The US Environmental Protection Agency (EPA) urgently needs to address rising cyber risks to water and wastewater systems, a new report by the US Government Accountability Office (GAO) has found.
The warning comes amid rising targeting of water systems, including by nation-state actors.
In December 2023, the Cybersecurity and Infrastructure Security Agency (CISA) attributed a series of attacks against water plants in the US to Iran’s Islamic Revolutionary Guard Corps (IRGC).
The US government also warned in March 2024 that the Chinese threat actor Volt Typhoon has successfully compromised operators of water and wastewater systems, among many other sectors.
While the GAO noted that federal agencies have reviewed aspects of cybersecurity risk to the water sector, the EPA has not conducted a comprehensive sector-wide risk assessment or developed and used a risk-informed strategy to guide its actions.
“Without a risk assessment and strategy to guide its efforts, EPA has limited assurance its efforts address the highest risks,” the report noted.
Aging Tech in Water Systems a Cybersecurity Barrier
A major barrier to improving cybersecurity in the water industry is the prevalence of old technologies that are difficult to update with cybersecurity protections, the GAO report noted.
Additionally, many systems cannot go offline for extended periods for operators to make updates, because public health and sanitation depend on a continuous supply of water.
Other challenges include growing connections between operational technology and internet-enabled devices, increased automation and remote access capabilities, and operational and IT systems that are not properly separated by firewalls or other protections.
Workforce skills gaps have also made water and wastewater systems more vulnerable to cyber-attacks, the report found.
Industry officials interviewed by the GAO acknowledged that staff operating these systems may not dedicate significant time or effort to increasing their systems’ capabilities to defend against cyber-attacks.
This is partly due to the mistaken belief that their system is unlikely to be targeted because it serves a small population or is located in a rural area.
Sector officials also reported that the water sector has lacked a focus on developing a cybersecurity culture among managers and staff.
The GAO added that the water industry prioritizes funding to meet regulatory requirements for clean and safe water ahead of improving cybersecurity, which is voluntary.
How to Address Cyber-Attacks on Water Systems
The GAO set out four recommendations for the EPA to address cyber risks to the water and wastewater sector:
- Conduct a water sector risk assessment, considering physical security and cybersecurity threats, vulnerabilities and consequences
- Develop and implement a risk-informed cybersecurity strategy, in coordination with other federal and sector stakeholders, to guide its water sector cybersecurity programs
- Evaluate existing legal authorities for carrying out the EPA’s cybersecurity responsibilities and seek any needed enhancements to such authorities from the federal administration and Congress
- Submit the Vulnerability Self-Assessment Tool (VSAT) for independent peer review and revise the tool as appropriate
Responding to the GAO report, the EPA said it accepted the recommendations in full. It plans to implement the first three recommendations by January 2025, and for the fourth, it will publish a revised VSAT, if necessary, by August 2025.