A new report from the US Government Accountability Office (GAO) states that the US Environmental Protection Agency (EPA) needs to address growing cyberrisks to water and wastewater systems.
The warning comes amid rising targeting of water systems, including by nation-state actors.
The Islamic Revolutionary Guard Corps (IRGC) of Iran was the target of a number of attacks on US water plants in December 2023, according to the Cybersecurity and Infrastructure Security Agency (CISA).
Additionally, the US government issued a warning in March 2024 that Volt Typhoon, a threat actor from China, has effectively harmed water and wastewater system operators, among other things.
The EPA has not conducted a detailed sector-wide risk assessment or created and used a risk-informed strategy to guide its actions, despite the GAO’s observation that federal agencies have reviewed aspects of cybersecurity risk to the water sector.
The report stated that without a risk assessment and strategy to guide its efforts, the EPA has limited assurance that those efforts will address the highest risks.
Ageing Tech in Water Systems: A Barrier to Cybersecurity
According to the GAO, a major obstacle to improving cybersecurity in the water industry is the prevalence of outdated technologies that are difficult to update with cybersecurity protections.
In addition, many systems cannot be taken offline for extended periods so that operators can update them, because water must remain available continuously for health and sanitation reasons.
Further challenges include increased automation and remote access capabilities, growing connections between operational technology and internet-enabled devices, and administrative and IT systems that are not adequately separated from operational systems by firewalls or other security measures.
According to the report, workforce skill gaps have also increased the risk of cyber-attacks on water and wastewater systems.
Industry representatives who spoke with the GAO acknowledged that the staff who run these systems might not devote much time or effort to developing their cyber-protection capabilities.
This is partially attributable to the false impression that their system is unlikely to be targeted because it serves a smaller population or is situated in a remote area.
Additionally, sector officials claimed that managers and staff in the water sector lack a focus on creating a cybersecurity culture.
The water industry, according to the GAO, prioritizes funding to meet the government’s mandates for safe, clean water before investing in voluntary cybersecurity.
How to Address Cyber-Attacks on Water Systems
The GAO issued four recommendations for the EPA to address cyberrisks to the water and wastewater industries:
- Conduct a water sector risk assessment, considering physical security and cybersecurity threats, vulnerabilities and consequences
- Develop and implement a risk-informed cybersecurity strategy, in coordination with other governmental and sector stakeholders, to guide its water sector cybersecurity programs
- Evaluate the legal frameworks in place to carry out the EPA’s cybersecurity obligations and seek any modifications that might be required from the national government and Congress.
- Submit the Vulnerability Self-Assessment Tool (VSAT) for independent peer review and revise the tool as appropriate
The EPA responded to the GAO report by fully accepting the recommendations. It plans to implement the first three recommendations by January 2025, and for the fourth, it will publish a revised VSAT, if needed, by August 2025.