Water system audits no longer required to incorporate cybersecurity measures following a legal dispute and subsequent EPA reversal of the rule.
The Environmental Protection Agency (EPA) has voluntarily withdrawn a March 2023 memorandum that required public water systems to include cybersecurity in their periodic system audits. The decision follows a legal challenge from several states and water utility associations, which argued the rule exceeded EPA’s authority and was overly burdensome to smaller systems.
The EPA's memo was one of the earliest sector-specific actions taken by the Biden administration as part of its national cybersecurity strategy. The memo, issued by Assistant Administrator Radhika Fox, imposed new legal obligations on states and utilities of all sizes, with specific reporting and assessment requirements.
However, the EPA has emphasised that its commitment to protecting communities from cyber threats facing water systems remains unwavering. The agency will continue to provide cybersecurity risk assessments, training, and subject matter expert consultations to local utilities.
A senior administration official has reiterated that the Biden administration will use all the tools and resources needed to secure the water sector - and all sectors - ensuring the continuity of services that Americans expect. The focus on securing critical infrastructure, including actions on rail, aviation, and pipelines, is part of an effort to develop a more resilient infrastructure against future malicious threat activity.
The American Water Works Association and the National Rural Water Association were pleased with the decision to withdraw the EPA memo on cybersecurity requirements. They have renewed calls for the EPA to work collaboratively with industry to ensure a balanced approach to cybersecurity protection.
The EPA states that cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities. Despite the withdrawal of the mandate, the agency encourages voluntary cybersecurity audits and will continue to provide technical assistance to water utilities.
The 8th U.S. Circuit Court of Appeals stayed the memorandum after three states challenged the rule in federal court. The Biden administration has been focused on securing critical infrastructure and will continue to take measures to protect water infrastructure. The EPA's statement on the matter was issued via email.
[1] Source: EPA Email Statement on Withdrawal of Cybersecurity Mandate for Public Water Systems. (2023, October). Retrieved from epa.gov.
- The EPA's email statement emphasizes that its commitment to cybersecurity in water systems remains unwavering, despite withdrawing a mandate requiring cybersecurity audits in public water systems.
- The American Water Works Association and the National Rural Water Association have renewed calls for the EPA to work collaboratively with the industry, ensuring a balanced approach to cybersecurity protection.
- The EPA acknowledges that cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities, and encourages voluntary cybersecurity audits while continuing to provide technical assistance to water utilities.