“We forget that the water cycle and the life cycle are one,” said Jacques Cousteau, the renowned oceanographer and environmental advocate. Humans, composed of approximately 60% water, depend on this vital resource for survival, with civilizations flourishing around its availability. A recent report from the United States Government Accountability Office (GAO) underscores the urgent need for a comprehensive cybersecurity strategy to protect the nation’s water and wastewater systems from growing cyber threats.
The GAO report follows a letter sent by the EPA to state governors in March emphasizing the urgent need to address cybersecurity vulnerabilities in water systems. This letter highlighted recent cyber incidents and stressed the potential consequences of such attacks, including threats to public health and safety. The EPA underscored the importance of collaboration between federal and state agencies to enhance the cybersecurity posture of water and wastewater systems.
You can get the full GAO report here. What follows is our summary.
Rising Threats and Incidents
The report identifies a growing number of cyber threats targeting the nearly 170,000 water systems in the U.S., including attacks by foreign nations, cybercriminals, and other malicious actors. Notable incidents include attacks by Chinese-sponsored hackers on multiple water systems in late 2023, demonstrating the potential for severe disruptions.
Vulnerability Factors
Water and wastewater systems are increasingly automated, relying on technologies such as Supervisory Control and Data Acquisition (SCADA) systems. While these technologies enhance operational efficiency, they also expose the systems to cyber risks. The GAO report highlights the challenges of outdated technologies, workforce skills gaps, and limited investments in cybersecurity protections, as water systems prioritize regulatory compliance and safe water provision over cybersecurity enhancements.
Federal and Non-Federal Efforts
Actions Taken
Federal agencies, including the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA), have taken actions to improve water safety and the sector’s cybersecurity. These actions include issuing cybersecurity alerts and advisories, conducting sector outreach, and providing technical assistance. The EPA developed the Vulnerability Self-Assessment Tool (VSAT) to help water systems assess risks and develop emergency response plans.
Challenges and Limitations
Despite these efforts, the GAO report indicates that the EPA has not conducted a comprehensive sector-wide risk assessment or developed a risk-informed strategy. The EPA has faced challenges with both legal and voluntary approaches to managing cybersecurity risks. A notable example is the EPA’s March 2023 interpretation of existing legal requirements to include cybersecurity assessments, which was withdrawn after legal challenges. The EPA is expected to release an evaluation of its authorities and a risk assessment in 2025.
Recommendations and Future Actions
GAO’s Recommendations
The GAO report makes four key recommendations to enhance cybersecurity in the water sector:
Conduct a Comprehensive Risk Assessment: The EPA should conduct a sector-wide risk assessment that considers physical security and cybersecurity threats, vulnerabilities, and consequences.
Develop and Implement a National Cybersecurity Strategy: The EPA should create a risk-informed cybersecurity strategy in coordination with federal and sector stakeholders. This strategy should include clear objectives, activities, performance measures, roles, responsibilities, and required resources.
Evaluate Legal Authorities: The EPA should assess its existing legal authorities for managing cybersecurity responsibilities and seek additional authority from Congress as needed.
Peer Review of VSAT: The EPA should submit the VSAT for independent peer review and make necessary revisions to ensure its effectiveness.
EPA’s Response
The EPA concurred with the GAO’s recommendations and indicated that it is taking action to address them. The agency plans to increase inspection and enforcement activities to ensure drinking water systems address cybersecurity threats.
The GAO report emphasizes the critical need for a robust and comprehensive approach to cybersecurity in the U.S. water sector. With increasing cyber threats and the potential for significant public health and environmental consequences, the EPA must prioritize developing and implementing a national cybersecurity strategy.
Bottom line: Without immediate action, our water could be dangerously compromised.