Republican attorneys general in Arkansas, Iowa and Missouri this week asked a federal appeals court to overturn the Biden administration’s new cybersecurity regulations for water facilities, calling the requirements overly burdensome and a violation of state sovereignty.
It’s one of the biggest legal challenges yet to the Biden administration’s embrace of regulation to raise the cyber defenses of vulnerable critical infrastructure providers. The Biden administration has also imposed cybersecurity regulations on sectors such as aviation and oil and gas pipelines – but those rules haven’t faced significant legal hurdles.
The Environmental Protection Agency on March 3 issued a memo requiring state governments to audit the cybersecurity practices of public water systems and use their regulatory authority to spur better security practices if necessary. The move was aimed at a sprawling US water sector, which includes more than 148,000 public water systems and has sometimes struggled with funding and personnel protect systems.
But in their petition to the US Court of Appeals for the Eight Circuit, the Arkansas, Iowa and Missouri attorneys general argue that the new regulations circumvent state authorities and reinterpret federal statute that does not apply to cybersecurity.
The office of Iowa Attorney General Brenna Bird claimed in a statement Monday that the new EPA memo vastly expands the number of water systems subject to regulation to include facilities serving as few as 25 people.
The legal challenge was about “protect[ing] Iowans’ pocketbooks,” Bird said.
An EPA spokesperson declined to comment on the lawsuit because it is a pending legal matter.
The water sector has made improvements to cybersecurity in recent years, but analysts say smaller water systems need more resources and expertise to deal with hacking threats.
The FBI and US Cybersecurity and Infrastructure Security Agency have warned about multiple ransomware attacks on the computer networks of water and wastewater facilities from California to Maine.