The latest report from the Government Accountability Office (GAO) highlights a pressing need for the Environmental Protection Agency (EPA) to bolster its strategy for water sector cybersecurity. As cyber threats increasingly jeopardize the safety and reliability of water and wastewater systems across the United States, the GAO is calling for more cybersecurity measures to protect these critical infrastructures from attacks.
The water sector, encompassing nearly 170,000 water and wastewater systems nationwide, faces escalating cybersecurity risks. The GAO’s new report highlights the vulnerability of these systems to cyberattacks, which have the potential to disrupt public health and the environment significantly.
Water Sector Cybersecurity is a Priority Amid Rise of Cyberattacks
In 2023, Iranian-linked hackers targeted a water system near Pittsburgh in an act of geopolitical protest. Similarly, China-backed hackers have been implicated in attempting to breach drinking water systems, possibly aiming to gain control during times of political tension. Moreover, insider threats are a concern, as demonstrated by a 2019 incident where a former employee allegedly compromised a Kansas utility’s water treatment systems.
Despite these lapses in water sector cybersecurity, the water sector’s approach remains fragmented and reactive. Many utilities are grappling with outdated technology that complicates efforts to integrate modern cybersecurity measures. Furthermore, the sector’s investment in cybersecurity is often overshadowed by the immediate need to comply with regulatory requirements, which tend to prioritize water quality over cybersecurity.
Currently, the EPA’s approach relies on voluntary cooperation from utilities, which has proven insufficient given the magnitude and sophistication of current cyber threats. As a result, improvements in cybersecurity have been largely voluntary and inconsistent.
The GAO’s report highlights that while the EPA has engaged in some efforts to improve water sector cybersecurity, it has not conducted a comprehensive assessment of risks or developed a risk-informed strategy. This lack of a unified approach hampers the EPA’s ability to address the sector’s most significant threats effectively.
The Need for a National Cybersecurity Strategy
The GAO recommends that the EPA take decisive steps to strengthen water sector cybersecurity. Specifically, the report calls for the development of a national cybersecurity strategy that addresses sector-wide risks. The EPA must assess whether it requires additional authority to enforce cybersecurity improvements and ensure that water systems adhere to best practices for safeguarding against cyber threats.
Although the EPA has made some strides, such as enhancing enforcement activities and collaborating with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), a more structured and proactive strategy is necessary.
The report also points out gaps in the current cybersecurity framework for water systems, including workforce skill deficiencies and the challenge of updating older technologies. The EPA’s efforts to mandate cybersecurity assessments at drinking water systems were stymied by legal challenges, demonstrating the need for a clearer and more authoritative regulatory approach.
The GAO has outlined four key recommendations for the EPA: conducting a comprehensive sector risk assessment, developing and implementing a national cybersecurity strategy, evaluating the adequacy of its legal authority, and seeking additional authority if necessary. The EPA has agreed with these recommendations and is expected to release an evaluation of its authorities and a risk assessment strategy by mid-2025.
Cybersecurity risks to water systems are not just theoretical; they present a real threat as recent attacks against these systems from nation-state actors and cybercriminals have shown.