On July 25, Missouri, Arkansas, and Iowa (the states), along with intervenors American Water Works Association and National Rural Water Association (the water associations), petitioned the Eighth Circuit to review the U.S. Environmental Protection Agency’s (EPA) new rule requiring states to review and report cybersecurity threats to their public water systems (PWS).
In August 2022, the EPA provided a report to Congress describing its plan and prioritization framework for addressing the cybersecurity needs of the public water system. The EPA then issued an “implementation memo” in March 2023 that laid the groundwork for the EPA’s plan to combat cybersecurity risk. The memorandum requires states to incorporate an evaluation of the cybersecurity of operational technology used by a PWS when conducting its sanitary surveys. A sanitary survey is a review of a PWS to assess its capability to supply safe drinking water, and the EPA is including cybersecurity as a potential deficiency. In a press release announcing the memo, EPA Assistant Administrator for Water Radhika Fox said, “Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health.” In early July 2023, the Eighth Circuit blocked implementation of the rule while the legal challenge is ongoing.
The states’ brief argues that the EPA’s Cybersecurity Rule unlawfully imposes new legal requirements on states and PWSs, and that the rule exceeds the EPA’s statutory authority by ignoring congressional actions limiting cybersecurity requirements to large PWSs and changing the criteria for sanitary surveys through a memorandum. The states also assert that the rule is arbitrary and capricious because the EPA (i) failed to acknowledge or explain it had changed policies relating to amending the minimum criteria or the scope of sanitary surveys and (ii) failed to consider important aspects of the rule, including that the state agencies responsible for conducting the surveys lack the level of cybersecurity expertise necessary to complete the evaluations expected by the EPA, and the frequency with which sanitary surveys occur (every three to five years) will not ensure PWSs address new threats in a timely fashion.
Troutman Pepper
September 1, 2023