October 18, 2023 at 02:02PM
The EPA has withdrawn its rules requiring cybersecurity assessments for water utilities due to legal challenges. Experts warn that this leaves the water sector vulnerable to cyberattacks, which could have serious public health and safety consequences. The EPA is now encouraging utilities to voluntarily conduct risk assessments and provide user training. However, critics argue that including cybersecurity checks in sanitary surveys would be too costly and burdensome. It is suggested that a combination of regulations and voluntary measures, along with improved industry education, is necessary to address the cybersecurity risks in the water sector.
The Environmental Protection Agency (EPA) has withdrawn rules that would have mandated cybersecurity evaluations for water utilities. The rules required water systems to include a cybersecurity evaluation for operational technology (OT) and industrial control systems (ICS) during sanitary surveys. However, industry groups and Republican lawmakers challenged the rules, arguing that the EPA did not have the right to amend existing rules without public comment or legislative approval. The American Water Works Association (AWWA) and the National Rural Water Association (NRWA) also won a petition to stop the rules from going into effect.
Despite the withdrawal of the rules, cybersecurity experts warn that the public water sector remains at risk for cyberattacks. Threats to water utilities have increased, with water supply and sewage companies being among the most targeted critical infrastructure industries. Cybercriminals and hacktivists have demonstrated the ability to access and manipulate OT systems, potentially compromising the safety and availability of drinking water and wastewater systems.
Although the EPA is now focusing on voluntary measures, experts emphasize the need for long-term vision and multiple courses of action to secure water infrastructure. They recommend that utilities take advantage of the EPA’s offer for voluntary risk assessments and prioritize cybersecurity awareness programs. Additionally, regulatory bodies should provide guidance and support to organizations in addressing common cybersecurity challenges.