EPA Calls Off Cyber Regulations for Water Sector

Cyber Security Threat Summary:
The Environmental Protection Agency will no longer require cybersecurity audits of U.S. water utilities through sanitary surveys. “In a letter to state drinking water administrators on Thursday, the EPA said litigation from Republican states and trade associations, which raised questions about the long-term legal viability of the initiative to regulate the cybersecurity of water utilities, drove the decision to rescind a March memorandum implementing the rule” (Cyber Scoop, 2023). The decision comes as a surprise considering the White House’s efforts to add more stringent cyber mandates to critical infrastructure sectors.

“While the memorandum is being withdrawn due to litigation, improving cybersecurity across the water sector remains one of EPA’s highest priorities,” an EPA spokesperson said in a statement. “Cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities.” EPA said it encourages “all states to voluntarily review public water system cybersecurity programs to ensure that any vulnerabilities are identified and corrected, and assistance is provided to systems that need help.”

Ransomware actors have increasingly targeted critical infrastructure entities as a means to capitalize on large and quick ransom payments, as seen in the Colonial Pipeline attack. There are also concerns about state-sponsored actors looking to exfiltrate data from sensitive networks or to deploy destructive malware. This year, security researchers discovered new industrial control system malware, dubbed “CosmicEnergy,” which they say could be used to disrupt critical infrastructure systems and electric grids.

Security Officer Comments:
Some are skeptical of the EPA’s decision to withdraw the cybersecurity rule. Many critical infrastructure sectors lack cybersecurity regulations. Using a voluntary approach to regulate cybersecurity in these industries was described in the National Cybersecurity Strategy as resulting in “inadequate and inconsistent outcomes.”

On the other side, many felt the EPA’s authority to add cybersecurity regulations was controversial. “Some experts questioned whether a sanitary survey was the right tool to enforce cybersecurity mandates, as the process traditionally does not involve auditors who understand the complex nature of protecting industrial systems” (Cyber Scoop, 2023).

“A month after the rule was issued, Missouri, Arkansas and Iowa sued to block the EPA from enforcing cybersecurity rules via sanitary checks. The U.S. Court of Appeals for the Eighth Circuit stayed the measure from being implemented while it was litigated” (Cyber Scoop, 2023).

“In a statement, the American Water Works Association and the National Rural Water Association — both of which were involved in the lawsuit causing the rule to be blocked — said they were ‘pleased with the decision’ and have renewed their call for a collaborative approach to cybersecurity measures in the water sector” (Cyber Scoop, 2023).

Both trade groups have called for a co-regulatory model, which is currently used by the electricity sector. In this model, the EPA would have oversight and auditing authority over standards developed in collaboration with industry. Others have expressed concern about whether the EPA is up to the task of protecting the nation’s water and wastewater systems, and have suggested creating a new Department of Water to take on that role.