The EPA has retracted its proposal requiring states to evaluate the cybersecurity and integrity of public water system programs, reports Yahoo Finance.
Although the agency emphasizes the importance of cybersecurity measures for the public water industry, this decision follows legal action by GOP-led states challenging the rule.
In a memo accompanying the revised regulations released in March, the EPA highlighted the potential impact of cybersecurity attacks on water and wastewater systems, citing the risk of disrupting drinking water delivery to consumers and essential facilities like hospitals. Despite the EPA's offer to assist states and public water system organizations in implementing cybersecurity surveys through training and technical support, this proposal faced opposition from GOP state attorneys and trade groups.
Republican state attorneys opposing the proposed policies argued that the call for new inspections could overwhelm state regulators. Attorneys general from Arkansas, Iowa, and Missouri filed lawsuits against the EPA, contending that the agency lacked the authority to establish these requirements. Consequently, the EPA's proposal was temporarily halted in June.
While it's unclear if any cybersecurity regulations will be put in place to protect the public moving forward, the EPA stated its intention to collaborate with the industry to reduce cybersecurity risks for clean and safe water. The agency encourages all states to voluntarily assess the cybersecurity of their water systems, emphasizing proactive measures to mitigate potential public health impacts in the event of a cyberattack.
In light of high-profile cyber incidents such as the SolarWinds hack in 2020 and the Colonial Pipeline ransomware attack in 2021, which underscored the vulnerability of government entities and public agencies, it is evident that these organizations are attractive targets for malicious actors. The Biden administration has initiated a national strategy that focuses on public-private partnerships, aiming to shift the responsibility for cybersecurity onto organizations best equipped to mitigate risks for the collective well-being.