A report by the Government Accountability Office (GAO) urges the Environmental Protection Agency (EPA) to develop a national cybersecurity strategy for water and wastewater systems, but the EPA tells The Driller it has been developing such a strategy.
In developing the report—“Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems”—the GAO was tasked with assessing cybersecurity threats facing the water sector and reviewing the federal government’s efforts to address those threats, as well as outlining the findings of that effort in the report that was issued on August 1, 2024. The report says the water sector has worked to improve cybersecurity, but the sector has challenges to improving cybersecurity, including workforce skills gaps and older technologies that are difficult to update with cybersecurity protections.
The EPA is required by law to identify, assess, and prioritize risks to the water sector risks, and while the EPA has assessed aspects of cybersecurity risks, it has not conducted a comprehensive sector-wide risk assessment or developed and used a risk-informed strategy to guide its actions, according to the GAO.
Furthermore, despite the EPA identifying threats, vulnerabilities, and consequences to the water sector, the agency has not integrated that work into a comprehensive assessment, the GAO says. “Without a risk assessment and strategy to guide its efforts, EPA has limited assurance its efforts address the highest (cyber) risks” to the water sector, GAO says.
However, a top EPA official said in a written statement that while the agency generally agrees with the GAO’s assessment of the cyber threats to the water sector, the agency has been developing a national cybersecurity strategy. “EPA concurs with the recommendations of the GAO, several of which were already planned activities or will be addressed under the National Security Memorandum on Critical Infrastructure Security and Resilience, published on April 30, 2024, including developing a water sector risk management plan and cybersecurity strategy,” said Remmington Belford, press secretary to EPA Administrator Michael S. Regan.
Nonetheless, the water sector faces increasing cybersecurity-related risks from nations such as Iran and China, cyber criminals, and others, said the GAO, which notes that such foreign hackers targeted multiple water systems in late 2023. Such cyberattacks threaten public health, the environment, and other critical infrastructure sectors, according to the report.
Furthermore, the possibility of Chinese hackers attacking U.S. water utilities in 2026 or 2027 is strong enough that top federal officials conducted a virtual meeting with state governors to discuss cyber threats to critical water infrastructure, according to Jennifer McLain, director of the EPA’s Office of Ground Water and Drinking Water. In addition, large metropolitan water facilities with strong cybersecurity programs are urged to help smaller utilities incorporate more robust programs into their systems, McLain said.
The GAO says federal agencies and other entities have acted to improve water sector cybersecurity, including the sector making investments in cybersecurity, but there are still challenges. To help deal with those challenges, the report lists four recommendations, they are:
The EPA should, as required by law, conduct a water sector risk assessment, considering physical security and cybersecurity threats, vulnerabilities, and consequences.
The EPA should develop and implement a risk-informed cybersecurity strategy, in coordination with other federal and sector stakeholders, to guide its water sector cybersecurity programs. Such a strategy should include information from a risk assessment and should identify objectives, activities, and performance measures; roles, responsibilities, and coordination; and needed resources and investments.
The EPA should evaluate its existing legal authorities for carrying out its cybersecurity responsibilities and seek any needed enhancements to such authorities from the administration and Congress.
The EPA should submit the Vulnerability Self-Assessment Tool (VSAT) for independent peer review and revise the tool as appropriate.
Of the four recommendations, EPA says it had already planned to submit “the VSAT tool for independent review,” Belford said. In addition, EPA will continue to work with federal partners to assess cybersecurity risks to the sector as is currently underway in the Water Sector Cybersecurity Task Force and was recently delineated in the 2024 Roadmap to a Secure and Resilient Water and Wastewater Sector, according to Belford.
Read the report: Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems.