The Environmental Protection Agency (EPA) has withdrawn its cybersecurity mandates for public water systems following legal challenges. This decision comes after federal judges ordered the EPA to halt its efforts to include cybersecurity in federally mandated safety assessments for water systems.
Description
The Biden administration had issued an interpretive memorandum in March 2023 [3], requiring water systems to conduct cybersecurity assessments as part of routine sanitary surveys and address any vulnerabilities found [3]. However, this initiative faced opposition from several states and industry lobbying groups [5], leading to a lawsuit and a stay on the EPA’s order [5]. As a result of ongoing litigation, the EPA ultimately decided to drop the cybersecurity component of water system safety assessments [5].
Instead [5], the EPA will now encourage states to voluntarily review cybersecurity programs within the existing sanitary survey framework [5]. The Biden administration plans to pursue legislation that explicitly authorizes the EPA to include cybersecurity as an element of water safety [5]. The EPA believes that adopting cybersecurity best practices is crucial for ensuring the safety of drinking water [1]. To support states and water systems [1], the EPA will provide technical assistance, training [1], and funding [1] [4]. The EPA has also considered adding cybersecurity requirements to permits for wastewater utilities [2].
The American Water Works Association (AWWA) and National Rural Water Association (NRWA) support the EPA’s decision and are willing to collaborate with the agency to address cybersecurity concerns [1]. AWWA CEO David LaFrance suggests the development of a co-regulatory model with oversight from the EPA to establish cybersecurity requirements for utilities [1]. The National Association of Clean Water Agencies (NACWA) has expressed concerns about both approaches and will continue to work with the EPA and water sector associations to find practical solutions [2].
The memorandum was criticized for potentially making sensitive security information public [4]. Industry groups supported the EPA’s decision but acknowledged the growing threats against the sector [4]. The memorandum aimed to add cybersecurity assessments to annual state-led Sanitary Survey Programs for water systems [4]. However, the lack of funding for infrastructure upgrades and cybersecurity measures poses a challenge [4]. The EPA suggests that water systems can apply for funding from various sources [4].
Conclusion
Overall, improving water systems’ cybersecurity will be an uphill battle [4], as water issues are typically handled by the states [4]. The withdrawal of the EPA’s cybersecurity mandates has significant implications for the safety and security of public water systems. While the EPA will continue to provide support and resources, the voluntary nature of cybersecurity assessments may hinder progress. Collaboration between industry groups, water associations [1] [2], and the EPA will be crucial in finding practical solutions and establishing effective cybersecurity requirements for utilities. The ongoing threats against the sector highlight the urgent need for comprehensive cybersecurity measures and adequate funding for infrastructure upgrades. Legislation that explicitly authorizes the EPA to include cybersecurity as an element of water safety will be an important step forward in ensuring the protection of drinking water.
References
[1] https://securityboulevard.com/2023/10/epa-withdraws-cybersecurity-requirements-for-water-systems/
[2] https://www.nacwa.org/news-publications/clean-water-current-archives/clean-water-current/2023/10/18/epa-withdraws-drinking-water-cybersecurity-memo
[3] https://www.mondaq.com/unitedstates/environmental-law/1377860/challenges-to-epa39s-water-facility-cybersecurity-mandates-successful
[4] https://www.linkedin.com/pulse/withdrawal-epa-cybersecurity-memorandum-steven-hoch
[5] https://cybermaterial.com/biden-withdraws-water-system-cybersecurity/
