrastructure.
    So, these challenges are obviously compounded by the 
drastic reduction in Federal funding in water infrastructure 
over the course of several years.
    Ms. Oberton, how can Congress ensure small and rural water 
systems are not left behind, and that under-served communities 
served by these systems are also protected from cyber threats?
    Ms. Oberton. I think by making sure that the information is 
out there. Again, I speak to the small, small rural areas like 
we live in. If we know it is there and the training is 
available and easily funded, then it won't be such a burden for 
our rural community.
    Sometimes, we have people that have a trailer park, like I 
spoke earlier. You have a community of 25 or 30 people, but 
they don't get the information like we get it.
    So it is very important that however we get it out there, 
those communities and our small communities are recognized. We 
do that through our Rural Water Associations.
    Senator Padilla. Mr. Chairman, I know my time has expired. 
If I could just squeeze in one more question about 
transportation.
    Senator Carper. No, I can't. I am sorry. I skipped over 
Senator Boozman, and I will come back to you soon, but he needs 
to be someplace else, so if you will just let.
    Senator Boozman. Mr. Chairman, it is OK; go ahead.
    Senator Carper. Are you sure?
    All right, go ahead. Just briefly please, thank you.
    Senator Padilla. I just want to recognize that continued 
research development and deployment of smart infrastructure and 
automated vehicle technologies has the potential to save lives, 
to reduce congestion and emissions, and improve equity and 
economic growth.
    When I was in the State Senate in California, I authored 
the law to provide for the safe operation of autonomous 
vehicles in California, but we have also seen an increase in 
connected transportation system raise new challenges, like 
cyber threats.
    As with other sectors, we must ensure that transportation 
agencies are equipped to handle these threats and prevent 
disruptions to critical infrastructure.
    Mr. Bhatt, given your experience as a State and Federal 
official, what resources do transportation agencies uniquely 
need to protect infrastructure from these threats and to 
promote a safer, cleaner, more efficient transportation system?
    Mr. Bhatt. Thank you, Senator Padilla. In fact, all of your 
words are consistent with the mission of our organization at 
ITS America, and in fact, the California Department of 
Transportation, CalSTA is a member. David Kim, Secretary Kim, 
sits on our board of directors.
    I think what is really important in terms of what is needed 
is just getting all of the States, all of the agencies up to 
the standards so that everybody is on a level playing field, 
because you can't have a vehicle, whether it is driven by a 
human or in the future, autonomous vehicles, drive from 
California to New York and go through 20 different 
jurisdictions and have 20 different protocols. So I think that 
what would be great from a Federal perspective is the funding.
    I have had lots of conversations with USDOT. I think they 
get the severity. The President had an executive order on 
cybersecurity. Committees like EPW are showing the importance 
of cybersecurity in infrastructure.
    I think there is the opportunity for leadership, and then 
providing the funding because State DOTs have so many other 
things that they have to do that you can't make cybersecurity 
one of the things that they have to pick between. You have got 
to provide the funding, and I really appreciate the efforts of 
this Committee to make that funding eligible.
    Senator Carper. Thank you, Senator Padilla.
    Senator Boozman, please excuse me for skipping over you. 
You are very kind. Thank you for being so gracious.
    Senator Boozman. Thank you. Oh, no, Mr. Chairman. I 
apologize for being late.
    Senator Carper. You are recognized for the next 30 minutes.
    [Laughter.]
    Senator Boozman. I apologize for being late and having to 
sneak out. There are about six hearings going on all at the 
same time right now, but thank you, Mr. Chairman, for having 
this really important, timely hearing.
    Senator Carper. I wish I could say it was my idea. It was 
actually Senator Capito's idea, so we are happy you are here.
    Senator Boozman. Well, it is a joint venture, as always.
    Mr. Sullivan, in your testimony, you stated that larger 
utilities with more resources have fewer challenges to 
implement cybersecurity practices, while many smaller utilities 
lack funding and expertise. In your opinion, is this an issue 
of a lack of resources and tools for small and medium systems, 
or is it a lack of awareness of the tools already available?
    Are there any recommendations to help promote available 
tools among the smaller providers who often have fewer 
resources, dollars, and people than the larger entities, or do 
we need to actually do something in addition?
    Mr. Sullivan. I think the biggest problem is the lack of 
awareness. I am not sure if the smaller systems; if they have a 
system that is running and working, and they hear someone else 
gets attacked, and they just say, who is going to attack me, 
but they don't know their vulnerability. They don't really know 
how it could be. So, lack of awareness is, I think, the biggest 
problem.
    Then, once they are aware of it, they need to be able to 
take a look at it, and say, what would it take for me to do it? 
It may be inexpensive, a couple of minor adjustments could be 
OK, but in many cases, I think people are dealing with legacy 
systems. They put them in, they work fine, there haven't been 
any patches to the industrial control systems. The devices have 
been sitting there. No one has looked at them for security 
purposes, and that is where the real problem lies, and I think 
we need to educate them, make them aware, and then, in some 
cases, get them funding to replace them.
    Senator Boozman. Very good.
    Mr. Pratt, how do you balance cybersecurity with 
functionality? What types of water resources infrastructure 
should be prioritized?
    Mr. Pratt. When I go through the pecking order, I think of, 
as far as the prioritization goes, I think of large holding 
ponds of contaminated water are probably a very high priority. 
Drinking water systems, sewage systems, and drainage and flood 
control are certainly important. That is the core of my 
operation.
    But the ability for that to cause harm to a wide range of 
people is somewhat limited because generally, the hazards are 
as related to weather as anything else.
    As to how to balance those, what I talk to my team about, I 
have about 725 miles of infrastructure, three dams, a whole 
bunch of other odds and ends that go along with that. I have a 
team of about a dozen people that work on that.
    What I talk to people about every day is, you need to 
decide what you are not going to do today because we don't have 
the bandwidth.
    Many of these small operations, that 89 percent that is 
very small utilities, you might have a single operator with a 
license who is the licensed operator for three of those 
facilities. That person is not there every day, and that person 
is relying even more when they have the opportunity on the 
remote side of things.
    As Mr. Sullivan said, being able to thin out, weed out, and 
provide a direct push of information to folks about stuff in 
their particular situation, that would be the most important to 
deal with cybersecurity is the most important thing I think, 
because it is really difficult to balance that. The pressures 
of day to day operations are difficult.
    I think the last thing I would say is regarding upping 
everybody's game. We have all mentioned the tens of thousands 
of agencies there, and you know, in cybersecurity, you don't 
have to be faster than the bear, you just got to be faster than 
everybody else.
    There are a lot of weak links, is the problem, and those 
links can be connected, and they all affect people, even if 
only one of 56,000 or 70,000 agencies, however many we want to 
say there are, public and private, just one of those, that can 
cause a real stir publicly that creates pressure, so there is 
the stick approach, but there is also the carrots.
    Asset management is an excellent way to ensure that local 
units of government who have pressure to not raise rates are 
looking to do regular investing and having a long range plan 
and having--what Canada does is, our friends at the Canadian 
public works, they gave out $180 billion to municipalities.
    They announced it in 2016, and these folks require you to 
be eligible for a grant to, No. 1, you have got to show how you 
are going to take care of the new stuff or the old stuff you 
are fixing. You have to stick to that plan, or you have to give 
that grant money back.
    My last point would be forgiveness for cybersecurity would 
be a wonderful thing to weave into all of the programs. Let's 
put a carrot out there, along with whatever sticks you folks 
think is necessary. I appreciate the question, sir.
    Senator Boozman. Thank you, and thanks to the panelists, 
and thank you, Mr. Chairman.
    Senator Carper. Thank you again for your patience and for 
being so gracious.
    Senator Cardin.
    Senator Cardin. Thank you, Mr. Chairman.
    Let me thank all four of our witnesses.
    I am very proud of the work of our Committee in providing 
the resources, and I appreciate the acknowledgements today, to 
allow our public works to have the capacity to respond to 
current challenges. We very much appreciate your testimony. We 
appreciate this hearing on cybersecurity challenges.
    I really want to, first, welcome Ms. Oberton to our 
Committee. Thank you for your service in Delmar, particularly 
on the Maryland side of that particular community.
    [Laughter.]
    Senator Cardin. I have a running battle with the Chairman. 
I really think that we should be calling it Mardel, but he will 
not allow us to change the name of the city.
    Thank you for being here.
    Ms. Oberton. Thank you for having me.
    Senator Cardin. I want to just talk a little bit about the 
challenges that we have in our rural communities in public 
works. You have mentioned some, but the rate base is 
challenging for people to be able to afford their water.
    You have a broadband access issue in rural communities.
    You have a climate change challenge that you are now trying 
to deal with, so as we talk about being able to deal with the 
challenges of cybersecurity or the challenges of these other 
issues, let's talk a little bit about the local capacity and 
how much it is important for partnerships with the State and 
Federal Government.
    Ms. Oberton. I think that we do very well with having those 
partnerships. I think that it would be more necessary for 
yourself and the Chairman and people to come down and see.
    I think what happens is, when we look at the larger 
positions, people don't see what is going on in our small 
towns, and to know and to walk through and get the feel of what 
we actually go through on a day to day basis.
    We, in small areas, you don't have enough employees to 
cover some of the day to day things that need to get done. We 
have to prioritize, and some things that need to get done get 
pushed back on the back burner, maybe because of funding, 
because we just don't have it.
    So I think that when you look at the local government, the 
State government, and the Federal Government, you need to come 
down off that chair and come see what is really going on in our 
areas and sit down and have conversations and know what the 
specific needs are, because each utility is different. Each 
utility is not the same. We don't offer the same, we don't do 
the same things. I think that is very important.
    Senator Cardin. I have visited the facilities in our rural 
areas, as well as the urban centers.
    As I look at current challenges, climate change has really 
presented a challenge for our water infrastructure. We have 
invested billions and billions of dollars to deal with the 
impact of climate change, whether it is storm runoff issues, 
erosion issues, pollution issues.
    In rural communities, the problems might be big, but your 
rate base, your rate group, is small. So, these issues become 
magnified in communities that don't have the same fiscal 
capacity as our larger jurisdictions have.
    Could you just share with us how you go about dealing with 
those types of challenges that are becoming more pronounced as 
we are dealing with the realities?
    Ms. Oberton. Well, we are grateful for the funding that you 
guys provide for us, and so we make it a priority to figure out 
what needs to happen first.
    Our I&I is first on the list because it is causing problems 
not only with our water, but also with the sewer, and that is 
where a lot of our money goes in.
    Trying to keep our rates down so our residents can be 
comfortable is a challenge, but when you have old terracotta 
pipes, you have to fix them, or you going to continue to have 
issues.
    I think funding is very important, and we are grateful for 
the funding that you guys have given us. It is absolutely 
necessary for small town communities like ourselves.
    Senator Cardin. Again, I want to thank all of our 
witnesses, and I can tell you, this Committee is very mindful 
of your challenges. We work together in a very strong 
bipartisan way, and we are going to continue to do that.
    Senator Carper. Thanks for joining us, Senator Cardin.
    We have been joined by Senator Markey.
    Senator Markey, I don't know if you know John Sullivan. 
There are several John Sullivans in Massachusetts, but this is 
an extraordinary person, and his years of service rival our 
own. That is saying a lot.
    Senator Markey. Thank you, Mr. Chairman. I will tell you 
something about the Sullivans. My mother is a Sullivan.
    Senator Carper. No.
    Senator Markey. Oh, yes. My mother always would say, the 
Sullivans are a superior, superior group of people, so Mr. 
Sullivan just reflects this whole tradition of superior 
Sullivans.
    She had an Uncle John Sullivan, and we may be related, 
although John Sullivan is not the most uncommon name in Boston, 
I would say. There are a lot of Jack Sullivans and Jake 
Sullivans and J.J. Sullivans, to distinguish all of themselves, 
but this Sullivan, just from his testimony thus far, is clearly 
superior.
    Senator Carper. He is good. He is first rate.
    Senator Markey. On the other hand, my mother was afraid 
that that had been watered down by the other side of the 
family, and she used to say that Eddie, your father and I, we 
are going to donate your brain to Harvard Medical School as a 
completely unused human organ. You are part Sullivan. Learn how 
to work smarter, not harder.
    So, Mr. Sullivan, and we might need a translator, so other 
people can understand what we are saying to each other, is it a 
matter of money? Do you just need money to be able to invest in 
the technologies which are needed to protect against cyber 
attacks?
    Mr. Sullivan. Well, Senator, there is money needed. 
However, the larger cities are able to, because of their work 
force and because of their rate base, they are able to take 
care of most of the issues that are facing them.
    What they need is more information, timely information. 
They need to know about the innovations others are using so 
that they can implement them, and also the larger, greater than 
100,000 cities.
    When you get down smaller, there are so many competing 
interests on the smaller groups, including the affordability 
issue that is on their rate base, that they have got to look 
at, is climate change more important now? Is it the flooding 
that is occurring, what about a wildfire? Where do I put my 
resources?
    Senator Markey. Can I ask a question? In this modern era, 
is it just part of the cost of doing business? In other words, 
there is Dickensian quality to the Internet. It is the best of 
technologies, and the worst of technologies, simultaneously.
    The best of technologies can like, make so much money that 
we have a race to go to outer space, amongst all the people who 
made a lot of money, but then you leave behind these unattended 
to problems, which also exist, which is the vulnerability of 
every device which we use and all these utilities.
    Do you think that our consciousness in the country has to 
just switch to the fact where, you get the benefits of it, on 
the one hand, as a municipality, but at the same time, you have 
to just up what you are willing to pay in order to protect 
against the sinister side of cyber space, or should the Federal 
Government be providing the funding, or State governments, to 
smaller communities, especially?
    Mr. Sullivan. I think we may be in a catch up mode because 
we all went to this great technology. It was wonderful in the 
1990s, and we could actually do more with less, because we 
could use technology. But no one worried about, is someone bad 
out there going to take me down with this?
    So, now we are in the point, yes, someone is going to take 
you down, and the catch up to the bigger cities, like I 
mentioned, have been taking care of their problems. The little 
ones are just stymied.
    First, they don't even know what the problems are, so we 
have got to get more resources to them and let them understand 
what is wrong, and some of them may need additional funds.
    I can't speak for every utility and how they would get it 
or what their infrastructure needs are, or the sewer overflow.
    Senator Markey. So, you are just saying, we have to provide 
the resources to those smaller communities?
    Mr. Sullivan. Yes.
    Senator Markey. And maybe ensure, on a regional basis, that 
this is an ongoing, educational process for those communities, 
so they are brought up to speed, and know that this risk is 
real, because we are deep into it now. All around the world, 
they can see what they can do to the Quabbin Reservoir, to 
other facilities, so thank you for that.
    Mr. Bhatt, I have a piece of legislation: The Security and 
Privacy In Your Car Act, or the SPICar Act. I have introduced 
that with Senator Blumenthal, and the Chairman has been good 
enough to include it in the surface transportation bill 
approved by this Committee. What that legislation does is it 
instructs the Federal Highway Administration to create a 
cybersecurity tool and appoint a cyber coordinator that will 
help transportation authorities identify, detect, protect 
against, and respond to, and recover from cyber incidents.
    Do you support that legislation moving forward and passing 
this year so that the Federal Highway Administration has that 
instruction and those tools to begin to implement?
    Mr. Bhatt. Yes, Senator Markey. I know you have been very 
passionate on this issue, and to me, I think the whole tone and 
tenor of this hearing is about the need for Federal leadership 
in cybersecurity.
    So, to the extent that Federal Highways has more resources, 
the only caveat I would say is just making sure that whatever 
USDOT or Federal Highways is doing is tied in with DHS to make 
sure that they are all working in coordination.
    Senator Markey. Thank you. I was the Chair of the Energy 
and Environment Subcommittee in the House back in 2009, 2010. 
The FBI, CIA, they all came to me. They said, we have a great 
vulnerability in our utility sector. We can be attacked at any 
time.
    So I worked with Congressman Upton. We got the bill passed 
and on the floor to mandate that utilities had to update. 
Mandates, OK, and we could give them some assistance.
    What happened here, over in the Senate, a single Senator, 
actually from Arizona, just put a hold on that bill and killed 
it. That was, now, 11 years ago. Otherwise, we would have 
already had a mandate out there that utilities would have to do 
something about this.
    My own belief is that it is not a new issue. The CIA and 
FBI wouldn't have been coming to me in 2009 if it was a new 
issue. They said their hair was on fire 12 years ago, OK?
    So, it is an issue that just hasn't had the funding or 
attention paid to it, and actually, I started with just looking 
at the utilities. They just don't like the cost of doing it.
    It is not like it is some mystery that they are the only 
ones who don't read the front page and say, these facilities 
are vulnerable, China or Iran or North Korea are attacking 
them. It is all out there in the public domain.
    So I just think it becomes kind of the job of the 
government to say, you have to do it. We will help to fund it 
for you, but otherwise, we are going to have a catastrophe.
    I am so glad that we are having this hearing, and I thank 
you, Mr. Chairman, for including in the surface transportation 
bill my SPICar legislation. I hope we can get that deal out on 
the floor in the next week or so, because I think those tools 
are going to help, especially in the automotive sector, where 
these things are just computers on wheels, and the Internet is 
now in the red light. It is in all the traffic control systems.
    There are so many pathways in now, to kind of disrupt our 
way of life, and as people drive these autonomous vehicles, 
just some kid sitting on his bed wants to just start playing 
games, he won't have to be on an overpass anymore, throwing a 
rock at a car. You just do it from sitting in a car, sitting in 
his living room, and create a disaster.
    So I thank you, Mr. Chairman, for your help in including 
that legislation.
    Thank you.
    Senator Carper. I am happy to do it. Thank you.
    SPICar, I like that. SPICar.
    I have some questions I want to ask now, and I think 
Senator Capito may have an additional question or two, and then 
I think we are going to wrap at that point in time.
    Coming back to Secretary Bhatt, a question with respect to 
interoperability and cybersecurity. As I am sure you are aware 
from your experience both at the State level in Colorado and 
Delaware and at the Federal level of transportation, when 
looking to address a national problem, there is no one size 
fits all solution.
    In your testimony, you state that a national strategy that 
extends to State and local transportation agencies will be the 
key to helping address some, not all, but some of these 
vulnerabilities.
    My question would be, given that every State and local 
agency is not on the same level of technical expertise, as we 
have been reminded here today, as well as the financial 
capability, how do you suggest that we get just about everybody 
to agree to a baseline that will not prevent an inoperability 
between systems already in place?
    Mr. Bhatt. Thank you, Senator, and again, I really 
appreciate the Committee's focus on this issue.
    I think that there are efforts underway in this space. We 
have talked about USDOT and their focus, AASHTO has a committee 
on transportation system security and resilience and also 
transportation system operations that is trying to bring 
everybody up to a baseline. From a Federal perspective, based 
on my experience, the way I would approach this would be to 
say, let's make the funding 100 percent eligible from a Federal 
perspective, as we do for many of the safety programs.
    Then the playbook that I would recommend is the NIST 
Framework for all of the stakeholders. Their framework for 
cybersecurity talks about identifying the threats to your 
system, protecting against those vulnerabilities, detecting 
attacks on your system, responding to them, and then 
recovering.
    We have heard, even, on the water side how folks have been 
able to respond quickly if they have got the proper backups, if 
they have got segmentation of their systems.
    So I think the simple answer is to have all of these 
agencies by a date come back and say, yes, we have adopted the 
NIST Framework.
    You have to walk before you run, and that would get 
everybody walking, and then we can kind of have a level playing 
field.
    Senator Carper. All right. Good, thank you.
    Mr. Sullivan, a question for you, if I could. If the 
Federal Government provided funding assistance to support the 
Water Information Sharing and Analysis Center's operations, 
WaterISAC, what expanded services would the center be able to 
offer?
    Mr. Sullivan. Well, we would work with our partner 
agencies, the EPA, et cetera, to identify all the agencies that 
needed us, all the water utilities, et cetera. We already work 
with them and the partners with SISA, et cetera. We would take 
that information they have and boil it down so it is 
understandable to our audience.
    They put out a ton of information all over the place, a 
plethora of information on IT. We would take it and make it so 
that people would understand how it impacts their system.
    With that knowledge, we would do additional training. We 
would have the training that is available already through 
either national associations that we could publicize that to 
them, because not every operator knows all of this is out 
there, so we would centralize it, put it to them through daily 
alerts, weekly alerts, monthly.
    In addition, we have a huge library of all types of 
information, including chemical analysis, and what do you do 
when. We would be able to direct resources when there was a 
response that could call the ISAC, and we could put them in 
touch with subject matter experts.
    Senator Carper. All right, thank you.
    A question, if I could, for all of you, all of our 
witnesses, dealing with cross-modal integration. As we have 
seen and heard in this hearing today, cybersecurity is not an 
issue that exists in one, singular place or in one specific 
mode of transportation. How do we ensure that, as we look to 
address these ever growing vulnerabilities, we do so in a way 
that addresses all modes of infrastructure, including 
transportation?
    Secretary Bhatt, would you go first on this one, and then 
we will ask the others to comment, if they wish?
    Mr. Bhatt. Yes. I think that that is part of the challenge 
in transportation and for all of these different agencies is, 
we have historically been very silent.
    So, our buses are part of our transit systems. Our trains 
are part of our rail system. Our highways operate 
independently, and the problem is, as you get into this IOT 
environment, the cameras that are providing feeds into a 
transportation management center are also receiving signals 
from buses that are relying on traffic signals, to move to 
optimize that bus route. You have got micromobility coming in, 
scooters and automated vehicles.
    So it is incredibly important that, and again, this is part 
of the discussion we have had with USDOT is, how do you bring 
in all of these disparate modes.
    The ITS Joint Program Office is providing a lot of 
leadership in this space, but it is critical that we do not 
view this as mode by mode, but as a system of systems, and I 
think that that is really critically important to these 
efforts.
    Senator Carper. All right, thank you.
    Any of our other witnesses want to comment on this 
question? You don't have to, but if you would like to, go 
ahead.
    Mr. Pratt.
    Mr. Pratt. I just have a comment to just make an analogy, 
just kind of looking around at maybe our average age profile. I 
remember when it you wondered if the printer was going to print 
the thing. When they first had printers, and the software 
didn't talk to each other, and everything was all goofed up.
    So I just kind of want to bring that down to the more 
simple analogy of, eventually, that got figured out, and now my 
computer is going to automatically find the nearby printer, let 
me know which ones.
    It is getting those sort of protocols and standardization 
where, even if we have got a ramshackle set of connections of 
five different pieces of software, their ability to connect 
securely to each other quickly without the users having to be 
some sort of brilliant IT scientist. That is the direction, and 
that is where we need to head.
    I believe, like the transportation systems in my 
neighborhood is the American Center for Mobility. One of their 
primary missions, it is a Federal testing center to attempt to 
provide more and more standardization.
    IT is, the fellows there and the ladies there have like, 
well, geez, the headlight thing is in a different place on 
every car. Good luck with getting all the computer stuff to 
work out.
    Just a more plain spoken way of trying to say for all of 
us, just back in the day of printers. We need to get in that 
direction where the software is going to figure it out, but we 
are also secure. I think that second part is a lot trickier 
than it was in the day of printers.
    Senator Carper. Anyone else before I yield to Senator 
Capito?
    Mr. Sullivan. One real comment would be, the water systems 
are all independent. We all use the same equipment; we all do 
the same type of work, and similar, but we don't interconnect 
like your electrics, like your communications, like your 
transportation systems across the board. We deal in a turf and 
a territory individually.
    But we need standards so that we all know how we all should 
be taking care of our same types of equipment. We don't 
necessarily have those exacting standards. The bigger companies 
do; the bigger cities do, but the smaller ones, they don't know 
what the standards are.
    Senator Carper. All right.
    Senator Capito, go right ahead, and then I am going to ask 
one or two more questions, and we will be done.
    Senator Capito. Yes, thank you.
    Thank you all very much. I think this has been a great 
hearing and eye opening in some ways, because of the 
challenges, but also some of the gaps.
    We know this is an issue that is going to grow. It is not 
like it is going to shrink and go away. We know it is going to 
grow, so I thank you for being in the arena.
    I did say, I thought, Mr. Pratt, when you went to the 
average age of the folks in the room, one of the concerns that 
I have had and that we have actually in our water bill is the 
next generation work force. For some reason, this career, which 
I think is very obviously, Mr. Sullivan has been in it for a 
very long time, holds a lot of promise to raise your family 
with and to have great expertise and respect, as you all do in 
your community. But for some reason, our younger generation is 
not getting in there. I know in our State of West Virginia, a 
lot of people are aging out. They want to retire, but to find 
replacements has been really, really difficult.
    So I am hoping that by shining a light on how folks have 
managed their systems for so long, because I think Ms. Oberton 
said 70,000 rural water systems, I mean, that is a lot of 
people. That is a lot of jobs.
    I just have one question of Mr. Bhatt. I had to step out a 
bit, so I don't know if this got addressed in any way.
    Obviously, we have got a lot of big Internet companies that 
gather a lot of data. That is a subject for a whole, bigger 
debate. I am not asking you to have that debate. I was just 
wondering if there are any ideas on the table to partner with 
some of these private technology entities to be able to help 
meet the challenges, not just on prevention, but also on 
detection and other areas of cybersecurity. Are you aware of 
any of those?
    Mr. Bhatt. Yes, Senator Capito, and I think one thing on 
the work force piece. I think this is incredibly important, 
because State DOTs, I remember in my time having to struggle to 
compete for mechanics, because we would pay a certain wage, and 
private sector companies would pay more. Well, that problem is 
exacerbated on the technology side, and I think this idea of 
creating these work force cultures is really important, and I 
would look forward to working on that.
    From a large Internet perspective, we have Google and AWS 
that are members of ITS America.
    What used to happen was, sort of like in the printer day, 
you were talking about one device. Now, you introduce the 
cloud, and something that Mr. Pratt said, the more hand offs, 
the more fumbles.
    I think that is critical to working with those partners to 
ensure that as data is going from a vehicle to the 
infrastructure up to the cloud, back, and lots of hand offs, 
working with those technology partners to ensure that all 
levels and layers are secure is really important.
    Senator Capito. All right. Thank you.
    I am going to go vote.
    Senator Carper. Do you want to make any closing statements 
on this hearing?
    Senator Capito. No, I just thank you, Mr. Chairman, and you 
all. I think this has been a really good hearing, and we will 
just have to keep the conversation going.
    Senator Carper. Amen. Thanks again to you and your staff 
for bringing up the idea and for making it real.
    One last question, if I could, for Mr. Pratt. One of the 
things you said was more hand offs, more fumbles. People say to 
me, well, my wife will say to me, what did you learn today at 
this hearing? I got a great line from a guy from Michigan.
    Mr. Pratt. Actually, the term would be knock ons, but since 
nobody else here probably plays rugby, I just went with the old 
football thing. Thank you, sir.
    Senator Carper. Mr. Pratt, it is clear that the challenges 
on cybersecurity vary from large communities to smaller 
communities.
    As I said earlier, too, I think, to Mr. Sullivan, even 
within community categories, a one size fits all approach may 
not be the best way to effectively manage and to address 
cybersecurity threats.
    My question to you, Mr. Pratt, would be, aside from 
funding, what primary role should the Federal Government play 
in addressing cybersecurity so that the solutions are flexible, 
but also effective?
    Mr. Pratt. You have hit the nail on the head, certainly. 
Flexibility, but we have got a lot of variety and diversity out 
there, so how do we get standardization at the same time as 
flexibility?
    I am going to go with two most important things off of that 
list that we provided. One is that clearing house type of 
concept that Mr. Sullivan has talked about. How can we help 
filter so that rural water really has got something that is 
cleaned up that they can push out to folks, and at the same 
time, agencies that are working more on the large scale have 
messaging that is more tailored to them, and then it is that 
training.
    How do we get the training to acknowledge some of that need 
for standardization and having people recognize that we are in 
the process of moving forward? The thing about working with the 
private sector, I think the companies have quit calling me.
    But the market is so dispersed in the water infrastructure, 
it is a low barrier to entry, to start up, to do electronic 
sensing and controls.
    So I would say my first 5 years in office, I probably got 
two or three calls a week from various different companies 
about hey, would you buy our doohickey to help you do that 
what, measure things, monitor things, control things. So I am 
sure I heard from a good 50, 60 different companies. It is a 
very fractured market, is my point.
    Senator Carper. All right, thank you.
    I am just going to ask, sometimes I do when we have a 
minute or 2 at the end of a hearing, I will ask the panel is 
there one thing that you would like to add or really reiterate? 
Just very briefly, one more thing. You can come back to 
something that you have already said yourself or heard someone 
else say that you think is worth repeating, just something you 
would like to underline, put an exclamation point behind.
    Ms. Oberton, would you do that, please?
    Ms. Oberton. I just think that it is very important that 
the training and the accessibility for the rural areas for the 
cybersecurity be a top priority because we make up the majority 
of the water systems across the country.
    Senator Carper. OK, thank you, ma'am.
    Mr. Sullivan.
    Mr. Sullivan. I know you have heard me say it many times 
that we need to get to the WaterISAC to be the central. I want 
to reiterate that the WaterISAC was formed for physical 
security problems in 2002. We then developed all hazards, and 
now we are working deeper in cyber. So anybody that joins it 
gets not only the cyber issues, but they get all the hazard and 
all the climate change issues and everything else. It is all 
available already, and we have it selected just for the water 
and wastewater systems.
    Senator Carper. Thank you, sir.
    Secretary Bhatt, the last closing thought.
    Mr. Bhatt. I would say that the transportation system in 
the United States was what allowed us to ``win the 20th 
century,'' and there are a lot of negotiations now about a 
generational investment that you all are trying to make.
    I think cybersecurity is an incredibly important part of 
ensuring that this digital confluence of physical 
infrastructure and digital overlay is secure so that we can 
have 21st century infrastructure that helps us win the 21st 
century.
    Senator Carper. Mr. Pratt, one last thing you would like to 
emphasize.
    Mr. Pratt. I am going to echo Mr. Sullivan, that WaterISAC 
is wonderful. It is an association of associations. It does 
connect somewhat at the Federal level, but a little bit more 
input in that direction would really help.
    I say, my county is 370,000, but it is 40 percent rural. I 
can ride a bicycle 15 minutes from where I live in Ann Arbor 
any direction and be in a cornfield, so we have several rural 
operators in our area. I made the note of, I need to reach out 
to all those folks about the WaterISAC, because it has got 
great stuff for them.
    Senator Carper. Thank you all. I presume you all have 
stores called Home Depot not too far from where you live. Their 
ad campaign for years was, you can do it; we can help.
    When I think of responsibilities that we have, the people 
we are privileged to serve and represent across the country, it 
is a shared responsibility. The Federal Government can't do 
everything. It can't be all on the States; it can't be all on 
the local governments or school districts. It can't be all on 
non-profits and so forth.
    But you can do it; we can help.
    When you think about what the Federal Government might be 
doing a little better job at, we might want to put some 
emphasis to be a good partner.
    What comes to mind, just briefly, Mr. Pratt?
    Mr. Pratt. As a Federal Government partner, I am going to 
take a little bit of a different tack and go back to the asset 
management piece of things and start to, you know, it would be 
great to see asset management as a lot more carrot there, and 
having that whole cybersecurity is a part of keeping your stuff 
in good shape.
    Whether you have leaky pipes or bumpy roads or signals that 
aren't optimized, at the end of the day, asset management is a 
mindset that requires quite a bit of training, just like 
cybersecurity, but it is really no different than having that 
maintenance schedule for your car. Everybody does the oil 
changes, but a lot of people say, well, that brake job is a 
lot. How long can I wait?
    But it seems like America's infrastructure has been treated 
like, I am going to buy a car, and I will drive it until the 
brakes fail, and then we will see what happens next.
    That is really the situation we are in. So encouraging that 
asset management mindset and helping us develop work force in 
that area is one of the best things I believe the Federal 
Government could do, and Federal Governments in most of the 
commonwealth countries are a good 5 to 10, 15 years ahead of 
the U.S. in that.
    Senator Carper. All right, thank you. Thank you.
    Secretary Bhatt.
    Mr. Bhatt. I would say that one thing that the Federal 
Government is really good at doing is focusing attention on 
issues and then providing resources.
    So, to me, this hearing, the efforts going on with the 
Administration and other committees, it is an ability to bring 
focus, and then an ability to bring funding.
    I think that making the cybersecurity eligible is a great 
first step. Now we need to identify funds so that these 
organizations that have to make tough choices don't have to 
choose between cybersecurity and potholes and other things, so 
asset management, incredibly important.
    But if you want the cybersecurity, that is what the Federal 
Government can play a critical role in.
    Senator Carper. OK, thank you.
    Mr. Sullivan, how can we better help at the Federal level?
    Mr. Sullivan. I believe all of us have the same goal, and 
that is to improve the lives of the American people. The water 
utilities are there to protect the public health of the 
American people, and we have a responsibility to do what we 
can. We are a little bit behind the eight ball, and right now, 
we need to do catch up.
    So what we need is a little more guidance on the rules, so 
we have a set of rules across the board. Not regulations that 
you must mandate, because they are going to be outdated by the 
time we pass them, because the technology is moving faster than 
we are. What we need is a little more guidance like that, and 
funding where it is needed.
    There is a responsibility at the local level to do what you 
can do, but some people don't have the resources. So we could 
work with the Federal Government and partner with everyone, as 
we should on all things we do.
    Senator Carper. Thank you.
    Ms. Oberton.
    Ms. Oberton. I think the Federal Government could help with 
providing us with more Circuit Riders, that type of assistance 
that can be targeted toward the cybersecurity and focus that 
specifically to each water community for the rural areas.
    Senator Carper. Say that last sentence again.
    Ms. Oberton. Say again?
    Senator Carper. Just repeat your last sentence.
    Ms. Oberton. Having more Circuit Riders come out to train 
us on the cybersecurity and it be specific for our particular 
needs.
    Senator Carper. Thank you. I want to thank you for coming 
today.
    I want to thank your mom for having your back, and Mr. 
Sullivan, Secretary Bhatt, and Mr. Pratt, thank you. Thank you 
all.
    I want to thank Senator Capito again, and her team, for 
working with my team and others to plan for this hearing and to 
hold this hearing.
    I want to thank you for your time and for your testimony 
today.
    I said earlier, cybersecurity is a constantly evolving 
challenge, much like climate change, no silver bullet, no 
single policy or one time solution to address the cyber threats 
to our Nation's critical infrastructure.
    I like to say there is no silver bullet, but a lot of 
silver BBs. Some are bigger than others, but my hope is that 
today's hearing will shed some light on the urgent need to 
protect our physical infrastructure and will help spur further 
action as we consider infrastructure legislation.
    Just a little bit of final housekeeping. I would like to 
ask unanimous consent to submit for the record a number of 
reports and articles relating to today's hearing.
    Hearing no objection, so ordered.

    [The referenced information follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  
    
    
    
    
    Senator Carper. Additionally, Senators will be allowed to 
submit questions for the record through close of business on 
August the 4th. We will compile those questions. We will send 
them out to our witnesses, and we ask our witnesses to reply by 
August 18th, which was my mother's birthday, and her mother's 
birthday. How about that?
    Last thing I would say, my mother was a deeply religious 
woman, and she was always reminding my sister and I to take 
seriously the admonition of Matthew 25, which starts off with, 
when I was thirsty, did you give me to drink?
    When you guys are up at the heavenly gates and trying to 
get in and talking to Saint Peter, and he says, what did you do 
about making sure people had some healthy water to drink and so 
forth, you can say, we did a pretty darned good job, and he 
will let you in.
    Thank you all.
    With that, this hearing is adjourned.
    Thank you.

    [Whereupon, at 11:53 a.m., the hearing was adjourned.]

                                 [all]