September 1, 2023

EPA Cybersecurity Rule Challenged by States and Water Systems Associations

Timothy Bado, Ketan Bhirud, Christopher Carlson, Clayton Friedman, Natalia Jacobo, Judith Jagdmann, Namrata Kang, Michael Lafleur, Susan Nikdel, Stephen Piepgrass, John Sample, Avi Schick, Whitney Shephard, Trey Smith, Ashley Taylor Jr., Daniel Waltz, Michael Yaghi

Troutman Pepper

+ Follow Contact

Facebook

Send

Embed

Troutman Pepper

[co-author: Stephanie Kozol]*

On July 25, Missouri, Arkansas, and Iowa (the states), along with intervenors American Water Works Association and National Rural Water Association (the water associations), petitioned the Eighth Circuit to review the U.S. Environmental Protection Agency’s (EPA) new rule requiring states to review and report cybersecurity threats to their public water systems (PWS).

In August 2022, the EPA provided a report to Congress describing its plan and prioritization framework for addressing the cybersecurity needs of the public water system. The EPA then issued an “implementation memo” in March 2023 that laid the groundwork for the EPA’s plan to combat cybersecurity risk. The memorandum requires states to incorporate an evaluation of the cybersecurity of operational technology used by a PWS when conducting its sanitary surveys. A sanitary survey is a review of a PWS to assess its capability to supply safe drinking water, and the EPA is including cybersecurity as a potential deficiency. In a press release announcing the memo, EPA Assistant Administrator for Water Radhika Fox said, “Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health.” In early July 2023, the Eighth Circuit blocked implementation of the rule while the legal challenge is ongoing.

The states’ brief argues that the EPA’s Cybersecurity Rule unlawfully imposes new legal requirements on states and PWSs, and that the rule exceeds the EPA’s statutory authority by ignoring congressional actions limiting cybersecurity requirements to large PWSs and changing the criteria for sanitary surveys through a memorandum. The states also assert that the rule is arbitrary and capricious because the EPA (i) failed to acknowledge or explain it had changed policies relating to amending the minimum criteria or the scope of sanitary surveys and (ii) failed to consider important aspects of the rule, including that the state agencies responsible for conducting the surveys lack the level of cybersecurity expertise necessary to complete the evaluations expected by the EPA, and the frequency with which sanitary surveys occur (every three to five years) will not ensure PWSs address new threats in a timely fashion.

In a separate brief, the water associations argued that the Cybersecurity Rule exceeds the EPA’s authority under the Safe Drinking Water Act, which provides the EPA with limited authority to address cybersecurity vulnerabilities, and Congress did not intend for the EPA to use the act to impose sanitary surveys, regulate smaller water systems, or force states to collect sensitive information and evaluate cybersecurity at PWSs. The water associations argued that the rule “contravenes Congress’s thoughtful policy preference that cybersecurity in smaller PWSs be addressed with assistance, not regulation, from EPA.” They specifically contend that Congress knew these smaller systems would lack the operational and financial capacity to undertake requirements like those included in the Cybersecurity Rule and that such requirements would strain those systems’ limited budgets and staff without providing proportionate benefits. The public disclosure of PWS cybersecurity information through states’ public records laws is also a concern.

If the new rule becomes a binding requirement, as the EPA intends, the states and their PWSs will face legal obligations that, if ignored, could potentially cause them to lose control over Safe Drinking Water Act programs and compromise federal funding.

Why It Matters

While the EPA’s new rule is presently being challenged by the states, it is clear that the cybersecurity landscape is shifting. The EPA’s new rule is consistent with efforts across the federal government to bolster the cybersecurity framework that protects critical infrastructure. The states’ challenge to the EPA rule may ultimately be successful, but new regulations and legislation to address the same concerns are likely in a world that increasingly relies on complex technology that is susceptible to attack by bad actors.

Utilities across the U.S. with significant technical debt need to be mindful of new legal and regulatory requirements relating to cybersecurity to ensure compliance. The same is true for vendors of critical infrastructure facilities who may share responsibility for cybersecurity. Failure to stay abreast of, and in compliance with, rapidly evolving cybersecurity obligations may place utilities and vendors in the crosshairs of regulators, and risk the loss of public funding or being compelled to comply with current requirements before the utility is permitted to continue operations. While compliance may seem impossible for entities that have fallen behind in modernizing cybersecurity platforms, assistance programs like the State and Local Cybersecurity Grant Program may provide important resources to offset some of the burden.

*Senior Government Relations Manager

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.