U.S. water and wastewater systems face an increasingly serious threat from cyberattacks, with potentially lasting consequences for public health and environmental safety. A report from the U.S. Government Accountability Office (GAO) has identified weaknesses in the sector's cybersecurity and calls on the Environmental Protection Agency (EPA) to develop a national cybersecurity strategy. The report highlights the need for strong cybersecurity measures in a sector that is becoming more automated and, as a result, more exposed to attack.
Growing Cybersecurity Risks in the Water Sector
The water sector, comprising nearly 170,000 water and wastewater systems across the United States, is a large piece of the nation's infrastructure. These systems deliver clean drinking water and treat wastewater safely, both of which are essential to public health and environmental protection. The sector's growing reliance on automation and interconnected technologies has exposed it to cybersecurity risks.

The GAO report outlines several recent incidents in which cyberattacks disrupted water operations. These include attacks attributed to nation-states such as Iran and China, as well as to cybercriminals and other malicious actors. Such attacks could cause serious harm: unsafe levels of bacteria or chemicals in drinking water, service disruptions, or even the compromise of other infrastructure sectors that depend on water.

One of the challenges the GAO identifies is the sector's use of outdated technologies, which are difficult to retrofit with modern cybersecurity protections. Many water systems prioritize regulatory compliance for safe water delivery over cybersecurity investment, since the latter remains largely voluntary. This prioritization has left gaps in the sector's defenses against cyber threats.
EPA’s Role
As the lead federal agency responsible for protecting the water sector from cybersecurity risks, the EPA plays the central role in efforts to reduce these threats. The EPA works with the Cybersecurity and Infrastructure Security Agency (CISA) and other federal entities to improve the sector's cyber resilience. However, the GAO report states that the EPA has not yet conducted a sector-wide risk assessment, which is needed to identify weaknesses. National Security Memorandum 22 (NSM-22) and existing law require the EPA to identify, assess, and prioritize cybersecurity risks in the water sector. While the EPA has carried out some assessments of threats, vulnerabilities, and potential consequences, these efforts have not been integrated into a strategy, and this lack of a unified approach limits the effectiveness of the EPA's actions.

The GAO report also points out that the EPA has had difficulty using its existing legal authority to manage cybersecurity risks. In March 2023, the EPA attempted to include cybersecurity assessments in its regulatory requirements for drinking water systems. The initiative was withdrawn seven months later after it ran into legal challenges.
Federal agencies, including the EPA and CISA, have been working to improve the cybersecurity of the water sector. These efforts include sharing threat information, providing technical assistance, and developing guidance for water utilities. The GAO report notes that these efforts face obstacles, among them workforce skills gaps within the water sector and the difficulty of retrofitting older technologies with modern cybersecurity protections. The voluntary nature of cybersecurity improvements in the sector also complicates federal efforts to enforce change, and the EPA's attempt to mandate cybersecurity assessments through existing legal frameworks has met resistance, further underscoring the need for a stronger approach.

The GAO has recommended that the EPA develop a national cybersecurity strategy specifically for the water sector. This strategy should include a risk assessment to guide the agency's actions and ensure that the most significant threats are addressed. The GAO also suggests that the EPA evaluate whether it has sufficient legal authority to enforce cybersecurity requirements. If the current authority is found to be insufficient, the EPA should seek additional legal authority to compel water systems to adopt necessary cybersecurity measures. Without such authority, the EPA's ability to protect the water sector from cyber threats remains limited.
Is It Time for a National Strategy?
The GAO's recommendations reaffirm the need for the EPA to develop a national cybersecurity strategy for the water sector. Such a strategy should address the current gaps in cybersecurity and anticipate future threats. By conducting a sector-wide risk assessment, the EPA can identify the most serious weaknesses and prioritize actions to reduce them. Following the risk assessment, the EPA will need to work closely with other federal agencies, state and local governments, and private sector entities to implement strong cybersecurity measures across the water sector.
The cybersecurity threats facing U.S. water and wastewater systems continue to grow more severe, and the consequences of inaction could be calamitous. The GAO's report makes a clear case for a comprehensive national cybersecurity strategy, supported by a risk assessment and, if necessary, expanded legal authority.
Photo credits: reewungjunerr, AdobeStock.com