EPA pulls back cybersecurity rule

The U.S. Environmental Protection Agency (EPA) today announced it will withdraw plans to require states to survey cybersecurity best practices at public water systems — welcome news to much of the industry that opposed the approach.

The EPA proposal was included in the agency’s FY22 budget request to Congress in 2021, and officials had been moving forward to implement the rule that would require water systems to incorporate cybersecurity audits as part of utility sanitary surveys. But industry associations and utility leaders pushed back against the plan, saying surveys would ultimately be ineffective at improving cybersecurity at water systems.

The American Water Works Association (AWWA), Association of Metropolitan Water Agencies (AMWA), National Association of Water Companies (NAWC) and National Rural Water Association (NRWA) – all representing drinking water systems – said they heard near-universal objections to the approach.

Then, AWWA and NRWA joined the States of Missouri, Arkansas and Iowa in a legal challenge to the rule on behalf of their memberships. They pointed out that the rule was not consistent with the process Congress put in place to address cybersecurity under the Safe Drinking Water Act or the American Water Infrastructure Act and was not issued with the proper public engagement required by the Administrative Procedure Act.

The associations expressed concerns that the rule would create more cybersecurity vulnerabilities for utilities because sanitary surveys required in the rule have public notification requirements. The rule would have also required cybersecurity reviews by state regulatory agencies. The associations argued state agencies are not qualified to assess the cyber readiness of a water system, which could lead to unmerited significant deficiencies and misinformed advice to utilities that lack expertise and resources for cybersecurity oversight.

On July 12, the U.S. Court of Appeals for the Eighth Circuit granted a stay, three months before EPA withdrew the rule.

AWWA and NRWA said they are pleased with the decision and have renewed their call for a collaborative approach to cybersecurity measures in the water sector.

“AWWA is pleased that EPA has decided to withdraw its cybersecurity rule,” said AWWA CEO David LaFrance. “We also recognize that cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment. Strong oversight of cybersecurity in the water sector remains critical. We urge U.S. Congress and EPA to support a co-regulatory model that would engage utilities in developing cybersecurity requirements with oversight from EPA.”

“This is a major announcement for rural water and wastewater systems as EPA’s decision to rescind the Cybersecurity Rule is released,” said NRWA CEO Matt Holmes. “NRWA commends EPA for making the right call as we understand this was not taken lightly and involved much debate. Cybersecurity remains an important issue for our sector, and we are eager to collaborate with EPA in the future to address cybersecurity in the water industry.”

A press release from AWWA noted this is the first time AWWA and NRWA have partnered together at this scale on national policy.

Tom Dobbins, CEO of the Association of Metropolitan Water Agencies (AMWA), representing large drinking water systems, added: “Ensuring the cybersecurity of the nation’s water systems is of utmost importance, but attempting to do so through Public Water System Sanitary Surveys was the wrong approach. AMWA applauds EPA for listening to stakeholders and withdrawing this plan that would have fallen short of strengthening cybersecurity across the entire water sector, while putting sensitive utility security information at risk.

“We welcome the opportunity to work with EPA on a truly collaborative approach to water system cybersecurity that takes full advantage of resources like WaterISAC to ensure that all communities have the opportunity to implement the best cyber practices for their utility.”

