Water Sector Groups Oppose EPA’s Plans for Cyber Audits in Sanitary Surveys
Print this Article | Send to Colleague
In December, several water sector associations wrote to EPA Assistant Administrator for Water Radhika Fox to express concern and opposition to the agency’s plans to incorporate cybersecurity audits as part of utility sanitary surveys. The EPA proposal was included in its FY22 budget request to Congress and officials have been moving forward to implement the concept.
Meanwhile, the Association of Metropolitan Water Agencies (AMWA) and other water sector associations including AWWA, NAWC and NRWA, say they have heard near-universal objections to the approach, including from the primacy agencies that would be mandated to implement the new requirement.
In the letter, co-organized by AMWA, the associations advise Fox, "Our members have many years of experience with both sanitary surveys and cybersecurity, and they believe the surveys will be ineffective at improving cybersecurity at water systems.”
Among the associations’ rationales:
- The planned program is legally unjustifiable, as interpretive rules like those governing sanitary surveys may not create new legal standards or requirements;
- Sensitive information shared with states would not be protected from public disclosure; and
- State primacy agencies are not qualified to assess the cyber readiness of a water system, which could lead to unmerited significant deficiencies and misinformed advice to utilities.
The letter’s arguments are consistent with those put forth by the Association of State Drinking Water Administrators (ASDWA), which represents state primacy agencies. And ASDWA members have additional concerns, such as the lack of resources available to fulfill the burden that will fall upon them.
The letter closes with a commitment to work with EPA in a collaborative approach "that is protective of public health and cyber infrastructure in water utilities.” However, the letter adds, "[W]e caution against measures that could fail to have a decisive impact on water sector cybersecurity and that lack input by water sector subject matter experts.”