Inside Cybersecurity

March 29, 2024

Daily News

Three states sue to block EPA from applying new cyber requirements through existing water program

By Charlie Mitchell / April 18, 2023

The states of Missouri, Arkansas and Iowa have asked a U.S. court of appeals “set aside” the Environmental Protection Agency’s new cybersecurity requirements for state drinking water regulators under an existing “sanitary survey” program, which critics say is ill-suited for bolstering cyber in the water sector.

“This Petition for Review asks the Court to hold unlawful and set-aside EPA’s March 3, 2023 Cybersecurity Rule requiring States to impose new and burdensome cybersecurity infrastructure mandates on Public Water Systems,” the states said in an April 17 petition for review filed with the U.S. Court of Appeals for the Eighth Circuit in St. Louis, MO.

Republicans control the political levers of power in all three states, including the governor’s office and the legislature.

EPA in March issued a memo to state drinking water regulators requiring them to assess the cyber practices of public water systems, as part of the Biden administration effort to improve cybersecurity across critical infrastructure sectors under its national cyber strategy.

State and water industry groups pushed back against the proposal, saying it will impose significant implementation challenges and that they had little opportunity to weigh in on the plan.

Deputy National Security Advisor for Cyber Anne Neuberger last fall said EPA is taking a “creative approach” on water, using “existing legislation that calls for safety and security of water, that includes cybersecurity as well,” as the basis for applying cyber regulation to the sector.

The three states said in the court filing that what they call the “cybersecurity rule” requires them “to change how they conduct sanitary surveys under the Safe Drinking Water Act and imposes increased technology costs on small (and rural) Public Water Systems.”

They said, “EPA’s new authority springs from re- ‘interpreting’ the words ‘equipment’ and ‘operation’ for a physical on-site inspection to include cybersecurity infrastructure, even though the words ‘cybersecurity’ or ‘internet’ are absent from the 2019 guidance. And EPA uses its new power to require a mandatory enforcement scheme that burdens States and rural Public Water Systems.”

The filing said, “EPA’s six-page checklist and sixteen new ‘significant deficiencies’ exemplify its unlawful tradition of creating new legal obligations and labeling them guidance.”

Further, they said, “EPA promulgated this rule without any statutory or Congressional support. By claiming to reinterpret its authority, EPA seeks to evade (rather than obey) the procedures required for promulgating a new rule. EPA’s actions impose costs on everyone now and waits to see how long it takes courts to notice and set them straight.”

The states said, “But the federal government must follow the rules like everyone else. The Administrative Procedure Act and other statutory obligations cannot be reduced to a speed bump so easily avoided.”

In addition, they said EPA is inappropriately shifting new responsibilities onto states and “EPA’s new rule thus intrudes on States’ sovereignty.”

“The Safe Drinking Water Act reflects this State-first statutory scheme and specifically empowers States to be the primary enforcers. But EPA’s lawless actions place States’ traditional role in jeopardy, because failing to impose EPA’s new burdens permits EPA to pull millions in funding and takeover enforcement,” the states said. – Charlie Mitchell (cmitchell@iwpnews.com)