In response to a probe from the Government Accountability Office (GAO), the Environmental Protection Agency (EPA) says it plans to release a national cybersecurity strategy for the water sector in January 2025.
GAO’s Aug. 1 report highlights that the EPA has worked to improve water sector cybersecurity, but that it has failed to identify and prioritize the greatest risks sector-wide – as required by President Biden’s April 30 National Security Memorandum (NSM) on Critical Infrastructure Security and Resilience.
“EPA officials said they have assessed threats, vulnerabilities, and consequences, but have not integrated this work in a comprehensive assessment,” the government watchdog’s 70-page report says. “Without a risk assessment and strategy to guide its efforts, EPA has limited assurance its efforts address the highest risks.”
In written comments dated July 10 and reproduced in the GAO report, Benita Best-Wong, Acting Assistant Administrator for EPA’s Office of Water, said the agency will develop a water sector risk assessment and risk management plan that addresses cybersecurity in accordance with President Biden’s April 2024 NSM.
“The water sector risk assessment and risk management plan will be completed in January 2025 and refreshed biannually thereafter,” she wrote on July 10.
Best-Wong also highlighted the EPA’s work to convene a Water Sector Cybersecurity Task Force, which she said will “develop risk-informed recommendations of actions to improve the cybersecurity state of practice in the water sector.”
The GAO report notes, “Federal agencies and other entities have acted to improve water sector cybersecurity, but reported challenges such as workforce skills gaps and older technologies that are difficult to update with cybersecurity protections. Further, the sector has made limited investments in cybersecurity protections because water systems prioritize funding to meet regulatory requirements for clean and safe water, while improving cybersecurity is voluntary.”
EPA has faced challenges using its existing legal authority and voluntary approaches to manage cybersecurity risks but has not fully evaluated either approach, the GAO report notes. In March 2023, EPA interpreted existing legal requirements to include cybersecurity assessments at drinking water systems but withdrew the requirement seven months later after facing legal challenges.
Improving water sector cybersecurity has become an elevated priority within the last year, following public disclosures that state-linked actors from both China and Iran have targeted U.S. critical infrastructure, including water systems.
In April, a bill was introduced in Congress that would create a new governing body to oversee cybersecurity requirements and recommendations for drinking water and wastewater systems.