EPA withdraws cyber audit requirement for water systems

A technician monitoring control systems at a water treatment plant in Eagle Pass, Texas. The EPA recently backed away from a plan to require water systems to report on cybersecurity measures as part of the agency's sanitary survey requirements. Brandon Bell/Getty Images

The agency asserted that it still “remains committed” to helping states protect their water systems, despite legal challenges to its formal mandate.

The Environmental Protection Agency announced on Wednesday its withdrawal of earlier guidance aimed at fostering strong cybersecurity protocols within the nation’s water system infrastructure, meaning states will no longer need to adhere to audit requirements for the cybersecurity of their public water systems. 

The withdrawal stems from ongoing litigation between the states of Missouri, Arkansas and Iowa and the EPA, in which the U.S. Court of Appeals for the Eighth Circuit ordered a halt to the memorandum’s enforcement in July.

Despite the change in policy direction, the agency said that its cybersecurity posture remains “one of the EPA’s highest priorities” and that cyber attacks “remain a significant threat” to water system operations. 

“EPA remains committed to using available tools and resources to help protect communities from the increasing number and severity of cyber-threats facing our nation’s water systems,” the agency said in a press release. “EPA will continue to work with states, Tribes and territories to protect the public from the threats created by cybersecurity incidents and support the efforts of water systems to adopt cybersecurity best practices.”

Modernizing and updating all federal agencies’ cybersecurity strategies was first set as a policy goal in the Biden administration’s 2021 Executive Order on national cybersecurity.

Earlier in April, the nonprofit American Water Works Association issued a statement supporting the three states’ challenge of the audits, but also said it hopes to find a solution to implement effective cybersecurity protocols within the water sector.

“AWWA agrees with the April 17 petition filed by the states of Missouri, Iowa and Arkansas that points out EPA’s proposed cybersecurity approach is not only unwise, but legally flawed,” the statement said. “Many state primacy agencies lack both the resources and technical expertise to evaluate and address cybersecurity issues. Further, state laws do not protect sensitive information collected through sanitary surveys, and if publicly shared, that information could expose water system vulnerabilities.”

Despite the legal interruption of sanitary surveys, the EPA said that it encourages all states to voluntarily review public water system cybersecurity programs to proactively identify potential network vulnerabilities. 

“EPA will continue to support states, drinking water systems, and wastewater systems by providing that technical assistance in the form of cybersecurity risk assessments, subject matter expert consultations, and training,” the agency said.