Trump EPA Targets Climate Rule Foundation: Cybersecurity Implications

The Environmental Protection Agency (EPA) under the Trump administration has taken formal steps to repeal the landmark 2009 Endangerment Finding, the scientific and legal determination that greenhouse gases threaten public health and welfare. This foundational regulation has served as the basis for nearly all U.S. climate change policies, including critical infrastructure cybersecurity requirements for climate resilience.

Cybersecurity professionals are particularly concerned about the potential domino effects on industrial control systems (ICS) and operational technology (OT) security. The endangerment finding currently mandates climate adaptation planning for energy infrastructure, including cybersecurity measures to protect against weather-related disruptions that could create vulnerabilities. For example, power plants must implement specific cyber defenses against threats exacerbated by climate change, such as grid instability during heat waves or flooding at critical facilities.

The proposed repeal comes as the National Institute of Standards and Technology (NIST) was preparing to release updated cybersecurity guidelines for climate-resilient infrastructure in Q3 2025. These guidelines, now potentially in jeopardy, included provisions for:

Energy sector cybersecurity teams have expressed concern that without federal requirements, many utilities may deprioritize climate-related cyber investments. This could create vulnerabilities in supervisory control and data acquisition (SCADA) systems just as climate change increases the frequency of extreme weather events that stress critical infrastructure.

Internationally, the move may weaken U.S. positions in climate agreements with cybersecurity components, including the Paris Agreement's technology transfer provisions and the EU-U.S. Data Privacy Framework's infrastructure resilience standards. Cybersecurity firms specializing in environmental, social, and governance (ESG) compliance are already reporting client inquiries about contingency planning.

Legal experts anticipate immediate challenges from environmental groups and tech industry coalitions. The case will likely hinge on whether the EPA can demonstrate that greenhouse gases no longer meet the Clean Air Act's definition of pollutants - a position most climate scientists dispute. The administration's own 2024 National Climate Assessment concluded that climate change continues to threaten infrastructure security.

For cybersecurity professionals, the key considerations include:
1) Reviewing organizational climate risk assessments for cyber implications
2) Monitoring state-level regulations that may fill the federal gap
3) Evaluating supply chain vulnerabilities if infrastructure partners reduce climate adaptations
4) Preparing for potential increases in climate-related social engineering attacks during disasters

The rulemaking process will take several months, with a final decision expected in late 2026. In the interim, the cybersecurity community is urged to maintain current climate adaptation measures as best practices, regardless of regulatory changes.