AWWA, NRWA Renew Call for Collaborative Approach After EPA Withdraws Cybersecurity Rule

The U.S. Environmental Protection Agency (EPA) has announced that it’s withdrawing its March 2023 Cybersecurity Rule. The American Water Works Association (AWWA) and National Rural Water Association (NRWA) are pleased with the decision and have renewed their call for a collaborative approach to cybersecurity measures in the water sector.

Both AWWA and NRWA joined Missouri, Arkansas, and Iowa in a legal challenge to the rule on behalf of their memberships. They pointed out that the rule was not consistent with the process Congress put in place to address cybersecurity concerns for water systems under the Safe Drinking Water Act or the American Water Infrastructure Act and was not issued with proper public engagement required by the Administrative Procedures Act.

In addition to concerns about the legal process and legality of the rule, the water associations expressed concerns that the rule would create additional cybersecurity vulnerabilities for utilities, as sanitary surveys required in the rule have public notification requirements. The rule would also have required cybersecurity reviews by state regulatory agencies that lack expertise and resources for cybersecurity oversight.

“AWWA is pleased that EPA has decided to withdraw its cybersecurity rule,” said David LaFrance, CEO of AWWA. “We also recognize that cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment. Strong oversight of cybersecurity remains critical. We urge the U.S. Congress and EPA to support a coregulatory model that would engage utilities in developing cybersecurity requirements, with oversight from EPA.”

“This is a major announcement for rural water and wastewater systems as EPA’s decision to rescind the Cybersecurity Rule is released,” said Matt Holmes, CEO of NRWA. “NRWA commends EPA for making the right call as we understand this was not taken lightly and involved much debate. Cybersecurity remains an important issue for our sector and we are eager to collaborate with EPA in the future to address cybersecurity in the water industry.”

Together AWWA and NRWA represent community water systems of all sizes and have been actively involved in advocating for solutions to address cybersecurity, while keeping their members’ perspectives in mind. This is the first time they have partnered together at this scale on national policy.

AWWA first formally endorsed a coregulatory approach in October 2021 and testified about it before the U.S. House Committee on Homeland Security in 2022. The new governance framework would build on a similar process in the electric sector, maintain EPA oversight, ensure the engagement of water sector experts, and protect sensitive information. It would also incorporate the public-private collaboration called for in the recent National Cybersecurity Strategy. 

NRWA has been actively involved in the legislative arena where cybersecurity is concerned, and its grassroots advocacy has resulted in the introduction of the “Cybersecurity for Rural Water Systems Act of 2023” by Congressmen Zach Nunn (IA-R) and Don Davis (NC-D) and Congresswomen Angie Craig (MN-D), and Abigail Spanberger (VA-D). A key portion of the bill includes additional funding through the NRWA Circuit Rider Program to provide technical assistance to help utilities address cybersecurity. 

AWWA, NRWA, and other water organizations continue to strongly advocate for the implementation of cybersecurity best practices at drinking water and wastewater utilities. Several resources that AWWA has developed, in collaboration with other organizations, facilitate utility review of potential vulnerabilities based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. 

“October is Cybersecurity Awareness Month, a time when all water utilities are especially focused on keeping our critical infrastructure safe from those who would do us harm,” LaFrance said. “We hope this development is an opportunity to advance a collaborative approach that leads to a safer cybersecurity future.”