US Court pauses EPA Cybersecurity Rule for AWWA, NRWA water utility members

The U.S. Court of Appeals for the Eighth Circuit last week granted a request from the American Water Works Association (AWWA) and the National Rural Water Association (NRWA) to stop the U.S. Environmental Protection Agency’s (EPA) Cybersecurity Rule from going into effect until the current case challenging the rule has been decided. The move applies to all AWWA and NRWA members nationwide and comes as the public wasn’t given the opportunity to comment on EPA’s proposed approach before the rule was issued. By granting a stay, the court has prevented the risks the rule poses to members while it reviews the legality of EPA’s rulemaking process.

AWWA and NRWA joined the States of Missouri, Arkansas, and Iowa in a legal challenge to the Cybersecurity Rule due to concerns about the legal process and legality of the rule, and concerns that the rule may create additional cybersecurity vulnerabilities for members. There were also concerns that states do not have appropriate resources, laws, rules, or procedures in place to adhere to the rule requirements. 

Specifically, in the absence of a viable primacy agency implementation framework, water systems were at risk of violations for which they are unable to prepare. There is also the risk that the cybersecurity vulnerabilities of these systems would become publicly available because the evaluations are conducted through sanitary surveys, which could be accessed by malicious actors.

“AWWA is pleased the court recognized the importance of halting the Cybersecurity Rule for our utility members as it reviews the legality of the rulemaking process,” David LaFrance, AWWA CEO, said in a media statement last Thursday. “AWWA strongly supports efforts to strengthen cybersecurity in the water sector, but the Sanitary Survey Program is not the right tool for the job. We are grateful our viewpoint will be heard by the court and look forward to working together with EPA and others on a smart path forward.”

“NRWA commends the court for issuing this stay preventing EPA from enforcing the Cybersecurity Rule until it is determined if it has been lawfully implemented,” according to Matthew Holmes, NRWA CEO. “While NRWA fully supports efforts to strengthen cybersecurity in small communities across the country, enforcing this regulation is not the best way to help small and rural systems, and could have costly and unnecessary consequences.” 

The court move is a reaction to the memorandum issued in March by the EPA that calls upon states to evaluate the cybersecurity of operational technology (OT) used by a public water system (PWS) when conducting sanitary surveys or through other state programs. The document explains various approaches to include cybersecurity in PWS sanitary surveys or other state programs. The EPA is also providing extensive guidance, training, and technical assistance to help states and PWSs increase resilience to cybersecurity incidents.

The two water agencies did not respond to Industrial Cyber’s request to provide comment on the court move.

In May, credit rating agency Fitch Ratings identified that the EPA’s requirement for all PWS to incorporate cyber risk and resiliency in their periodic reviews will impose an additional regulatory and financial burden, which could be ‘onerous for smaller systems and systems with minimal existing cyber infrastructure.’ The agency further expects that the requirement could have a significant effect on water utilities’ capital expenditure budgets, and margins would be pressured if systems are unable or unwilling to pass on the added costs to customers through rate increases.
