The U.S. Environmental Protection Agency (EPA) has rescinded its plan to improve cybersecurity within the water utilities sector following legal challenges by water associations that described the plan’s measures as costly and flawed.
The cybersecurity rule, introduced in March, was immediately challenged by the American Water Works Association (AWWA) and the National Rural Water Association (NRWA), which joined the states of Missouri, Arkansas and Iowa in asserting that the EPA does not have the authority to force cybersecurity assessment responsibilities onto states and local water suppliers.
A court ordered a stay on the cybersecurity rule in July after three state attorneys general filed a petition to review it. Now, the EPA is urging operators to voluntarily assess the security of their systems.
“EPA encourages all states to voluntarily engage in reviewing public water system cybersecurity programs within the sanitary survey or an alternate process to ensure that deficiencies are corrected, and potential public health impacts are minimized,” states a new EPA memorandum. “EPA will continue to support both states and water and wastewater systems by providing technical assistance in the form of cybersecurity risk assessments, subject matter expert consultations, training, and funding.”
Following the release of surveys and reports that showed many U.S. water utilities have not adopted basic cybersecurity best practices and are at risk, the EPA introduced the concept of states conducting periodic cybersecurity audits of water and wastewater treatment plants.
The EPA rule also came on the heels of several high-profile hacking incidents in recent years.
But a number of water associations said the cybersecurity rule for the sector was rife with issues and lacked funding support for smaller utilities. Some industry leaders had instead been advocating for a regulatory model similar to that of the energy sector, with oversight from EPA.
“AWWA is pleased that EPA has decided to withdraw its cybersecurity rule,” announced AWWA CEO David LaFrance in a statement. “We also recognize that cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment. Strong oversight of cybersecurity in the water sector remains critical. We urge U.S. Congress and EPA to support a co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA.”
The water associations expressed concern that the cybersecurity rule could create new vulnerabilities for the sector, particularly when it comes to facility audits that would have public notification requirements.
Additionally, the water associations stated that the rule would have required cybersecurity reviews by state regulatory agencies that “lack expertise and resources for cybersecurity oversight,” according to a joint statement from the AWWA and NRWA.
“Together AWWA and NRWA represent community water systems of all sizes and have been actively involved in advocating for solutions to address cybersecurity while keeping their members’ perspectives in mind. This is the first time they have partnered together at this scale on national policy,” the statement continues.
The EPA said it would continue to provide new cybersecurity training it had announced with the rule. It created a Cybersecurity Technical Assistance Program for the water sector that allows states and facilities to submit questions or request to consult with a subject matter expert regarding cybersecurity. It also created a water utilities cybersecurity checklist.