EPA turns off taps on water-utility cyber regulations
The Environmental Protection Agency last week withdrew rules governing cybersecurity standards for the public water sector, after industry groups and Republican lawmakers brought litigation on the issue. But cybersecurity experts warn that public safety and health are at risk without cyber improvements in the sector, as cyberattacks threaten to flow freely.
The now-defanged rules were established in a March 3 interpretive memorandum (PDF), and they would have required water systems to include a cybersecurity evaluation for operational technology (OT) and industrial control systems (ICS) during any sanitary survey.
The Sanitary Survey Program requires periodic, mandated onsite reviews of the water source, facilities, equipment, operation, and maintenance of a system to make sure that it can produce and distribute safe drinking water. The cyber dimension is an augmentation of the existing rule that the EPA added, thus circumventing the usual, politically charged rulemaking process for introducing new regulation.
According to Mike Hamilton, CISO of Critical Insight, the augmentation is “just a requirement to assess each environment and provide those results to the EPA,” adding that the ask is “truly not hard or expensive to meet.” The exercise would allow the federal government to determine the extent to which support (through grants, for example) should be allocated, he says, and “more importantly, the aggregate results would identify areas of systemic vulnerability that could be addressed as a priority.”
However, others in the political and policymaking world disagree on the need for the requirements as they were proposed — specifically three state attorneys general and a pair of industry groups.
EPA Blowback From Industry, Conservatives
The sanitary surveys aren’t going away, but including cybersecurity checks within them is a bridge too far, argued Republican lawmakers, who quickly mounted a multistate legal challenge to the augmentation of the Sanitary Survey Program, arguing that the EPA has no right to simply amend existing rules without a public comment period or legislative approval.
They also argued that the cost of considering cybersecurity as part of sanitary checks would be prohibitive — although estimates as to the cost of the reviews have not been made public.
“Rather than cleaning up our water, the federal government is hurting Iowa’s small towns,” said Iowa Attorney General Brenna Bird, in a statement made in April after joining the litigation. “At a time of soaring inflation, where it’s hard enough to make ends meet, the federal government insists on making Iowans’ water bills more costly. We’re going to hold the Biden Administration accountable and protect Iowans’ pocketbooks.”
The American Water Works Association (AWWA) and the National Rural Water Association (NRWA) meanwhile in July won a petition to the US Court of Appeals for the Eighth Circuit to stop the cybersecurity rules from going into effect until the litigation was complete.
“NRWA commends the court for issuing this stay preventing EPA from enforcing the Cybersecurity Rule until it is determined if it has been lawfully implemented,” said NRWA CEO Matthew Holmes in a statement at the time. “While NRWA fully supports efforts to strengthen cybersecurity in small communities across the country, enforcing this regulation is not the best way to help small and rural systems, and could have costly and unnecessary consequences.”
To read the complete article, visit Dark Reading.
It always blows my mind that these utility entities can have cyber attack issues. One of the best solutions to this is simple but rarely implemented. The First Commandment of Cyber Security for a Utility should be “Thou Shall Never Provide ANY Path Between the Utility Infrastructure and the Internet!”
There are companies selling cyber tools and firewalls all over the place, but none of them is as effective as simply cutting any path from the web to the computer system that runs the utility equipment. While it is still possible to manually attack this infrastructure, with a bad actor and a thumb drive, those kinds of attacks rarely if ever happen. They are far too risky. Cybercriminals thrive on being able to sit at a desk in a far-off land and attack with no possibility of justice.
I am sure some will disagree, but solid cyber security, in the form of an unplugged cable, is a very good start!!!