The US Environmental Protection Agency (EPA) is facing increasing cyber risks to water and wastewater systems [3], with known incidents disrupting operations and threatening public health and the environment [2].
Description
The Government Accountability Office (GAO) has made four recommendations to the EPA regarding cybersecurity risks in the water sector [2], including assessing sector risk [2], developing a national cybersecurity strategy [1] [2] [4] [6], and evaluating legal authorities to carry out cybersecurity responsibilities [2]. The EPA has been criticized for significant lapses in addressing cybersecurity threats in the water and wastewater sector [6], including failure to conduct risk assessments [6], set cybersecurity objectives [6], and submit tools for evaluation as required [6]. Foreign hackers targeted multiple water systems in 2023 [4], highlighting the need for a standard cyber strategy [4]. The EPA has committed to conducting risk evaluations by January to address these shortcomings and develop a national cyber strategy to better protect critical infrastructure [6].
Despite some federal agencies reviewing cybersecurity risks in the water sector [3], challenges such as workforce skills gaps and older technologies persist [2]. The report highlights the growing targeting of water systems by nation-state actors [3], such as Iran’s Islamic Revolutionary Guard Corps (IRGC) and the Chinese threat actor Volt Typhoon [3]. The EPA has not conducted a comprehensive sector-wide risk assessment or developed a risk-informed strategy to guide its actions [2] [3], which could limit its ability to address the highest risks in the sector [3].
EPA has concurred with the recommendations and is taking action to complete them [2], including conducting a peer review of its risk assessment tool in November and assessing legal authorities next year [5]. Collaboration with relevant agencies has led to guidance for water sector owners and operators to respond to cyber incidents [4]. By seeking additional authority as necessary and developing a comprehensive risk assessment and strategy [2], EPA can better prepare the water sector for future cyberattacks [2].
The EPA plans to release a national cybersecurity strategy for the water sector in January 2025 in response to a GAO report highlighting the agency’s failure to identify and prioritize sector-wide cyber risks [1]. Challenges in improving water sector cybersecurity include workforce skills gaps [1], outdated technologies [1] [2], and limited investments in cybersecurity protections [1]. The EPA has faced challenges in managing cybersecurity risks using existing legal authority and voluntary approaches [1]. Improving water sector cybersecurity has become a priority following reports of China and Iran targeting US critical infrastructure [1]. Congress introduced a bill to create a governing body overseeing cybersecurity requirements for drinking and wastewater systems [1].
Conclusion
The EPA’s efforts to address cybersecurity risks in the water sector are crucial to protecting public health and the environment. By implementing the recommendations from the GAO and developing a national cybersecurity strategy, the EPA can better prepare for and respond to cyber threats. Collaboration with relevant agencies and stakeholders is essential in mitigating risks and improving cybersecurity protections. The challenges of workforce skills gaps and outdated technologies must be addressed to strengthen the water sector’s resilience against cyberattacks. The EPA’s commitment to enhancing cybersecurity measures is a step in the right direction towards safeguarding critical infrastructure and ensuring the safety of water systems for the future.
References
[1] https://d3f5buclv39urb.cloudfront.net/articles/epa-set-to-release-water-cyber-strategy-in-january/
[2] https://www.gao.gov/products/gao-24-106744
[3] https://www.infosecurity-magazine.com/news/epa-cyber-risks-water-systems/
[4] https://executivegov.com/2024/08/gao-says-epa-needs-national-strategy-to-address-cyberthreats-against-us-water-sector/
[5] https://cyberscoop.com/epa-water-cyber-gao-report/
[6] https://www.scmagazine.com/brief/gao-immediate-epa-action-in-boosting-water-wastewater-sector-cybersecurity-needed