GAO Releases Report on Water Cybersecurity & Recommends EPA Develop a National Cybersecurity Strategy

On Thursday, August 1, the Government Accountability Office (GAO) released a report on cybersecurity for water and wastewater systems and recommended that EPA develop a national cybersecurity strategy. The report recognized that the water sector has worked to improve cybersecurity, but reported challenges such as workforce skills gaps and older technologies that are difficult to update with cybersecurity protections. Additionally, the sector has made limited investments in cybersecurity protections because water systems prioritize funding to meet regulatory requirements for clean and safe water, while improving cybersecurity is voluntary.

The report made four recommendations to the EPA Administrator:

  1. The EPA Administrator should, as required by law, conduct a water sector risk assessment, considering physical security and cybersecurity threats, vulnerabilities, and consequences.
  2. The EPA Administrator should develop and implement a risk-informed cybersecurity strategy, in coordination with other federal and sector stakeholders, to guide its water sector cybersecurity programs. Such a strategy should include information from a risk assessment and should identify objectives, activities, and performance measures; roles, responsibilities, and coordination; and needed resources and investments.
  3. The EPA Administrator should evaluate its existing legal authorities for carrying out EPA’s cybersecurity responsibilities and seek any needed enhancements to such authorities from the administration and Congress.
  4. The Administrator of EPA should submit the Vulnerability Self-Assessment Tool (VSAT) for independent peer review and revise the tool as appropriate.