The Environmental Protection Agency (EPA) has decided to withdraw its plan that would have required states to assess the cybersecurity and integrity of public water system programs. The agency still recognizes the importance of cybersecurity protective measures for the public water industry, but the decision to withdraw the plan was made in response to lawsuits from GOP-led states.
In March, the EPA released a memo along with the proposed rules, highlighting the potential risks of cybersecurity attacks on water and wastewater systems. These attacks have the potential to disable or contaminate the delivery of drinking water to consumers and critical facilities like hospitals. Despite the EPA’s offer to provide training and technical support for implementing cybersecurity surveys, the proposal faced opposition from both GOP state attorneys and trade groups.
Republican state attorneys argued against the proposed policies, stating that the new inspections could overwhelm state regulators. The attorneys general of Arkansas, Iowa, and Missouri filed lawsuits against the EPA, claiming that the agency did not have the authority to set these requirements. As a result, the EPA’s proposal was temporarily blocked in June.
While it remains uncertain if any cybersecurity regulations will be implemented to protect the public moving forward, the EPA has expressed its commitment to working with the industry to reduce cybersecurity risks in water systems. The agency encourages all states to voluntarily review the cybersecurity of their water systems, noting that proactive actions could mitigate potential public health impacts in the event of a hack.
The need for increased cybersecurity measures in government entities and public agencies has become evident in recent high-profile cyberattacks. The SolarWinds hack in 2020 exposed government records, and the Colonial Pipeline ransomware attack in 2021 temporarily disrupted operations for the oil pipeline system. These incidents have highlighted the vulnerability of government entities and public agencies to malicious actors.
In response, the Biden administration has initiated a national strategy focused on establishing public-private alliances to address cybersecurity challenges. The strategy aims to shift the burden of cybersecurity onto organizations that are best positioned to reduce risks for the entire nation.
While the EPA’s plan to require states to assess the cybersecurity of public water system programs has been withdrawn, the importance of cybersecurity measures in protecting critical infrastructure remains a top priority. Water systems play a vital role in providing clean and safe water to communities, and ensuring their cybersecurity is essential for public health and safety.
Moving forward, it is crucial for government agencies, public entities, and private organizations to collaborate and implement robust cybersecurity measures to protect critical infrastructure. This includes conducting regular assessments, implementing preventive measures, and establishing incident response plans to mitigate the impact of cyberattacks.
The EPA’s decision to withdraw the plan does not diminish the significance of cybersecurity in the water industry. It should serve as a reminder for all stakeholders to remain proactive in addressing cybersecurity risks and working towards resilient and secure water systems. By prioritizing cybersecurity, we can better protect our communities and ensure the reliable delivery of clean and safe water to all.