EPA says litigation from Republicans, water companies forced withdrawal of cybersecurity memo

The U.S. Environmental Protection Agency (EPA) has decided to rescind a memorandum establishing new cybersecurity guidelines for water systems across the country after Republican lawmakers and water companies filed a lawsuit against the measure.

First reported by The Messenger, the decision to withdraw the order was announced in a memo on Wednesday to State Drinking Water Administrators.

In a statement to Recorded Future News, an EPA spokesperson confirmed that the memorandum – handed down in March – was being withdrawn due to lawsuits filed by attorneys general in the States of Missouri, Arkansas, and Iowa as well as industry groups American Water Works Association (AWWA) and National Rural Water Association (NRWA).

“Today, EPA issued a memorandum withdrawing the March 3, 2023, interpretive memorandum, Addressing Public Water System Cybersecurity in Sanitary Surveys or an Alternate Process. While the memorandum is being withdrawn due to litigation, improving cybersecurity across the water sector remains one of EPA’s highest priorities,” a spokesperson said.

“Cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities. EPA remains committed to using available tools and resources to help protect communities from the increasing number and severity of cyber-threats facing our nation’s water systems. EPA will continue to work with states, Tribes, and territories to protect the public from the threats created by cybersecurity incidents and support the efforts of water systems to adopt cybersecurity best practices. The Agency will continue to explore opportunities to lower cybersecurity risk for public water systems.”

The new rules – which would have added cybersecurity assessments to annual state-led Sanitary Survey Programs that evaluate water systems across the U.S. – were the first to come following the unveiling of the White House’s National Cybersecurity Strategy.

Due to concerns about getting any cybersecurity legislation through a divided congress, a key pillar of the strategy was augmenting existing rules to include cybersecurity. The EPA was the first agency to attempt this by adding cybersecurity to the existing sanitary surveys

But the rule quickly faced lawsuits from Republican lawmakers who claimed the cybersecurity improvements needed to pass the assessments would be too costly for suppliers. The lawmakers expressed concerns that water companies would simply pass the costs of cybersecurity protections on to customers.

The lawsuits were then backed up by two powerful industry groups — the AWWA and the NRWA — before the U.S. Court of Appeals for the 8th Circuit struck down the rule in July. At the time, the EPA said the ruling “undercuts EPA’s efforts to protect the safety of the nation’s drinking water from malicious cyberattacks.”

The lawmakers and industry groups used a range of arguments to take down the measures, arguing that the EPA did not have the authority to institute the rules and that the state authorities that administer the Sanitary Survey Program “lack the appropriate staffing, training and expertise to evaluate cybersecurity programs.”

On Thursday, an EPA spokesperson reiterated the driving factor behind the rule change, explaining that cyberattacks on drinking water and wastewater systems “occur frequently and are a significant threat to their operations.”

“EPA encourages all states to voluntarily review public water system cybersecurity programs to ensure that any vulnerabilities are identified and corrected, and assistance is provided to systems that need help. EPA will continue to support states, drinking water systems, and wastewater systems by providing that technical assistance in the form of cybersecurity risk assessments, subject matter expert consultations, and training,” they said.

“Most cybersecurity practices can be implemented at minimal cost. When there are costs, EPA supports investments in cybersecurity projects and assist systems as they apply for funding from the Drinking Water State Revolving Fund, Clean Water State Revolving Fund, Infrastructure Resilience and Sustainability Grant and other state and local sources.”

Greg Kail, director of communications at AWWA, defended the group’s work in shutting down the EPA effort and said they were looking for a system that resembled the electric sector, with a “tiered risk- and performance-based set of requirements.”

In a statement released by AWWA, the organization lauded its work in getting the cybersecurity rules removed, claiming the EPA did not follow a process allegedly put in place by Congress to address cybersecurity concerns for water systems under the Safe Drinking Water Act or the American Water Infrastructure Act.

“In addition to concerns about the legal process and legality of the rule, the water associations expressed concerns that the rule would create additional cybersecurity vulnerabilities for utilities, as sanitary surveys required in the rule have public notification requirements,” they said.

AWWA CEO David LaFrance said he was “pleased” but then acknowledged that “cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment.”

He urged the EPA to allow utilities to create their own requirements.

When asked whether the organizations were concerned whether they would face backlash from the public after the next cyberattack, AWWA spokesperson Kail said they provide utilities with resources to address cybersecurity gaps and are supporting legislation in Congress that would expand an existing U.S. Agriculture Department program for assessing the digital security of small water and wastewater utilities.

Ransomware gangs continue to relentlessly target water systems across the world. U.S. law enforcement agencies said ransomware gangs hit five U.S. water and wastewater treatment facilities from 2019 to 2021 — and those figures did not include three other widely reported cyberattacks on water utilities.

The move was not received well by cybersecurity experts, many of whom questioned the decision to let water utilities continue regulating themselves.

Recorded Future ransomware expert Allan Liska said the EPA made the best decision it could given the circumstances because they likely felt they would lose in court and did not want to waste more taxpayer resources on the effort.

“As for the Attorneys General and the interest groups that sued the EPA, I think their actions were short sighted and potentially dangerous. The regulation only required an assessment of threats and the EPA was willing to offer assistance in conducting the surveys,” Liska said.

“Everyone knows that there are serious weaknesses in our water infrastructure that need to be addressed and this was a good first step in better understanding the problem. There have already been 1/2 dozen publicly reported ransomware attacks against water systems over the last few years, it is only a matter of time before a ransomware group does something dangerous.”

Last month, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it would be offering drinking water and wastewater systems free vulnerability scanning services. Water systems can get weekly automated scans that will provide a report on known vulnerabilities found on internet-accessible assets, week-to-week comparisons, and mitigations.

“Drinking water and wastewater systems are vital for our community’s wellbeing,” CISA said. “But they’re not immune to cyberattacks.”