CRITICAL INFRASTRUCTURE PROTECTION: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems
SCALE
- Recent cyber incidents highlight the vulnerability of the 170,000 water and wastewater systems in the U.S. water sector.
COMPLIANCE FOCUS
- America’s Water Infrastructure Act of 2018 (AWIA)
- Terrorism Act of 2001
- 2013 National Infrastructure Protection Plan
- National Security Memorandum on Critical Infrastructure Security and Resilience (NSM22)
- Clean Water Act
- The Safe Drinking Water Act (SDWA)
- Homeland Security Act of 2002
- The Cyber Incident Reporting for Critical Infrastructure Act of 2022
- Government Performance and Results Act of 1993
- 2023 National Cybersecurity Strategy
PERFORMANCE ASPECT
- review of cybersecurity risks and water sector incidents
- effectiveness of actions taken to improve water sector cybersecurity
Federal agencies (…) reported challenges such as workforce skills gaps and older technologies that are difficult to update with cybersecurity protections. Further, the sector has made limited investments in cybersecurity protections because water systems prioritize funding to meet regulatory requirements for clean and safe water, while improving cybersecurity is voluntary.
Federal and non-federal entities have taken actions to improve water sector cybersecurity, including issuing alerts and advisories, conducting sector outreach and coordination, carrying out research and development, and distributing guidance and best practices. To help drinking water systems conduct risk and resilience assessments and develop emergency response plans, as required, the Environmental Protection Agency (EPA) developed the Vulnerability Self-Assessment Tool (VSAT). However, EPA has not had VSAT peer reviewed to ensure the tool provides systems with sound and credible information.
The Environmental Protection Agency has not conducted a comprehensive sector-wide risk assessment or used a risk-informed strategy to guide its actions to improve the water sector’s level of cybersecurity. We previously found that using a risk-informed strategy can improve the effectiveness of agency efforts to develop critical infrastructure cybersecurity programs.
4.
Incident management
- Plan
Cybersecurity incidents in the U.S. over the past 5 years have disrupted water and wastewater system operations. However, the full extent of such incidents and their consequences is unknown because national-level cybersecurity incident reporting requirements are under development, and water and wastewater systems have not yet been required to report incidents to the federal government. In addition, according to Environmental Protection Agency officials, the national-level reporting requirements would exempt almost 80 percent of water and wastewater systems from reporting.