Court pauses cybersecurity rule following legal challenge

This week the U.S. Court of Appeals for the Eighth Circuit granted a request from the American Water Works Association (AWWA) and the National Rural Water Association (NRWA) to stop the U.S. Environmental Protection Agency’s Cybersecurity Rule from going into effect until a current case challenging the rule has been decided.

The court’s decision applies to all AWWA and NRWA members across the United States. AWWA and NRWA requested that the court stay (pause) the rule during a legal challenge from three states so that their members would not have to undertake costly changes to their operations until the court decides if the rule is legally valid. The stay applies until further notice from the court.

“AWWA is pleased the court recognized the importance of halting the Cybersecurity Rule for our utility members as it reviews the legality of the rulemaking process,” said AWWA CEO David LaFrance. “AWWA strongly supports efforts to strengthen cybersecurity in the water sector, but the Sanitary Survey Program is not the right tool for the job. We are grateful our viewpoint will be heard by the court and look forward to working together with EPA and others on a smart path forward.”

“NRWA commends the court for issuing this stay preventing EPA from enforcing the Cybersecurity Rule until it is determined if it has been lawfully implemented,” added NRWA CEO Matthew Holmes. “While NRWA fully supports efforts to strengthen cybersecurity in small communities across the country, enforcing this regulation is not the best way to help small and rural systems, and could have costly and unnecessary consequences.”

EPA’s intention to incorporate cyber audits as part of utility sanitary surveys was first announced in 2021 in the agency’s FY22 budget request. Following the announcement, AWWA and NRWA, along with other associations representing drinking water systems including the Association of Metropolitan Water Agencies and National Association of Water Companies, said they had heard “near-universal objections” to the approach, including from the primacy agencies that would be mandated to implement the new requirement. Among the associations’ rationale:

  • The planned program is legally unjustifiable, as interpretive rules like those governing sanitary surveys may not create new legal standards or requirements;
  • Sensitive information shared with states would not be protected from public disclosure; and
  • State primacy agencies are not qualified to assess the cyber readiness of a water system, which could lead to unmerited significant deficiencies and misinformed advice to utilities.

More recently AWWA and NRWA joined the States of Missouri, Arkansas and Iowa in a legal challenge to the Cybersecurity Rule because of concerns about the legal process and legality of the rule. In these instances, there are concerns that the rule may create additional cybersecurity vulnerabilities for members, as well as concerns that states do not have appropriate resources, laws, rules or procedures in place to adhere to the rule requirements.

Specifically, in the absence of a viable primacy agency implementation framework, water systems were at risk of violations for which they are unable to prepare. There is also the risk that the cybersecurity vulnerabilities of these systems would be publicly available because they are being done through sanitary surveys, which could be accessed by malicious actors.

The public wasn’t given the opportunity to comment about EPA’s proposed approach before the rule was issued. By granting a stay, the court has prevented these risks to members while it reviews the legality of EPA’s rulemaking process.

Source: AWWA

Leave a Reply

Your email address will not be published. Required fields are marked *