Filling up a glass with drinking water from kitchen tap

EPA ‘Deletes’ Cybersecurity Safe Drinking Water Initiative

Posted by

In the 1970’s, a series of tests of community water systems across the country led to some disturbing findings; varied standards of water containment, transmission, and handling were resulting in substantial health risks to more than a third of tested sources. In response, Congress passed the Safe Water Drinking Act of 1974 (SWDA), a landmark legislation setting basic standards for drinking water for the more than 150,000 municipal water sources, nationwide.

Over the ensuing decades, the SWDA has been expanded and updated with the times and technology; the first substantial change came with a package of amendments in 1986, when the EPA (1) increased the number of recognized contaminants, (2) promulgated newer requirements for disinfection and filtration of public water supplies, (3) limited the use of lead in new water systems, and generally increased the EPA’s enforcement authority.

In the amendments of 1996, Congress added inter alia risk assessment and risk communication provisions to SDWA and mandated that the EPA use peer-reviewed science and supporting studies and data.

More recently, as America’s water infrastructure has become more and more reliant on computerization, the EPA has started trying to keep pace with some of the latest burgeoning threats; cyberattacks. The most infamous example came in February of 2021,  when a hacker attacked a Florida water treatment facility, increasing exponentially—and dangerously—the levels of sodium hydroxide being released into the water supply, until a sharp-eyed employee caught the hack and stopped it.   

In March of this year, in an attempt to strengthen cybersecurity protocols, the EPA promulgated a memorandum, requiring local water systems to review their cybersecurity practices and controls and identify what they needed in order to maintain “the integrity and continued functioning of operational technology.” States that found significant “cybersecurity deficiencies” during this process would have then been required to force the water system to address the security flaw, and choose a means by which to conduct the cybersecurity reviews, including public water system self-assessments, third party assessments or state official assessments.

This last week, however, on Oct. 13, the EPA formally backed off from the stances it took in the memorandum, following a rebuke from the Eighth Circuit; states such as Iowa, Arkansas and Missouri, along with the National Rural Water Association and the American Water Works Association, sued to prevent implementation of the memorandum, arguing, in substance, that the EPA had overstepped its authority, and created an untenable regulatory scheme that among other things risked states’ federal funding if found to be not in compliance. The Eighth Circuit agreed and blocked the EPA in July.

While the prevailing states and water entities cheered the EPA’s decision to step back from this new regulatory scheme, parties on all sides soberly accepted that the objective remains; coming up with, and implementing a robust, workable cybersecurity protocol to protect an increasingly vulnerable American water infrastructure.