The Environmental Protection Agency (EPA) withdrew its memo this week that required states to include cybersecurity audits of U.S. water utilities through sanitary surveys.
In a letter sent to State Drinking Water Administrators on Wednesday, the EPA said its decision to rescind the cyber regulations for the critical infrastructure sector follows Republican lawmakers and water companies filing a lawsuit against the measure.
The EPA first announced the new guidelines for water companies in March, immediately following the release of the Biden-Harris administration’s National Cybersecurity Strategy. Republican lawmakers and water companies quickly filed a lawsuit against the measure, noting that the EPA’s new requirements would be too costly for suppliers, and that they would pass those costs along to consumers.
“EPA issued a memorandum withdrawing the March 3, 2023 interpretive memorandum, Addressing Public Water System Cybersecurity in Sanitary Surveys or an Alternate Process,” the agency told MeriTalk in an emailed statement. “While the memorandum is being withdrawn due to litigation, improving cybersecurity across the water sector remains one of EPA’s highest priorities.”
However, in July, the U.S. Court of Appeals for the Eighth Circuit stopped the EPA’s interpretation from being in effect during the litigation. The action to rescind the memorandum means that this interpretation is now withdrawn from EPA’s public water system supervision program.
The new rules would have added cybersecurity assessments to annual state-led Sanitary Survey Programs that evaluate water systems across the U.S. A key pillar of the White House’s new cyber strategy was augmenting existing rules to include cybersecurity. The EPA was the first agency to attempt this by adding cybersecurity to the existing sanitary surveys.
The EPA is encouraging all states to voluntarily review public water system cybersecurity programs to ensure that any vulnerabilities are identified and corrected, and assistance is provided to systems that need help. The agency said it will continue to support states, drinking water systems, and wastewater systems by providing technical assistance in the form of cybersecurity risk assessments, subject matter expert consultations, and training.
Most cybersecurity practices can be implemented at minimal cost, the agency noted. When there are costs to doing so, EPA said it supports investments in cybersecurity projects and assists systems as they apply for funding from the Drinking Water State Revolving Fund, Clean Water State Revolving Fund, Infrastructure Resilience and Sustainability Grant, and other state and local sources.
“Cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities,” the agency told MeriTalk. “EPA remains committed to using available tools and resources to help protect communities from the increasing number and severity of cyber-threats facing our nation’s water systems.”
“EPA will continue to work with states, Tribes, and territories to protect the public from the threats created by cybersecurity incidents and support the efforts of water systems to adopt cybersecurity best practices,” it continued, adding, “The Agency will continue to explore opportunities to lower cybersecurity risk for public water systems.”
The President’s National Infrastructure Advisory Council recently made a broad call for the water sector to have its own cabinet-level agency, like the Departments of Energy and Transportation.
Decades of chronic underfunding and underinvestment have impacted the condition, reliability, and resiliency of the nation’s critical water infrastructure, the council said. A Department of Water would be tasked with making appropriate budget requirements and priorities needed to increase the resilience of water from physical and cyber threats.
