EPA Withdraws Proposed Cybersecurity Rule for Public Water Systems

In an age of increasing interconnectivity, safeguarding critical infrastructure against cyber threats is a growing concern. Over the last two decades, public water systems have increasingly relied on electronic systems to enhance the efficiency of their drinking water facilities, inadvertently introducing new vulnerabilities to cyber threats. To address this growing challenge and bolster the security of our nation’s water systems, the United States Environmental Protection Agency (EPA) introduced a rule in March 2023. The EPA’s Cybersecurity Rule was conceived as a regulatory framework aimed at strengthening the cyber defenses of critical infrastructure facilities, including public water systems, to ensure the identification and rectification of substantial cybersecurity deficiencies. However, on October 11th, the EPA withdrew the rule amidst ongoing legal challenges and public reaction.

The Latest Developments

Subsequent to the rule’s release in March, the states of Missouri, Arkansas, and Iowa filed a legal petition with the U.S. Court of Appeals for the Eighth Circuit in April 2023. Their petition contested the EPA’s imposition of cybersecurity mandates on critical infrastructure. These states argued that these measures constituted federal overreach into state affairs and would place significant financial burdens on small and rural public water systems. In July 2023, the U.S. Court of Appeals granted a request from the American Water Works Association (AWWA) and the National Rural Water Association (NRWA) to suspend the implementation of the EPA’s Cybersecurity Rule until the ongoing legal challenge was resolved.

In response to these ongoing legal and public concerns, the EPA issued a memorandum on October 11th, officially withdrawing the EPA’s Cybersecurity Rule. Although the rule is no longer in effect, the EPA encourages all states to voluntarily assess their public water system cybersecurity programs to identify and rectify vulnerabilities, offering assistance to systems in need.

Planning for the Future

Even though the proposed rule has been withdrawn, it is likely that new regulations and legislation aimed at addressing these concerns will emerge in a world increasingly dependent on potentially vulnerable technology. Consequently, public water systems should continue to stay informed about regulatory requirements related to cybersecurity and be proactive in preparing for potential future regulations.

For further guidance on navigating the evolving landscape of cybersecurity in public water systems and understanding its potential impacts on your facility, we encourage you to contact U.S. Water. Additionally, for more information and resources on this subject, please visit the USEPA site dedicated to Cybersecurity for the Water Sector.