In a major blow to the Biden administration’s efforts to improve the cybersecurity defenses of critical infrastructure, the Environmental Protection Agency will no longer require cybersecurity audits of U.S. water utilities through sanitary surveys.
In a letter to state drinking water administrators on Thursday, the EPA said litigation from Republican states and trade associations, which raised questions about the long-term legal viability of the initiative to regulate the cybersecurity of water utilities, drove the decision to rescind a March memorandum implementing the rule.
The announcement represents a major setback to the White House’s efforts to add more stringent cyber mandates to critical infrastructure sectors. The Biden administration’s National Cybersecurity Strategy described improving the digital defenses of critical infrastructure as a key priority.
Owners and operators of these systems are struggling to combat a deluge of ransomware and state-backed intrusions into the nation’s most sensitive networks. For critical infrastructure sectors, the consequences of a major cyberattack can be dire, and U.S. water utilities have been identified as particularly lacking in security.
“While the memorandum is being withdrawn due to litigation, improving cybersecurity across the water sector remains one of EPA’s highest priorities,” an EPA spokesperson said in a statement. “Cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities.”
EPA said it encourages “all states to voluntarily review public water system cybersecurity programs to ensure that any vulnerabilities are identified and corrected, and assistance is provided to systems that need help.”
The decision to withdraw the EPA’s cybersecurity rule was first reported by the Messenger.
The withdrawal of the rule does not bode well for future efforts to harmonize regulations among the existing 16 critical infrastructure sectors. Many critical infrastructure sectors like water and wastewater lack cybersecurity regulations. Using a voluntary approach to regulate cybersecurity in these industries was described in the National Cybersecurity Strategy as resulting in “inadequate and inconsistent outcomes.”
Using the EPA to regulate the cybersecurity of water utilities represented a creative piece of policymaking by the Biden administration, but the effort has been controversial from the start, with the water industry loudly opposing the use of EPA’s existing authorities to add cybersecurity regulations. Some experts questioned whether the sanitary survey was the right tool to enforce cybersecurity mandates, as the process traditionally does not involve auditors who understand the complexities of protecting industrial control systems.
A month after the rule was issued, Missouri, Arkansas and Iowa sued to block the EPA from enforcing cybersecurity rules via sanitary surveys. The U.S. Court of Appeals for the Eighth Circuit stayed the measure while it was litigated.
In a statement, the American Water Works Association and the National Rural Water Association — both of which were involved in the lawsuit causing the rule to be blocked — said they were “pleased with the decision and have renewed their call for a collaborative approach to cybersecurity measures in the water sector.”
The co-regulatory model the two trade groups favor is inspired by the electric sector: it would give the EPA oversight and auditing authority over standards developed in collaboration with industry.