EPA ‘urgently’ needs to step up cybersecurity assistance for the water sector, GAO says

The watchdog said the agency lacks "cybersecurity-related goals, objectives, activities, and performance measures."
OAKLAND, CALIFORNIA - MARCH 20: In an aerial view, pools of water are visible at the East Bay Municipal Utility District Wastewater Treatment Plant on March 20, 2024 in Oakland, California. The Biden administration and the Environmental Protection Agency (EPA) are warning states of possible cyberattacks on water systems after recent attacks, including one by the Cyber Av3ngers, a group linked to Iran's Islamic Revolutionary Guard Corps, that targeted internet-facing programmable logic controllers at Pennsylvania's Municipal Water Authority of Aliquippa. (Photo by Justin Sullivan/Getty Images)

The Environmental Protection Agency is falling far behind on some of the basic duties that come with its role as the federal lead for helping the water and wastewater sector defend against hackers, even as state-backed intrusions increase, a new government watchdog report found.

The Government Accountability Office said in a report on the cybersecurity threats facing the sectors that the EPA “urgently” needs to develop a national strategy in order to address myriad cyber risks. The water sector itself has difficulty “developing a cybersecurity culture,” the GAO report noted, and that has seemingly led to a lack of basic cyber hygiene, which is further exacerbated by scarce resources for digital protections as the costs of maintaining the physical infrastructure increase.

The water sector has faced significant challenges in the past few years: Iranian-linked hackers defaced Israeli-made industrial equipment at a Pennsylvania water facility, Chinese state hackers dubbed Volt Typhoon burrowed into U.S. water systems with malicious intent, and a Russian nationalist hacktivist group with ties to Moscow's Main Intelligence Directorate military unit hacked into Texas water facilities. While the Biden administration has made protecting the water sector a key cybersecurity priority, the sector has pushed back heavily against regulatory mandates to improve cyber defenses.

The GAO said the EPA has yet to conduct a sector-wide risk assessment and does not use a risk-informed strategy to guide its actions as the sector's risk management agency. This means that when the agency makes decisions to help the water sector mitigate cyber risk, it is missing a "basic underpinning for managing federal programs," the GAO noted.

“EPA officials said they have assessed threats, vulnerabilities, and consequences, but have not integrated this work in a comprehensive assessment. Without a risk assessment and strategy to guide its efforts, EPA has limited assurance its efforts address the highest risks,” the GAO report stated. “A sector-wide risk assessment could help EPA identify the highest risks that its programs should address and prioritize actions to address those risks.”

EPA officials told the GAO that the agency does support risk and resilience assessments for community water systems, but the watchdog noted that those assessments only apply to water systems serving more than 3,300 people. Additionally, assessment results and reviews are anonymized before the EPA receives data, meaning the information is not “comprehensive enough” to help the agency develop a nation-level assessment.

The GAO also pointed out that the EPA has not formally identified “cybersecurity-related goals, objectives, activities, and performance measures.” For instance, EPA officials said that the agency wants 100% of systems with particular technologies like remote monitoring to have a cybersecurity program. Unfortunately, the report noted that the agency “has not identified those systems, prioritized steps for achieving a 100% goal, or identified milestones it hopes to achieve to gauge progress towards that goal.” Agency officials noted the compliance initiative that looks to have a 100% rate with risk assessment and emergency response plans, but that’s a general goal and lacks a specific cybersecurity-related focus, the report said.

Additionally, the EPA has not formally defined basic roles, responsibilities, or even how to coordinate efforts across the sector, the report said. A senior official at the Cybersecurity and Infrastructure Security Agency told the watchdog that the EPA has yet to communicate priorities or how coordination works with a sector made up of many different entities, such as municipalities and trade associations. At the same time, the report noted that a DHS Office of Inspector General report found that CISA has not "collaborated with EPA to integrate CISA's cybersecurity expertise with EPA's water expertise."

EPA officials told the watchdog that the cyber reporting law is unlikely to require more than 80 percent of water and wastewater systems to alert the government, as many are run by state, local and municipal governments, which are exempt.

Additionally, the GAO report said the EPA’s tool to help drinking water systems assess vulnerabilities and resilience to cyberattacks has never been submitted for an external peer review. The report noted that EPA’s own guidance states that scientific peer reviews help ensure decisions are based on a “sound, credible basis.” A recent update to the tool in March was also not subjected to peer review, the report noted.

“Officials did not elaborate on why the agency was not planning to have these changes peer reviewed,” the GAO wrote.

The GAO recommended that the agency assess the risk of the sector, develop and implement a national strategy, and evaluate the authorities to carry out any sector risk mitigation responsibilities. EPA concurred with all of the recommendations and said it plans to complete the risk assessment by January 2025, while a peer review of the risk tool will begin in November and the examination of legal authorities will be completed next year. Recently, the White House issued a critical infrastructure memorandum that required all agencies with sector risk management responsibilities to go over their authorizations and budget and make a case for additional resources if needed.

The EPA has had a hard time with the sector. In October 2023, the agency shelved a memo that would have required cybersecurity audits for water utilities through sanitary surveys, following pushback from states that saw the move as the administration stepping on their authority.

The agency has also had trouble with voluntary approaches to implementing cybersecurity practices, the GAO said, citing one example where developing cybersecurity performance metrics was difficult because the sector resisted providing voluntary baseline information.

EPA did not provide a response to a request for comment by the time of publication.

The GAO is not the first organization to come to the EPA with a list of improvements. A 2022 report from the Foundation for Defense of Democracies said that the EPA bore the brunt of the blame for lax cybersecurity in the sector.

Meanwhile, some cyber policy wonks and water trade associations have advocated for an industry-led regulatory model similar to the electric sector. In 2020, the Cyberspace Solarium Commission issued a report noting that the agency should be spending around $45 million for cybersecurity alone. But EPA officials reported that the agency appropriated $11.8 million in funding for fiscal year 2023 for its entire risk management responsibilities, including cybersecurity.