Connect with us

Hi, what are you looking for?



EPA Withdraws Water Sector Cybersecurity Rules Due to Lawsuits

Environmental Protection Agency (EPA) withdraws recent water sector cybersecurity rules due to lawsuits by states and water associations.

Aliquippa water utility hack

The US Environmental Protection Agency (EPA) has withdrawn cybersecurity rules for public water systems due to lawsuits filed by states and non-profit water associations.

The EPA announced in March that it would require states to report on cybersecurity threats in their public water system audits. The agency offered to provide guidance and technical know-how, but did mention any financial assistance.

Soon after the new cybersecurity requirements were announced, the attorney generals of Missouri, Arkansas and Iowa took legal action to challenge the EPA’s memo, arguing that meeting the new requirements would put a significant financial burden on small towns. 

The American Water Works Association (AWWA) and the National Rural Water Association (NRWA), non-profit organizations that each have tens of thousands of members, joined the lawsuits, questioning the legality of the requirements. A court ordered the EPA in July to pause the new rules while the case was being tried.

“In addition to concerns about the legal process and legality of the rule, the water associations expressed concerns that the rule would create additional cybersecurity vulnerabilities for utilities, as sanitary surveys required in the rule have public notification requirements. Finally, the rule would have required cybersecurity reviews by state regulatory agencies that lack expertise and resources for cybersecurity oversight,” AWWA and NRWA said in a press release issued last week after the EPA withdrew the rules.

Organizations in the water sector have often been targeted in attacks in recent years, including their operational technology (OT) systems, and AWWA and NRWA say they “recognize that cyber threats in the water sector are real and growing”. On the other hand, they ask for a “collaborative approach to cybersecurity measures in the water sector”.

The US government has been taking steps to improve cybersecurity in the water sector. A bill announced this summer aims to increase cybersecurity funding for rural water systems. 

In addition, the cybersecurity agency CISA recently announced offering a free vulnerability scanning service to water utilities to help them protect drinking water and wastewater systems against cyberattacks.

Advertisement. Scroll to continue reading.
Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta

Related: Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks

Related: Former Contractor Employee Charged for Hacking California Water Treatment Facility

Related: US Says National Water Supply ‘Absolutely’ Vulnerable to Hackers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.


Companies have announced securing billions of dollars in cybersecurity-related contracts with the United States government in 2022.


The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...


CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.

Cloud Security

Redmond is accused of “negligent cybersecurity practices” that enabled a successful Chinese hack of the United States government.


TSA instructs airport and aircraft operators to improve their cybersecurity resilience and prevent infrastructure disruption and degradation.