The Biden administration has decided to abandon its initiative to include cybersecurity in federally mandated safety assessments for water systems. The move comes after federal judges had previously ordered the Environmental Protection Agency (EPA) to halt its efforts in this direction.
Earlier this year, the EPA had invoked the Safe Drinking Water Act to make operational technology security a part of its periodic assessments, referred to as “sanitary surveys.” However, this move encountered opposition from the attorneys general of Missouri, Arkansas, and Iowa, as well as industry lobbying groups. An April lawsuit, initiated by the three states, challenged the EPA’s authority, and in July the U.S. Court of Appeals for the 8th Circuit stayed the EPA’s order.
In an October 11 memo, the EPA announced that it would withdraw the cybersecurity component of water system safety assessments, citing ongoing litigation as the reason. While the EPA still believes in the importance of adopting cybersecurity best practices for public water systems, it has opted to encourage states to voluntarily engage in reviewing cybersecurity programs within the sanitary survey framework. Iowa Attorney General Brenna Bird welcomed the decision, suggesting that the original cybersecurity mandate would have raised water bills with no clear benefits.
The Biden administration intends to pursue legislation explicitly authorizing the EPA to include cybersecurity as an element of water safety. The move to integrate cybersecurity practices into water systems had gained prominence after an incident in Oldsmar, Florida, where a hacker attempted to tamper with the city’s water treatment system in 2021.
Water utilities, fearing hacking threats to their systems, had concerns about the cost and effectiveness of the EPA’s cybersecurity mandates, which led to the litigation and now to the retraction of this initiative.