Summary
Even though the EPA has stepped back from its cybersecurity requirements, utilities should not relax cybersecurity planning and measures.
You may have heard that the Environmental Protection Agency (EPA) recently stepped back from its March 2023 cybersecurity regulation aimed at water utilities. However, this doesn’t mean you should put your cybersecurity plans on pause. Even without this regulation, cyber threats are still out there.
The cybersecurity landscape is ever-evolving, and attacks and data breaches won’t stop just because the rules won’t be implemented (at this time). The absence of EPA requirements and regulations should not signal a pause or relaxation of cybersecurity efforts. In fact, with the current geopolitical climate, cyber threats have increased.
Relaxing your cybersecurity measures is the opposite of what you should do right now.
Here are four key points to keep in mind as your utility plans its cybersecurity for the new year:
- Cyber threats are here to stay: Threats like ransomware and data breaches are still very real for all utilities, not just those in major metropolitan areas or those with a large customer base. Threat actors don’t discriminate. And these threats aren’t going away. If anything, attacks are getting more sophisticated and happening more often. Loosening stringent regulations doesn’t make the risks disappear and shouldn’t diminish our understanding of the risks these threats pose.
- Sensitive information must be protected: Utilities handle a variety of sensitive data, including customer information, financial records and supervisory control and data acquisition (SCADA) systems. Without strong security, that information is vulnerable. This data ending up in the wrong hands could lead to huge financial losses and reputational damage. Strong cybersecurity shows customers their data is safe—and helps reassure board members, stakeholders, and city councils, too.
- Business continuity must be ensured: Attacks cause business disruption, leading to downtime, financial losses, and damage to your reputation. An effective cybersecurity plan aims to both prevent incidents and lay out a response plan to minimize risk and loss.
- Legal and regulatory risks remain: While the EPA may have eased its cybersecurity requirements, other legal and regulatory risks remain in place. Non-compliance with industry-standard requirements can lead to exposure, legal consequences, and lawsuits.
Cyber threats are more dynamic than ever.
Much like viruses, threat actors continue to evolve and adapt, with their methods becoming more sophisticated over time. Security planning is key to spotting new risks, finding weaknesses, and applying updated protections to meet the latest standards.
According to American Water Works Association (AWWA) CEO David LaFrance, “cyber threats in the water sector are real and growing, and we cannot let our guard down for even a moment.”
There’s no debating the need for cybersecurity planning and implementation among utilities and municipalities, regardless of regulatory changes. Cyber threats continue to place organizations at risk of financial, legal, and reputational damage. Utilities and local governments must implement policies and procedures aimed at protecting sensitive data, ensuring business continuity, and complying with industry-standard requirements.
Even with the EPA stepping back from its mandate, being more cyber-secure is key, regardless of who you work with to get a firm plan in place.
Proper cybersecurity planning (and implementation) is imperative so we can keep our critical infrastructure safe.
For helpful information, check out the following resources: