The U.S. Government Accountability Office (GAO) on Tuesday identified additional priority recommendations for the Environmental Protection Agency (EPA), aimed at ensuring the agency tackles cybersecurity risks to its own systems and addresses data, cybersecurity, and risk communication issues for drinking water and wastewater infrastructure.
The updated strategy for the critical infrastructure includes a discussion of the agency’s risk tolerance and how it intends to assess, respond to, and monitor cybersecurity risks on an ongoing basis. By updating its strategy, EPA should enhance its organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect the agency’s systems and data, GAO said in its Tuesday report.
The U.S. EPA has improved the reliability of the information it needs to identify its cybersecurity and other cyber-related workforce roles of critical need, and has updated its cybersecurity risk management strategy to address key elements called for in federal guidance.
To improve cybersecurity, the GAO made a priority recommendation in July 2019 that would help EPA better manage its cybersecurity risks. It recommended that the EPA establish a process for conducting an organization-wide cybersecurity risk assessment. EPA has identified steps the agency is taking toward implementing this recommendation, such as establishing a process for updating policies. To fully address the recommendation, EPA needs to complete these steps and ensure they result in a process for conducting cybersecurity risk assessments as laid out in the GAO recommendation.
The GAO has advocated that the administrator of the EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. The EPA has updated its cybersecurity risk management strategy, which calls for the agency to develop an organization-wide perspective on cybersecurity dangers.
However, as of April 2021, the agency had not provided evidence that it had developed a process for aggregating information from system-level risk assessments, continuous monitoring, and other sources to allow the agency to assess the risk from the operation and use of its information systems from an agency-wide perspective, the GAO noted.
The administrator of EPA must address data, cybersecurity, and risk communication issues for drinking water and wastewater infrastructure, in order to improve the EPA’s ability to oversee the states’ implementation of the Safe Drinking Water Act and to provide Congress and the public with more complete and accurate information on compliance.
The EPA has, however, partially agreed with the GAO’s recommendation. One of the GAO’s recommendations identifies steps that would improve EPA’s ability to determine the success of efforts to protect infrastructure from cyber risks and where to focus limited resources for cyber risk mitigation. This calls for the EPA to develop methods for determining the level and type of cybersecurity framework adoption by entities across the water and wastewater systems sector.
The agency was conducting file reviews in at least 10 states annually to verify the reliability of data and identify opportunities for implementation improvements. Nevertheless, the extent to which EPA’s file reviews and other actions determine the completeness and accuracy of the Safe Drinking Water Information System (SDWIS) data overall is unclear.
However, additional information is needed on whether EPA uses a selection mechanism for file reviews that examines the entire population, a generalizable sample that produces reliable estimates of accuracy and completeness of the entire population, or another selection method that provides similar assurances, the GAO said in its report.
Without insight into the generalizability of the results of these file reviews, for example, it is difficult to determine the extent to which the SDWIS data are complete and accurate and the extent to which Congress and the public can rely on those data to assess compliance with the Safe Drinking Water Act. As of May 2021, the GAO is conducting additional follow-up with EPA staff on the status of these efforts.
In its previous reports, the GAO has stated that federal agencies and the nation’s critical infrastructures, such as energy, transportation systems, communications, and financial services, are dependent on IT systems and electronic data to carry out operations and to process, maintain, and report essential information.
The security of these systems and data is vital to public confidence and national security, prosperity, and well-being. As many of these systems contain vast amounts of personally identifiable information (PII) and other sensitive information, agencies must protect the confidentiality, integrity, and availability of this information. In addition, they must effectively respond to data breaches and security incidents when they occur.
The risks to the systems supporting the federal government and the nation’s critical infrastructure are increasing, including insider threats, escalating and emerging threats from around the globe, and the emergence of new and more destructive attacks.
EPA has begun to address some of the data, cybersecurity, and risk communication recommendations through actions such as conducting file reviews in some states to verify the reliability of drinking water data, GAO said. The agency also needs to work towards ensuring that it completes and implements specific steps, such as consulting with partners to develop a comprehensive understanding of the level and type of cybersecurity framework adoption, the GAO report concluded.
The GAO’s cybersecurity advice to the EPA comes at a time when the nation’s critical infrastructure, including its water systems, is falling prey to cyberattacks. The Metropolitan Water District of Southern California has reportedly been breached by hackers believed to be Chinese-backed, who exploited security vulnerabilities in Pulse Connect Secure appliances.
Apart from this, in February, unidentified attackers gained access to a panel that controls the water treatment plant in the city of Oldsmar near Tampa, Florida. A modification to a setting would have drastically increased the amount of sodium hydroxide in the water supply, which could have poisoned the city’s water.
The EPA also released in April its 2021 notice of funding availability to implement newer approaches, including cybersecurity and green infrastructure, and to boost investment in critical water infrastructure through innovative and flexible financing that can support a range of projects in both large and small communities. These lending programs fall under the agency’s Water Infrastructure Finance and Innovation Act (WIFIA) program and its state infrastructure financing authority WIFIA (SWIFIA) program.