The West Virginia Municipal Water Quality Association in its recent letter to the PSC said that the PSC's May 16 order is erroneously based in part on federal EPA guidance that the EPA withdrew following a multi-state court challenge.
The association asks the PSC to amend its order. It then adds, "We also respectfully request that the PSC consider consulting with the state's public water systems in advance of issuing orders that have sweeping and potentially unintended implications on matters as important as cybersecurity."
The PSC on May 16 ordered all water and sewer utilities to conduct a cyber threat vulnerability assessment within 60 days. The order was issued as "a general investigation to examine water and sewer system cybersecurity."
In the order, the PSC said, "Pursuant to the National Primary Drinking Water Regulations, states are required to conduct periodic sanitary surveys of public water utilities."
And, "The Federal Environmental Protection Agency (EPA) interprets the regulations regarding sanitary surveys to include an evaluation of the adequacy of the cybersecurity of any operational technology used in the production and distribution of safe drinking water."
The association said the PSC's assertion in the second sentence is incorrect. Tehnically, the EPA's interpretation came in a separate memorandum issued the same day as the guidance, March 3, 2023.
More important, the association said, a federal court stayed the EPA cybersecurity review requirement.
Along with setting the states up for liability if the water systems in those states had adequate security, the states said, "Public water systems expressed concerns that EPA's requirement to include cybersecurity reviews in sanitary surveys could have the unintended effect of compromising security and exposing sensitive information."
They agreed on the need for cybersecurity, the association said, but thought the EPA needed to take a more cautious approach.
EPA then rescinded the memorandum with the interpretation the PSC referred to in its order. So the association is asking the PSC to remove that sentence from its order.
On a more encouraging note, it added, "WVMWQA's members would welcome the opportunity to share their practical experience with cybersecurity and other issues. Such collaboration would serve a beneficial role in supporting and informing the PSC's decisions."
The association told the PSC that it is having a federal Cybersecurity & Infrastructure Security Agency representative attend its June 13 meeting and invited the PSC to send someone too, to join the discussion.
Association membership includes Morgantown Utility Board, the cities of Fairmont and Bridgeport, and Clarksburg Sanitary Board.
© 2024 The Dominion Post (Morgantown, W.Va.). Distributed by Tribune Content Agency, LLC.
