The U.S. Environmental Protection Agency (USEPA) rescinded its 2023 Cybersecurity Rule in October due to a lawsuit in the State of Missouri. The States of Missouri, Iowa, and Arkansas teamed with the American Water Works Association (AWWA) and the National Rural Water Association (NRWA) to challenge the regulation. The new rule, announced in March, would have required States to include cybersecurity when conducting periodic audits of water systems that are called sanitary surveys.
The AWWA and NRWA cited concerns the public notification requirements for the sanitary surveys would create additional cybersecurity vulnerabilities for utilities. In addition, the water industry organizations expressed concerns that the rule would require cybersecurity review by State regulatory agency personnel who may lack expertise to assess and provide cybersecurity oversight. The U.S. Court of Appeals for the Eighth Circuit granted a stay on the Cybersecurity Rule on July 12, two months before USEPA officially withdrew the rule on October 11.
“AWWA is pleased that EPA has decided to withdraw its cybersecurity rule,” said David LaFrance, AWWA CEO, in a news release. “We also recognize that cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment. Strong oversight of cybersecurity in the water sector remains critical. We urge U.S. Congress and EPA to support a co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA.”
Though USEPA rescinded the rule, the regulatory agency has several cybersecurity tools and resources available for public water systems. In addition, AE2S has developed cybersecurity best practices for control systems that water utilities may find useful. Jason Schuler, AE2S Senior Information Technology (IT) Technician / Cybersecurity Specialist, and Mike Chorne, AE2S I&C Senior Specialist, are resources for information about the most common types of attacks and how to keep a water system safe. If you have questions, please contact Jason Schuler about cybersecurity concerns for utilities.