The US Environmental Protection Agency (EPA) has withdrawn cybersecurity rules for public water systems due to lawsuits filed by states and non-profit water associations.
The EPA announced in March that it would require states to report on cybersecurity threats in their public water system audits. The agency offered to provide guidance and technical know-how, but did mention any financial assistance.
Soon after the new cybersecurity requirements were announced, the attorney generals of Missouri, Arkansas and Iowa took legal action to challenge the EPA’s memo, arguing that meeting the new requirements would put a significant financial burden on small towns.
The American Water Works Association (AWWA) and the National Rural Water Association (NRWA), non-profit organizations that each have tens of thousands of members, joined the lawsuits, questioning the legality of the requirements. A court ordered the EPA in July to pause the new rules while the case was being tried.
“In addition to concerns about the legal process and legality of the rule, the water associations expressed concerns that the rule would create additional cybersecurity vulnerabilities for utilities, as sanitary surveys required in the rule have public notification requirements. Finally, the rule would have required cybersecurity reviews by state regulatory agencies that lack expertise and resources for cybersecurity oversight,” AWWA and NRWA said in a press release issued last week after the EPA withdrew the rules.
Organizations in the water sector have often been targeted in attacks in recent years, including their operational technology (OT) systems, and AWWA and NRWA say they “recognize that cyber threats in the water sector are real and growing”. On the other hand, they ask for a “collaborative approach to cybersecurity measures in the water sector”.
The US government has been taking steps to improve cybersecurity in the water sector. A bill announced this summer aims to increase cybersecurity funding for rural water systems.
In addition, the cybersecurity agency CISA recently announced offering a free vulnerability scanning service to water utilities to help them protect drinking water and wastewater systems against cyberattacks.