The EPA is withdrawing its plan to require states to assess the cybersecurity and integrity of public water system programs. While the agency says it continues to believe cybersecurity protective measures are essential for the public water industry, the decision was made after GOP-led states sued the agency for proposing the rule.
In a memo that accompanied the new rules in March, the EPA said that cybersecurity attacks on water and wastewater systems “have the potential to disable or contaminate the delivery of drinking water to consumers and other essential facilities like hospitals.” Despite the EPA’s willingness to provide training and technical support to help states and public water system organizations implement cybersecurity surveys, the move garnered opposition from both GOP state attorneys and trade groups.
Republican state attorneys who were against the new proposed policies said that the call for new inspections could overwhelm state regulators. The attorneys general of Arkansas, Iowa and Missouri all sued the EPA, claiming the agency had no authority to set these requirements. This led to the EPA’s proposal being temporarily blocked back in June.
While it’s unclear if any cybersecurity regulations will be put in motion to protect the public moving forward, the EPA said it plans to continue working with the industry to “lower cybersecurity risks to clean and safe water.” It encourages all states to “voluntarily review” the cybersecurity of their water systems, noting that any proactive actions might curb the potential public health impacts if a hack were to take place.
Ever since the highly publicized SolarWinds hack in 2020 that exposed government records and the 2021 Colonial Pipeline ransomware attack that temporarily shut down operations for the oil pipeline system, it’s been abundantly clear that government entities and public agencies are hackable and prime targets for bad actors. The Biden administration has initiated a national strategy focused on public-private alliances to shift the burden of cybersecurity onto the organizations that are “best-positioned to reduce risks for all of us.”