In December, several water sector associations wrote to EPA Assistant Administrator for Water Radhika Fox to express concern and opposition to the agency’s plans to incorporate cybersecurity audits as part of utility sanitary surveys. The EPA proposal was included in its FY22 budget request to Congress and officials have been moving forward to implement the concept.
Meanwhile, the Association of Metropolitan Water Agencies (AMWA) and other water sector associations including AWWA, NAWC and NRWA, say they have heard near-universal objections to the approach, including from the primacy agencies that would be mandated to implement the new requirement.
In the letter, co-organized by AMWA, the associations advise Fox, "Our members have many years of experience with both sanitary surveys and cybersecurity, and they believe the surveys will be ineffective at improving cybersecurity at water systems.”
Among the associations’ rationales:
The letter’s arguments are consistent with those put forth by the Association of State Drinking Water Administrators (ASDWA), which represents state primacy agencies. And ASDWA members have additional concerns, such as the lack of resources available to fulfill the burden that will fall upon them.
The letter closes with a commitment to work with EPA in a collaborative approach "that is protective of public health and cyber infrastructure in water utilities.” However, the letter adds, "[W]e caution against measures that could fail to have a decisive impact on water sector cybersecurity and that lack input by water sector subject matter experts.”