Federal watchdog urges EPA to develop comprehensive cyber strategy to protect water systems

Summary: The U.S. Government Accountability Office has urged the Environmental Protection Agency to develop a strategy to combat increasing cyber threats targeting the nation’s drinking and wastewater systems. The report highlights the vulnerability of water utilities to attacks from state-linked and criminal hackers using advanced malware and ransomware.

Threat Actor: State-linked and criminal hackers
Victim: Water utilities

Key Points:

  • The GAO report emphasizes the need for a sector-wide risk assessment to better prepare water utilities against cyber threats.
  • The Biden administration is prioritizing cybersecurity in the drinking and wastewater sectors due to recent high-profile hacking incidents.
  • The EPA is working on plans to enhance federal assistance and technical support for the water industry to improve cyber resilience.
  • Previous efforts to tighten cybersecurity through audits were halted due to legal challenges from states.

Dive Brief:

  • The congressional watchdog is calling on the Environmental Protection Agency to urgently develop a strategy to address the rising risk of malicious cyber activity targeting the nation’s drinking water and wastewater systems, according to a report from the U.S. Government Accountability Office released last week.
  • In recent months, the sector has been up against heightened threat activity from state-linked and criminal hackers targeting vulnerable water utilities using custom malware, ransomware and other tools designed to disable or sabotage systems, or to exfiltrate data.
  • The EPA needs to conduct a sector-wide risk assessment, the GAO said, because the water utility sector is unprepared to protect itself against these existing threats without additional government support.

Dive Insight:

The Biden administration has prioritized the drinking and wastewater treatment industries as a number of high-profile hacking incidents have raised concerns about the ability to secure the nation’s drinking water and water treatment sectors. 

The White House and EPA in March urged state officials to provide information on how well prepared water utilities were to combat heightened cyber risks. EPA officials said they are still concerned the information is not being integrated into a comprehensive strategy. 

“This ask would provide information on a state-by-state basis, but would not integrate the risks across states at the national level,” Alfredo Gomez, director, natural resources and the environment at GAO, said via email. “Our past work has emphasized integration of risk information in a comprehensive risk assessment.”

National Cyber Director Harry Coker Jr. outlined steps to address the water industry in a May speech in Washington, D.C. Coker detailed plans for the EPA to increase technical assistance for public water systems and for the Department of Agriculture to invest in programs for rural water utilities. 

Following the GAO report last week, EPA officials said they are working on plans to strengthen federal assistance to the water industry. The EPA in 2023 launched plans to get water utilities to tighten cyber resilience through audits, but that plan was rescinded after a state legal challenge.

“EPA remains committed to providing cybersecurity technical assistance to the water sector and will continue with our federal partners to seek every opportunity to lower risk for the nation’s drinking water and wastewater systems,” the agency said in a statement.

Source: https://www.cybersecuritydive.com/news/federal-watchdog-epa-cyber-strategy/723427