The Environmental Protection Agency rescinded a March memorandum last week requiring public water systems to include cybersecurity as part of their periodic system audits, following a legal challenge from Missouri, Arkansas and Iowa.
The 8th U.S. Circuit Court of Appeals in July stayed the memorandum after the three states challenged the rule in federal court.
The EPA said states should still review cybersecurity practices for public water systems on a voluntary basis under the sanitary survey or use another equivalent process, according to a memo from Assistant Administrator Radhika Fox.
“Cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities,” the EPA said in an emailed statement. “EPA remains committed to using available tools and resources to help protect communities from the increasing number and severity of cyberthreats facing our nation’s water systems.”
The EPA will continue to provide cybersecurity risk assessments, training and subject matter expert consultations to local utilities, the agency said.
The American Water Works Association and the National Rural Water Association, who joined the three states in the legal challenge, said they were pleased with the decision to withdraw. The associations said they fully recognize the seriousness of cybersecurity threats against the water industry and renewed calls for the EPA to work with industry in a collaborative approach.
The EPA memo was among the earliest sector-specific actions taken by the Biden administration amid the rollout of its national cybersecurity strategy, which is designed to help develop a more resilient infrastructure against future malicious threat activity.
A senior administration official who requested anonymity said the Biden administration has been focused on securing critical infrastructure, including prior actions on rail, aviation and pipeline security, and will continue to take measures to protect water.
“We will continue to use all the tools and resources needed to secure the water sector — and all sectors — to ensure the continuity of services which Americans expect,” the senior administration official said.