EPA says court decision to ban new rule ‘undercuts’ cybersecurity efforts
The U.S. Environmental Protection Agency is criticizing a decision by a federal appellate court to place a temporary hold on a new rule that would add cybersecurity assessments to audits of public water systems.
A spokesperson for the EPA told Recorded Future News on Friday that the agency was “disappointed” by the order and said the decision “undercuts EPA’s efforts to protect the safety of the nation’s drinking water from malicious cyberattacks.”
The EPA issued the rule in March, alongside the release of the National Cybersecurity Strategy, hailing the effort as the first of many initiatives from the federal government to implement broader cybersecurity protections in critical industries. The regulations added cybersecurity assessments to annual state-led Sanitary Survey Programs that evaluate water systems across the U.S.
But the rule quickly faced lawsuits from Republican attorneys general in Iowa, Arkansas and Missouri, who claimed the cybersecurity improvements needed to pass the assessments would be too costly for suppliers, who in turn would pass the costs on to customers. The lawsuits were backed up by two powerful industry groups — the American Water Works Association (AWWA) and the National Rural Water Association (NRWA).
First reported by the Washington Post, the U.S. Court of Appeals for the 8th Circuit struck down the new rule this week, providing no explanation for the ruling beyond a one-sentence confirmation approving the motion for a stay.
The EPA is committed to the new rule as part of its mission to protect the public, the spokesperson said.
“Cybersecurity threats to the water sector are real, and EPA is committed to using its authorities to advance cybersecurity and reduce the possibility of cyber threats impacting the delivery of clean, safe water,” the spokesperson said.
“EPA is dedicated to addressing the challenge of cybersecurity and using all available tools to lower risk for the nation's drinking water systems. We are also committed to working with our partners as we have for over 20 years to increase the water sector’s resilience.”
The spokesperson reiterated that the National Cybersecurity Strategy focused heavily on ensuring that the country’s critical infrastructure is more resilient to cyberattacks and said the EPA would continue to use the strategy as a guide moving forward.
Several officials at the EPA said in March that ransomware has become a significant concern, including incidents that “shut down critical treatment processes, locked up control system networks behind ransomware, and disabled communications used to monitor and control distribution system infrastructure like pumping stations.”
U.S. law enforcement agencies said ransomware gangs hit five U.S. water and wastewater treatment facilities from 2019 to 2021 — and those figures did not include three other widely reported cyberattacks on water utilities.
An issue of cost?
The three state attorneys general argued that the rules were “burdensome” and would impose “significant costs” on small and rural public water systems. They also claimed the EPA did not have the authority to issue the rules.
Iowa Attorney General Brenna Bird said the new rule would force water systems serving as few as 25 Iowans to pay to upgrade their cybersecurity systems and face large costs.
Bird said the law being used by the EPA — the Safe Drinking Water Act — contained exceptions for public water systems serving fewer than 3,300 residents.
“Rather than cleaning up our water, the federal government is hurting Iowa’s small towns,” Bird said. “At a time of soaring inflation, where it’s hard enough to make ends meet, the federal government insists on making Iowans’ water bills more costly. We’re going to hold the Biden Administration accountable and protect Iowans’ pocketbooks.”
Greg Kail, director of communications for AWWA, said that while there is broad agreement within the water sector that cybersecurity is an issue and regulatory oversight is needed, the survey programs changed by the new EPA rules “are not the appropriate oversight mechanism.”
When asked why, Kail said the state authorities that administer the Sanitary Survey Program “lack the appropriate staffing, training and expertise to evaluate cybersecurity programs.”
“State primacy agency staff are not qualified to assess the cyber readiness of a water system. Federal and state law does not protect information collected through sanitary surveys by state sanitary survey programs from being made public,” he said.
“If, for instance, a state discloses that a water system has a particular vulnerability, the information would be very valuable to bad actors looking for an easy target, opening the system up to attack. A ‘simple checklist’ mindset to cybersecurity will not have the desired effect of advancing cybersecurity readiness.”
Some companies, he said, have concerns about the costs associated with “restructuring, training, and hiring at states to support expansion of sanitary surveys to include cybersecurity.”
Any new spending on preparing for state surveys could “pull water system resources away from recognized cybersecurity priorities within individual systems,” he claimed.
“There is also concern that water systems will spend time and resources addressing cybersecurity issues that are inappropriately prioritized by state sanitary survey reviews (due to state’s lack of familiarity with cybersecurity implementation),” he added.
Kail explained that AWWA is advocating for a regulatory model that resembles the energy sector — where the water sector would define and provide a “foundation” for implementing minimum cybersecurity requirements that would be overseen by the EPA.
The industry group is also advocating for capacity development programs and grants from the EPA and U.S. Department of Agriculture for training programs and implementation efforts.
Any rules, Kail said, should be “risk- and performance-based.”
Dozens of states backed the new EPA rules when they were first released, with several state-level officials in Minnesota, Massachusetts, New Jersey, New Hampshire and Wisconsin saying they were already working with the EPA on the measures and were working to implement the guidelines.
EPA Assistant Administrator Radhika Fox warned in March that cyberattacks against drinking water systems are increasing and said public water systems are vulnerable.
“Cyberattacks have the potential to contaminate drinking water, which threatens public health,” she said. “EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.