The Environmental Protection Agency (EPA) is backing out of an initiative to inspect public water systems for cybersecurity risks following legal challenges from three Republican-led states.
After a spate of high-profile hacks, including the SolarWinds breach in 2020, the EPA pushed to beef up security for public water systems. According to the agency's initial assessment, public water systems are a "frequent target of malicious cyber activity."
The original plan was for the EPA to create guidance for water companies to better protect against cyberattacks. Then, state regulators would inspect water companies to see if cybersecurity best practices were being followed. Companies that were deemed high-risk or were found to have "significant deficiencies" for cyberattacks would be forced to bring their systems up to date.
The EPA outlined its plans in March 2023, and the Republican attorneys general of Arkansas, Iowa, and Missouri sued the following month, stating that the EPA did not have the power to enact the kinds of regulations outlined in its memorandum. The AGs also said additional inspections would overwhelm state regulators.
As Iowa Attorney General Brenna Bird noted in April, "water systems with a population as small as 25 Iowans will have to pay to upgrade their cybersecurity systems and face large costs." Bird said she instead preferred a previous law passed by Congress with "a common-sense exception to the cybersecurity rule on public water systems serving fewer than 3,300 residents."
The courts issued a temporary block on the effort in July 2023, and the EPA has now canceled the program outright, Engadget reports.
The EPA says it's still interested in helping public water systems work out potential