In the wake of a pivotal directive issued by the Public Service Commission (PSC) on May 16, the West Virginia Municipal Water Quality Association (WVMWQA) is challenging the veracity of the order that commands water and sewer utilities across the state to conduct cyber-threat vulnerability assessments. The crux of WVMWQA’s concern lies in the fact that the PSC, with an intent to bolster the cybersecurity defenses of water and sewer systems, mistakenly referenced guidance from the Environmental Protection Agency (EPA) that had been withdrawn following a legal contest.
The EPA’s original interpretation of the regulations had included assessments of cybersecurity in standard sanitary surveys, a decision that was later stayed by a multi-state court over concerns that such strategies could potentially compromise security by exposing sensitive information. Besides, utilities were at risk of facing liabilities should their cybersecurity measures be deemed insufficient. Understanding the gravity of these repercussions, the EPA retracted the memorandum that the PSC had used as a basis for their order.
Seeking Amendments for Accurate Compliance
The WVMWQA is calling for an amendment to the PSC order to eliminate the erroneous reference and proposes proactive engagement with state public water systems before issuing commands with significant cybersecurity implications. The association promotes the idea of a collaborative partnership and the exchange of expertise, with a representative from the PSC attending a meeting that includes a cybersecurity authority from the federal Cybersecurity & Infrastructure Security Agency.
Toward Cooperative Cybersecurity Efforts
The West Virginia Municipal Water Quality Association (WVMWQA) objects to an order from the Public Service Commission (PSC) issued on May 16, which requires water and sewer providers statewide to undertake cyber-threat assessments. WVMWQA’s issue with the PSC’s mandate stems from an incorrect citation of Environmental Protection Agency (EPA) guidance, which was invalidated after a legal dispute.
The EPA’s initial rules included cybersecurity evaluations in routine sanitary surveys. However, challenges from multiple states prompted a stay of these rules, citing risks of exposing sensitive data and subjecting utilities to legal jeopardy if their cyber protections were found wanting. In response to these concerns, the EPA withdrew the guide that had unwittingly become the foundation of the PSC’s directive. As WVMWQA opposes the order, the dispute highlights the complex balance between regulatory enforcement and the secure, responsible management of utility cyber infrastructure.