The water sector has struggled to stay safe for many reasons, the GAO notes in a new report. For one, utilities’ old technologies are often hard to update. Plus, utilities tend to prioritize meeting regulatory goals over improving cybersecurity because the latter is still voluntary.
Nation-state-linked actors have also targeted the sector recently. Last year, for example, Iran-associated hackers hit a water system near Pittsburgh to protest Israeli actions. And China-backed hackers have been targeting drinking water systems, seeking access they could use later to disrupt services during a time of heightened political tensions. Other threats come from insiders, like a former employee who allegedly tampered with a Kansas utility’s systems for cleaning public drinking water in 2019.
The EPA’s efforts to improve cybersecurity for the sector have at times been hamstrung by lack of sufficient legal authorities, the GAO wrote. It called for the EPA to identify what authorities it needs and to subsequently request them from Congress and the White House.
So far, the EPA has evaluated certain kinds of cyber risks, including threats, vulnerabilities and consequences. But it needs to build on this: The EPA should make these existing efforts part of a “comprehensive sector-wide risk assessment,” the GAO wrote.
It should also create a “risk-informed” strategy to guide its cybersecurity programs. Without that strategy and a comprehensive risk assessment, the EPA cannot be sure it’s prioritizing properly. The strategy should include details like goals, performance measures, roles and responsibilities, along with necessary resources and investments.
Some efforts are underway: The GAO noted that the EPA expects to release a risk assessment, strategy and evaluation of its authorities in 2025.
Plus, the EPA did create a Vulnerability Self-Assessment Tool to help drinking water systems make plans. But the EPA still needs to get that tool peer-reviewed to make sure it really does offer “sound and credible information.”