A Matter of Checks and Balances

Abstract

The sanitary survey program was created by the US Environmental Protection Agency (EPA) to support state primacy agencies in assessing utility progress with implementing water quality requirements in the Ground Water Rule and the Interim Enhanced Surface Water Treatment Rule. In the spring of 2021, EPA said it was planning to issue a direct file rule to integrate cybersecurity into the existing sanitary survey program. Multiple organizations representing water utilities and state primacy agencies communicated to EPA that using the sanitary survey program for cybersecurity was ill-advised. Even so, on March 3, 2023, EPA issued the “Cyber Rule” directing state primacy agencies to assess cybersecurity of public water systems (PWSs) as part of the sanitary survey program—effective immediately. The new Cyber Rule requires all PWSs (n = 151,606) to determine whether they use “operational technology,” meaning hardware and software that detect or cause a change through the direct monitoring or control of physical devices, processes, and events in the enterprise, per the Internet of Things Cybersecurity Improvement Act of 2020, 15 U.S.C. § 271(3)(6). EPA provided states with three compliance options: (1) self-assessment or third-party assessment by a state-approved entity; (2) state assessment during a sanitary survey; or (3) an alternative, equivalent, state-developed cybersecurity program. The draft guidance for the Cyber Rule includes a checklist of 33 controls that EPA determined are “technically feasible for most PWS[s] to address without significant capital expenditures.” Sixteen of these controls are classified by EPA as potential “significant deficiencies” if not implemented. There are numerous implementation challenges, including the ability of a state official to nonintrusively verify that a control has been implemented. The Cyber Rule interprets the use of operational technology as being part of the equipment or operations examined in the sanitary survey, components used for producing and distributing safe drinking water. This represents a significant expansion of the states’ existing sanitary survey inspection obligations. The details of the rule were never proposed or made available for public review and comment, which is the norm under the Administrative Procedures Act (APA). While EPA did have discussions with states in the summer of 2022, the Association of State Drinking Water Administrators has consistently advised the agency against using the sanitary survey for addressing cybersecurity. Bypassing APA and other regulatory obligations represents a troubling process issue that undermines the integrity of the rule of law. This includes EPA's determination that the regulatory oversight approach set out by Congress in §2013 of America's Water Infrastructure Act (AWIA) of 2018 was, in the administrator's judgment, insufficient. AWIA §2013 amended the Safe Drinking Water Act (SDWA) §1433 to require each community water system serving 3,300 or more people to conduct a risk and resilience assessment (RRA) at least every five years, which explicitly encompass cybersecurity threats to “electronic, computer, or other automated systems.” Further, §2013 requires systems to incorporate the findings of the RRA into emergency response plans, which must address the “strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system.” Congress clearly defined a process by which a specific class of PWSs would address cybersecurity. Finally, Congress instructed EPA to directly implement, oversee, and enforce AWIA §2013. Unlike other SDWA requirements, AWIA does not authorize the EPA to delegate implementation to the states. Contrary to congressional direction, the Cyber Rule shifts the burden of oversight to the state. Many of these procedural concerns were shared with EPA in a January 2023 letter from the water community. Undeterred, EPA proceeded with issuing the Cyber Rule. Subsequently, on April 17, the states of Missouri, Arkansas, and Iowa filed a challenge to the Cyber Rule in the US Court of Appeals for the Eighth Circuit, State of Missouri, et al. v. EPA, et al., No. 23-1787 (8th Cir.). AWWA and the National Rural Water Association have filed to intervene on behalf of the states. The intent of the challenge is to hold EPA accountable for going around the checks and balances created to govern the promulgation of regulations. Perhaps watching the “Three Ring Government” episode from Schoolhouse Rock! is in order since it explains the balance of power between the three branches of government. The judiciary is a last resort for accountability; it is unfortunate that the public–private collaboration called for in the National Cybersecurity Strategy was not exercised. Kevin M. Morley is manager of federal relations at the AWWA Government Affairs Office in Washington, D.C. He can be reached at [email protected].