EPA Withdraws Cybersecurity Guidance for Water Systems Amid Litigation

The Environmental Protection Agency has retracted its earlier guidance on bolstering cybersecurity measures within the country's water system infrastructure. This means that states will no longer be bound by audit requirements pertaining to the cybersecurity of their public water facilities.

The decision to withdraw comes in the wake of ongoing legal disputes involving Missouri, Arkansas and Iowa against the EPA. Nevertheless, the agency emphasized its commitment to robust cybersecurity practices. 

The American Water Works Association and National Rural Water Association joined the three states in the legal challenge to the rule on behalf of their memberships. They pointed out that the rule was not consistent with the process Congress put in place to address cybersecurity concerns for water systems under the Safe Drinking Water Act or the American Water Infrastructure Act and was not issued with proper public engagement required by the Administrative Procedures Act.

In addition to concerns about the legal process and legality of the rule, the water associations expressed concerns that the rule would create additional cybersecurity vulnerabilities for utilities, as sanitary surveys required in the rule have public notification requirements. Finally, the rule would have required cybersecurity reviews by state regulatory agencies that lack expertise and resources for cybersecurity oversight, according to the associations. The U.S. Court of Appeals for the Eighth Circuit granted a stay on July 12, two months before EPA withdrew the rule.

“AWWA is pleased that EPA has decided to withdraw its cybersecurity rule,” says AWWA CEO David LaFrance. “We also recognize that cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment. Strong oversight of cybersecurity in the water sector remains critical. We urge U.S. Congress and EPA to support a co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA.”

“This is a major announcement for rural water and wastewater systems as EPA's decision to rescind the Cybersecurity Rule is released,” says NRWA CEO Matt Holmes. “NRWA commends EPA for making the right call as we understand this was not taken lightly and involved much debate. Cybersecurity remains an important issue for our sector, and we are eager to collaborate with EPA in the future to address cybersecurity in the water industry.”

AMWA CEO Tom Dobbins also released a statement about the EPA withdrawing its cybersecurity memorandum. “Ensuring the cybersecurity of the nation’s water systems is of utmost importance, but attempting to do so through Public Water System Sanitary Surveys was the wrong approach. AMWA applauds EPA for listening to stakeholders and withdrawing this plan that would have fallen short of strengthening cybersecurity across the entire water sector, while putting sensitive utility security information at risk. We welcome the opportunity to work with EPA on a truly collaborative approach to water system cybersecurity that takes full advantage of resources like WaterISAC to ensure that all communities have the opportunity to implement the best cyber practices for their utility.”

