The Government Accountability Office (GAO) has recently released a report emphasizing the urgent need for the Environmental Protection Agency (EPA) to enhance its cybersecurity measures in the water sector. With cyber threats on the rise, the safety and reliability of water and wastewater systems in the United States are at risk, prompting the GAO to call for more robust cybersecurity strategies to safeguard this critical infrastructure.
The water sector, which comprises nearly 170,000 water and wastewater systems nationwide, is facing escalating cybersecurity risks. The report from the GAO underscores the vulnerability of these systems to cyberattacks, which have the potential to cause significant disruptions to public health and the environment.
In recent years, there have been notable incidents highlighting the pressing need for improved water sector cybersecurity. For instance, in 2023, Iranian-linked hackers targeted a water system near Pittsburgh as a geopolitical protest. Similarly, hackers backed by China have been implicated in attempts to breach drinking water systems, potentially to gain control during periods of political tension. Insider threats have also been a concern, as demonstrated by a former employee who allegedly compromised a Kansas utility’s water treatment systems in 2019.
Despite these known cybersecurity vulnerabilities in the water sector, the approach to cybersecurity remains fragmented and reactive. Many utilities are struggling with outdated technology, making it challenging to implement modern cybersecurity measures effectively. Additionally, the sector’s focus on regulatory compliance for water quality often overshadows investments in cybersecurity.
Presently, the EPA’s cybersecurity approach relies on voluntary cooperation from utilities, which has proven insufficient given the increasing complexity and sophistication of cyber threats. As a result, cybersecurity improvements in the water sector have been ad hoc and inconsistent.
While the EPA has made efforts to enhance water sector cybersecurity, the GAO report points out that a comprehensive risk assessment and a risk-informed strategy are lacking. The absence of a unified approach hampers the EPA’s ability to effectively address the most significant cybersecurity threats facing the sector.
In response to these findings, the GAO recommends that the EPA take decisive action to strengthen water sector cybersecurity. Specifically, the report calls for the development of a national cybersecurity strategy that addresses sector-wide risks. The EPA should assess whether additional authority is needed to enforce cybersecurity improvements and ensure that water systems adhere to best practices for cybersecurity.
Although the EPA has taken some steps towards enhancing enforcement activities and collaborating with relevant agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), a more structured and proactive strategy is necessary to address cybersecurity challenges effectively.
The GAO has outlined four key recommendations for the EPA, including conducting a comprehensive sector risk assessment, developing and implementing a national cybersecurity strategy, evaluating legal authority adequacy, and seeking additional authority if necessary. The EPA has agreed with these recommendations and is expected to release an evaluation of its authorities and a risk assessment strategy by mid-2025.
Given the tangible cybersecurity risks to water systems demonstrated by recent attacks, it is imperative for the EPA to prioritize and strengthen cybersecurity measures in the water sector to protect critical infrastructure and public safety.
