EPA withdraws controversial cybersecurity memorandum amid legal battle with states, water associations

The U.S. Environmental Protection Agency (EPA) has withdrawn its March 2023 cybersecurity memorandum, which urged states to assess the cybersecurity of operational technology (OT) within public water systems during sanitary surveys or other state initiatives. Citing ongoing litigation (State of Missouri, et al v. U.S. EPA), the agency has decided to retract the interpretive memorandum.

“This memorandum conveyed EPA’s interpretation that existing regulations required states to include an evaluation of the cybersecurity of operational technology during their audits of public water systems, termed sanitary surveys, or through an equivalent alternate process,” Radhika Fox, Assistant Administrator for the EPA’s Office of Water, wrote in a memorandum published last week. “On July 12, 2023, the U.S. Court of Appeals for the 8th Circuit stayed the memorandum under the litigation. Today’s action to rescind the memorandum means that this interpretation is now withdrawn from EPA’s public water system supervision program. EPA continues to believe that adopting cybersecurity best practices at public water systems is essential to providing safe and reliable drinking water.”

Fox outlined that cybersecurity attacks on water and wastewater systems occur frequently and are a significant threat to their operations. 

“EPA encourages all states to voluntarily engage in reviewing public water system cybersecurity programs within the sanitary survey or an alternate process to ensure that deficiencies are corrected, and potential public health impacts are minimized,” according to Fox. “EPA will continue to support both states and water and wastewater systems by providing technical assistance in the form of cybersecurity risk assessments, subject matter expert consultations, training, and funding.”

The Biden-Harris Administration has prioritized cybersecurity, releasing the National Cybersecurity Strategy in March, with a focus on ensuring resilience in critical infrastructure. The Strategy will guide the agency’s work moving forward in partnership with the sector to lower cybersecurity risks to clean and safe water.

Following the EPA action, the American Water Works Association (AWWA) and National Rural Water Association (NRWA) announced that they ‘are pleased with the decision and have renewed their call for a collaborative approach to cybersecurity measures in the water sector.’

AWWA and NRWA joined the States of Missouri, Arkansas, and Iowa in a legal challenge to the rule on behalf of their memberships. They pointed out that the rule was not consistent with the process Congress put in place to address cybersecurity concerns for water systems under the Safe Drinking Water Act or the American Water Infrastructure Act and was not issued with the proper public engagement required by the Administrative Procedures Act.

In addition to concerns about the legal process and legality of the rule, the water associations expressed concerns that the rule would create additional cybersecurity vulnerabilities for utilities, as sanitary surveys required in the rule have public notification requirements. Finally, the rule would have required cybersecurity reviews by state regulatory agencies that lack expertise and resources for cybersecurity oversight. 

The U.S. Court of Appeals for the Eighth Circuit granted a stay on July 12, two months before EPA withdrew the rule.

“AWWA is pleased that EPA has decided to withdraw its cybersecurity rule,” David LaFrance, AWWA CEO, said. “We also recognize that cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment. Strong oversight of cybersecurity in the water sector remains critical. We urge U.S. Congress and EPA to support a co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA.”

“This is a major announcement for rural water and wastewater systems as EPA’s decision to rescind the Cybersecurity Rule is released,” according to Matt Holmes, NRWA CEO. “NRWA commends EPA for making the right call as we understand this was not taken lightly and involved much debate. Cybersecurity remains an important issue for our sector, and we are eager to collaborate with EPA in the future to address cybersecurity in the water industry.”

Together AWWA and NRWA represent community water systems of all sizes and have been actively involved in advocating for solutions to address cybersecurity while keeping their members’ perspectives in mind. This is the first time they have partnered together at this scale on national policy.

AWWA, NRWA, and other water organizations continue to strongly advocate for the implementation of cybersecurity best practices at drinking water and wastewater utilities. Several resources that AWWA has developed, in collaboration with partners, facilitate utility review of potential vulnerabilities based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

In August, the U.S. President’s National Infrastructure Advisory Council (NIAC) highlighted challenges for water utilities in recruiting, training, and retaining workers. The agency noted that a significant portion of the current water sector workforce is nearing retirement, and the sector’s technological advancements and evolving regulatory landscape necessitate a more specialized workforce.
