EPA Withdraws Memorandum Requiring Cybersecurity Assessments in Sanitary Surveys
At a meeting earlier today with sector agency leaders, the Environmental Protection Agency (EPA) announced that due to litigation (State of Missouri, et al. v. U.S. EPA), they have chosen to rescind the interpretive memorandum issued on March 3, 2023, Addressing Public Water System Cybersecurity in Sanitary Surveys of an Alternate Process.
The memorandum conveyed EPA’s interpretation that existing regulations required primacy agencies to include an evaluation of the cybersecurity of operational technology during their audits of public water systems, called sanitary surveys, or through an equivalent alternate process. On July 12, 2023, the U.S. Court of Appeals for the 8th Circuit stayed the memorandum under the litigation. Today’s action to rescind the memorandum means that this interpretation is now withdrawn from EPA’s public water system supervision program.
EPA emphasized that adopting cybersecurity best practices at public water systems is essential to providing safe and reliable drinking water. As we advance, EPA encouraged all primacy agencies to voluntarily review public water system cybersecurity programs within the sanitary survey or an alternate process to ensure that vulnerabilities are corrected, and potential public health impacts are minimized. EPA will continue to support primacy agencies and water and wastewater systems by providing technical assistance in the form of cybersecurity risk assessments, subject matter expert consultations, training, and funding.
ASDWA’s members appreciate the Agency demonstrating leadership in rescinding the memo and believe the decision creates the necessary space to collaboratively evaluate flexible and innovative approaches to lowering the sector’s risk profile and protecting it from future and ever-evolving threats. ASDWA looks forward to working with EPA and our partners on additional strategies to address cybersecurity in the water and wastewater sector.