EPA flushes water supply cybersecurity rule after losing legal fight with industry, states

What could possibly go wrong?
American public water systems could be safe from cybercriminals and spies — we may not actually know until these systems are compromised, now that the Environmental Protection Agency has pulled the plug on a rule requiring US states to conduct cybersecurity evaluations after being sued by Republican states and water industry groups.

This week the EPA sent a memo [PDF] to state drinking water administrators saying it had "chosen to rescind" an earlier cybersecurity rule, and cited a lawsuit as the reason for its decision.

In March, the EPA began requiring states to evaluate the cybersecurity of their public water systems' operational technology environments.

The EPA cited increasing cyberattacks against water utilities in multiple states, including the Oldsmar, Florida attempted poisoning, and noted that many of these systems "have failed to adopt basic cybersecurity best practices and consequently are at high risk of being victimized by a cyber-attack."

A month later, state attorneys general of Arkansas, Iowa, and Missouri sued the EPA to stop the rule. The American Water Works Association and National Rural Water Association later joined the lawsuit, which argued the EPA didn't have the authority to issue the new regulation without Congressional approval. 

"EPA's new rule thus intrudes on states' sovereignty," according to the complaint [PDF].

In July, an appeals court temporarily blocked [PDF] the federal agency from enforcing the security audit.

In its memo sent to states on Wednesday, the EPA said it "continues to believe that adopting cybersecurity best practices at public water systems is essential to providing safe and reliable drinking water."

Cyberattacks on water and wastewater plants pose "a significant threat to their operations," and as such the agency hopes that states will "voluntarily engage in reviewing public water system cybersecurity programs," it added. 

Blow to Biden's cybersecurity strategy

In addition to dealing a blow to efforts to secure the nation's drinking water, the court's decision and EPA's response may be a setback for the White House's efforts to protect critical infrastructure from nation-state attacks and other cyberthreats like ransomware.

The US National Cybersecurity Strategy, also released in March, centers on five "pillars," the first of which focuses on defending US critical infrastructure and enforcing minimum cybersecurity requirements.

This includes enforcing minimum cybersecurity requirements in critical sectors — but if this attempt by the EPA to improve water systems' cybersecurity is any indication, it looks like it will be an uphill battle.

Industry groups applauded the EPA's rule reversal, while acknowledging that threats against the sector are growing.

"AWWA is pleased that EPA has decided to withdraw its cybersecurity rule," American Water Works Association CEO David LaFrance said in a statement. "We also recognize that cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment."

LaFrance added that cybersecurity oversight across the industry "remains critical," and urged Congress and the environmental agency to "support a co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA." ®
