MORGANTOWN – An association representing the state's 28 water utilities is concerned that a recent cyber threat vulnerability assessment order by the Public Utilities Commission could inadvertently pose a threat to water utilities' cybersecurity.
In a recent letter to the PSC, the West Virginia Municipal Water Quality Association said the PSC's May 16 order was erroneously based in part on federal EPA guidance that the EPA has rescinded following lawsuits in several states.
The association is calling on the PSC to modify the order, adding that it “respectfully requests that the PSC consider consulting with the state's public water systems before issuing an order that could have far-reaching and potentially unintended effects on an important issue like cybersecurity.”
On May 16, the PSC ordered all water and wastewater utilities to conduct a cyber threat vulnerability assessment within 60 days. The order was issued as a “general study to examine the cybersecurity of water and wastewater systems.”
“Pursuant to the National Primary Drinking Water Regulations, states are required to conduct regular sanitary inspections of public water systems,” the PSC said in its order.
Additionally, “the federal Environmental Protection Agency (EPA) has interpreted its sanitary review regulations to include the evaluation of the adequacy of the cybersecurity of any operational technology used in the production and supply of safe drinking water.”
The association said the assertion in the second sentence of the PSC is incorrect. Technically, the EPA's interpretation is set out in a separate memorandum issued on the same day as the guidance, March 3, 2023.
More importantly, a federal court has blocked the EPA's cybersecurity review requirement, the association said.
The states held each state accountable if their water systems had adequate security in place, and said, “Public water systems expressed concern that EPA's requirement to include cybersecurity considerations in sanitary reviews could have the unintended consequence of compromising their security and leaking sensitive information.”
The association said they agreed with the need for cybersecurity but felt the EPA needed to take a more cautious approach.
The EPA subsequently withdrew a memorandum that included the interpretation the PSC cited in its order, so the association is asking the PSC to remove that language from the order.
The committee added that “WVMWQA members would welcome the opportunity to share their practical experiences on cybersecurity and other issues. Such collaboration would play a valuable role in supporting and informing the PSC's decisions.”
The association informed the PSC that a representative from the Federal Cybersecurity and Infrastructure Security Agency will be attending the June 13 meeting and asked the PSC to send someone to participate in the discussions.
The association's members include the Morgantown Public Utilities Board, the City of Fairmont, the City of Bridgeport and the Clarksburg Board of Sanitation.
Email: dbeard@dominionpost.com