The U.S. Environmental Protection Agency (EPA) has made a decisive move, officially withdrawing its proposed cybersecurity regulations which necessitated states to report any cyber threats to their public water systems (PWS). The rules, introduced in March, were intended to bolster security in regards to water availability and purity, considering the escalating number of cyber-attacks we’ve been witnessing across industries.
However, this reversal wasn’t an isolated action; it was provoked by a series of lawsuits initiated in the Eighth Circuit during July. These legal actions were spearheaded by Missouri, Arkansas, and Iowa, which strongly opposed the EPA’s cybersecurity regulations. In addition to individual states, a couple of significant intervenors were brought into the legal battle, namely the American Water Works Association and National Rural Water Association, the water associations who joined the states in their crusade against the EPA’s cybersecurity provision.
The withdrawn rules were directed towards protecting the public water systems from devastating cyber-attacks that could potentially compromise the people’s access to safe drinking water. However, the aforementioned states, along with water associations, believed them to be onerous and unnecessary.
The withdrawal implies that states and water associations that previously would have been subjected to the rules are no longer mandated to report any cyber threats to their public water systems. It remains unclear whether any alternative regulations will be established to shield such critical infrastructures from potential cyber threats. The repercussions of this withdrawal are yet to be seen, particularly in a world that’s increasing in digitization and, correspondingly, cyber threats.