GAO adds priority recommendation for EPA, drives focus on need for continued cybersecurity measures

The U.S. Government Accountability Office (GAO) has added a ‘priority recommendation’ for the Environmental Protection Agency (EPA), taking the total number to 12. The recommendations span five areas: improving the nation’s water quality; addressing data and risk communication issues related to drinking water and wastewater infrastructure; managing climate risks; protecting the nation’s air quality; and ensuring cybersecurity at EPA.

The move builds on last year’s findings when the GAO identified 15 priority recommendations for the EPA. Since then, EPA has implemented four of those recommendations by providing information on chemical assessment products and the length of time each takes to prepare; completing a programmatic resource analysis that included metrics on the recruitment and retention of its chemical assessment workforce; collecting data that will support the evaluation of human capital goals for the chemical assessment program; and issuing an asset management framework for the national ambient air quality monitoring system.

GAO recognized that federal agencies face a growing number of threats to their information technology systems and data. “To protect against these threats, federal law and policies establish that agencies should adopt a risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing cyber risks. Implementing our priority recommendation to establish a process for conducting an agency-wide cybersecurity risk assessment would help EPA better manage its cybersecurity risks,” it added.

“In April 2023, we issued our biennial update to our High-Risk List. This list identifies government operations with greater vulnerabilities to fraud, waste, abuse, and mismanagement. It also identifies the need for transformation to address economy, efficiency, or effectiveness challenges,” Gene L. Dodaro, U.S. Comptroller General, wrote in the GAO report to Michael S. Regan, Administrator of the EPA. “One of our high-risk areas—transforming EPA’s process for assessing and controlling toxic chemicals—centers directly on EPA. Another high-risk area—limiting the federal government’s fiscal exposure by better managing climate change risks—is shared among multiple agencies, including EPA.”

Furthermore, several other government-wide high-risk areas also have direct implications for EPA and its operations. One of them, ensuring the cybersecurity of the nation, carries the single cybersecurity priority recommendation. The other areas include improving the management of IT acquisitions and operations, improving strategic human capital management, managing federal real property, and improving the government-wide personnel security clearance process.

The GAO report also states that the administrator of the EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. “EPA neither agreed nor disagreed with this recommendation. However, EPA has updated its cybersecurity risk management strategy, which calls for the agency to develop an organization-wide perspective on cybersecurity risks,” it added.

“As of April 2024, EPA stated that it was continuing to plan for an organization-wide cybersecurity risk assessment and plans to issue the assessment in late summer to early fall of 2024,” the report added. 

EPA officials added that they were updating an internal procedure to address ongoing risk assessment activities. Until the EPA establishes a process for conducting an organization-wide cybersecurity risk assessment, it risks missing opportunities to identify trends in cybersecurity risks, target systemic risks to the agency and its systems, and prioritize investments in risk mitigation activities.

Last week, the EPA disclosed that over 70 percent of the drinking water systems it has inspected since last September violate basic requirements of Section 1433 of the Safe Drinking Water Act (SDWA), including missing specific sections of the Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs). Against this backdrop, the agency published an enforcement alert warning drinking water systems to address their cybersecurity vulnerabilities. The agency is also increasing enforcement actions to ensure drinking water systems address cybersecurity threats.