US water infrastructure: GAO Report Urges EPA to Address Growing Cybersecurity Risks


A new report from the US Government Accountability Office (GAO) highlights the urgent need for the US Environmental Protection Agency (EPA) to strengthen cybersecurity protections for water and wastewater systems. With cyberattacks from nation-state actors, such as Iran’s Islamic Revolutionary Guard Corps (IRGC) and China’s Volt Typhoon, increasingly targeting US water infrastructure, the report warns that outdated technology and workforce skill gaps are leaving critical systems vulnerable. Despite the growing threat, the EPA has not conducted a comprehensive risk assessment or developed a risk-informed strategy to address cybersecurity in the water sector. Key challenges include the presence of aging technology that is difficult to secure, insufficient separation between operational systems and internet-connected devices, and a lack of cybersecurity culture within the industry. The GAO made four recommendations for the EPA, including the need for a risk assessment, a cybersecurity strategy, and revisions to the EPA’s Vulnerability Self-Assessment Tool (VSAT). The EPA has agreed to implement these recommendations, with a revised VSAT potentially being published by August 2025. As cyber threats to critical infrastructure continue to rise, these measures are crucial in securing the water sector against future attacks.


US GAO Report Urges EPA to Address Rising Cyber Risks Targeting US water infrastructure

A new report from the US Government Accountability Office (GAO) states that the US Environmental Protection Agency (EPA) needs to address growing cyber risks to water and wastewater systems.

The warning comes amid rising targeting of water systems, including by nation-state actors.

A number of attacks on US water plants in December 2023 came from Iran's Islamic Revolutionary Guard Corps (IRGC), according to the Cybersecurity and Infrastructure Security Agency (CISA).

Additionally, the US government issued a warning in March 2024 that Volt Typhoon, a threat actor from China, had effectively harmed water and wastewater system operators, among others.

The GAO observed that federal agencies have reviewed aspects of cybersecurity risk to the water sector. Despite this, the EPA has not conducted a detailed sector-wide risk assessment, nor has it created and used a risk-informed strategy to guide its actions.

Without a risk assessment and strategy to guide its efforts, the report stated that EPA has limited assurance that its efforts will address the highest risks.

Ageing Tech in Water Systems: A Barrier to Cybersecurity

According to the GAO, the prevalence of outdated technologies that are challenging to update with cybersecurity protections is a big obstacle to improving cybersecurity in the water industry.

Also, many systems cannot be taken offline for extended periods so that operators can update them, because water must remain available for health and sanitation reasons.

Additional challenges include increased automation and remote access capabilities, more connections between operational technologies and internet-enabled devices, and administrative and IT systems that are not adequately separated by firewalls or other security measures.

According to the report, workforce skill gaps have also increased the risk of cyber-attacks on water and wastewater systems.

Industry representatives who spoke with the GAO acknowledged that the staff who run these systems might not devote much time or effort to developing their cyber-protection capabilities.

This is partially attributable to the false impression that their system is unlikely to be targeted because it serves a smaller population or is situated in a remote area.

Additionally, sector officials claimed that managers and staff in the water sector lack a focus on creating a cybersecurity culture.

The water industry, according to the GAO, prioritizes funding to meet the government’s mandates for healthy, clear water before investing in voluntary cybersecurity.


How to Address Cyber-Attacks on Water Systems

The GAO issued four recommendations for the EPA to address cyber risks to the water and wastewater industries:

  1. Conduct a water sector risk assessment, considering actual security and cybersecurity threats, vulnerabilities and consequences
  2. Develop and implement a risk-informed cybersecurity strategy, in coordination with other governmental and sector stakeholders, to guide its water sector cybersecurity programs
  3. Evaluate the legal frameworks in place to carry out the EPA’s cybersecurity obligations and seek any modifications that might be required from the national government and Congress
  4. Submit the Vulnerability Self-Assessment Tool (VSAT) for independent peer review and revise the tool as appropriate

The EPA responded to the GAO report by fully accepting the recommendations. It plans to implement the first three recommendations by January 2025, and for the fourth, it will publish a revised VSAT, if needed, by August 2025.


Leo Portal

Leo is an expert in the field of smart city research and an overall tech enthusiast with an emphasis on smart energy, IoT, smart homes and governance. After a master's degree in international administration at the University of Gothenburg in Sweden, and a master's in public management at Fudan University in China, he pursued research studies in the field of smart cities at the European University Institute. This led him to publish multiple articles on smart cities. Among them are “Using Smart People to Build Smarter: How Smart Cities Attract and Retain Highly Skilled Workers to Drive Innovation (Belgium, Denmark, the Netherlands, Poland)”, published in the Smart Cities and Regional Development Journal (SCRD), and “Establishing Participative Smart Cities: Theory and Practice”, also published in the SCRD Journal. He regularly audits and advises municipalities and regional governments on their smart city strategies. He is currently writing a chapter for Springer on smart mobility in French smart cities.
