EPA Withdraws Cybersecurity Requirements for Water Systems

The Environmental Protection Agency in March ordered states to begin assessing the cybersecurity of their public water systems, part of the Biden Administration's multi-pronged effort to shore up the protections around the country's critical infrastructure operations.

Seven months later, the agency is withdrawing the order in the wake of a legal challenge filed by a handful of states and water associations in federal court.

In a memorandum issued earlier this month, EPA Assistant Administrator Radhika Fox noted that in July a federal appeals court stayed the agency's requirement while the litigation continued. The requirement has now been removed from the agency's program supervising public water systems, and the EPA is urging operators to assess the security of their systems voluntarily.

“EPA continues to believe that adopting cybersecurity best practices at public water systems is essential to providing safe and reliable drinking water,” Fox wrote in the one-page memo. “Cybersecurity attacks on water and wastewater systems occur frequently and are a significant threat to their operations. … EPA will continue to support both states and water and wastewater systems by providing technical assistance in the form of cybersecurity risk assessments, subject matter expert consultations, training, and funding.”

The American Water Works Association (AWWA) and National Rural Water Association (NRWA), which had joined the lawsuit filed by Missouri, Iowa, and Arkansas, applauded the EPA’s decision to rescind the requirement and said they were open to working with the agency to address cybersecurity concerns.


“AWWA is pleased that EPA has decided to withdraw its cybersecurity rule,” AWWA CEO David LaFrance said in a statement. “We also recognize that cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment. Strong oversight of cybersecurity in the water sector remains critical.”

LaFrance said Congress and the EPA should create a “co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA.”

A Focus on Critical Infrastructure

The Biden Administration has made shoring up cybersecurity in 16 critical infrastructure sectors – including communications, chemicals, healthcare, energy, financial services, and IT – a priority, particularly in the wake of ransomware attacks on Colonial Pipeline and JBS Foods in 2021 that threatened the country’s fuel and food supplies.

When issuing the requirement in March that public water systems include cybersecurity in their periodic sanitary surveys, the EPA noted the patchwork nature of the many systems in the United States – a report last year by a Senate committee found there are about 153,000 systems that provide potable drinking water to 80% of Americans – and the fact that many of them increasingly rely on networked electronic tools to operate, tools that are now exposed to cyberattacks.

“Today, [public water systems] are frequent targets of malicious cyber activity, which has the same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack,” Fox wrote at the time.

In 2021, an ex-employee of the Post Rock Rural Water District in Kansas was federally charged with remotely accessing the water system and shutting it down. The same year, someone accessed the water treatment system in Oldsmar, Florida, and tried to poison the supply by raising the sodium hydroxide setpoint to more than 100 times the normal level.

Challenged in Court

However, in challenging the requirement in court, the three states argued that the EPA was overreaching its authority by imposing such requirements on state- or locally run systems, and that the rule was inconsistent with the process Congress had established for addressing cybersecurity concerns at water systems under the Safe Drinking Water Act and the America's Water Infrastructure Act.

The agency “appears to believe that ‘cooperative federalism’ means EPA issues orders and States must fall in line – or else,” the states’ attorneys general argued in their filing. “EPA’s six-page checklist and sixteen new ‘significant deficiencies’ exemplify its unlawful tradition of creating new legal obligations and labeling them guidance. … EPA’s new rule thus intrudes on States’ sovereignty.”

NRWA CEO Matt Holmes commended the EPA’s decision to withdraw the requirement, noting that “we understand this was not taken lightly and involved much debate. Cybersecurity remains an important issue for our sector, and we are eager to collaborate with EPA in the future to address cybersecurity in the water industry.”


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He has written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
