US EPA Nixes Cybersecurity Assessments of Water Systems
Agency Acts in Response to Lawsuit by Missouri, Arkansas and Iowa Attorneys General
The Biden administration is backing down from an attempt to make cybersecurity a component of federally mandated safety assessments of water systems, months after federal judges ordered the Environmental Protection Agency to halt those efforts.
The EPA invoked powers earlier this year under the Safe Drinking Water Act to make the security of operational technology a factor in periodic assessments, which the agency calls "sanitary surveys" (see: US EPA Regulates Public Drinking Water for Cybersecurity).
The move attracted opposition from the attorneys general of Missouri, Arkansas and Iowa, as well as industry lobbying groups the American Water Works Association and the National Rural Water Association. In response to an April lawsuit initiated by the three states that accuses the EPA of exceeding its authority, the U.S. Court of Appeals for the 8th Circuit in July stayed the EPA's order.
The EPA now has decided to rescind the cybersecurity component of water system safety assessments in an Oct. 11 memo that cites the ongoing litigation. "EPA continues to believe that adopting cybersecurity best practices at public water systems is essential to providing safe and reliable drinking water," wrote Assistant Administrator Radhika Fox. "EPA encourages all states to voluntarily engage in reviewing public water system cybersecurity programs within the sanitary survey."
Iowa Attorney General Brenna Bird sounded a less rueful note, stating Friday that the cybersecurity mandate would have caused water bills to increase "with no benefit."
In a statement to The Washington Post, Anne Neuberger, deputy national security adviser for cybersecurity and emerging technology, said the Biden administration will pursue legislation explicitly authorizing the EPA to make cybersecurity an element of water safety.
Worries that hackers could tamper with drinking water gained newfound urgency after city officials in Oldsmar, Florida, in 2021 stopped an attacker from mixing dangerous levels of lye into municipal pipes. City officials at the time stressed that redundant checks in the system would have prevented contaminated water from reaching the public (see: Hacker Breached Florida City's Water Treatment System).
Still, mounting and unavoidable networking functions embedded within operational technology have raised alarms that hacking ranging from the life-threatening to the mischievous could still affect water supplies. Another commonly cited water system hacking incident involves a man formerly employed by a rural Kansas water district serving about 10,000 people who pleaded guilty in 2022 to tampering after he had used still-active credentials for a remote desktop application to shut down the facility.
The EPA rules were part of a Biden administration push to layer on cybersecurity mandates by using existing authorities (see: Biden Administration Ramps Up Cybersecurity Requirements).