There is a growing danger of cyberattacks on the US water sector, which includes some 170,000 units. An rising number of malevolent actors, including state-sponsored hackers, are focusing on these systems, which are crucial for delivering potable water and controlling wastewater. Attacks against these systems have recently come to light, highlighting their susceptibility to public health, environmental safety, and other vital infrastructure sectors' stability.

There have been several efforts to strengthen the cybersecurity defenses of water and wastewater systems by federal agencies, with a focus on the EPA and the CISA of the Department of Homeland Security. Notifications and warnings, outreach to specific industries, and the provision of technical support and recommendations for best practices are all part of these initiatives. Nonetheless, difficulties continue, mostly as a result of the sector-wide disparity in system capabilities and resources.

The fact that different water and wastewater systems aren't as cyber-ready is a big problem. There is a severe shortage of resources and knowledge among many smaller networks that serve rural areas when it comes to cybersecurity. Due to this discrepancy, these systems may be unprepared to withstand complex cyberattacks, which poses a serious threat. It is also difficult to secure and modernize the sector's antiquated infrastructure and technology with contemporary cybersecurity safeguards, which is a widespread problem.

The Environmental Protection Agency (EPA) has recognized these difficulties as the water sector's designated Sector Risk Management Agency. No risk-informed strategy or thorough sector-wide risk assessment have been developed by the agency as of yet. The Environmental Protection Agency (EPA) cannot guarantee that it is successfully tackling the most serious cybersecurity threats in the water industry in the lack of such a plan. Furthermore, the EPA has had difficulty enforcing cybersecurity upgrades through the use of its current legislative authorities, instead depending on voluntary means that cannot ensure compliance.

A lack of proper cybersecurity measures has recently been brought to light by a number of cyber events. To illustrate the point, in late 2023, numerous water systems were the subject of malicious cyberattacks that caused major disruptions by taking use of flaws in programmable logic controllers (PLCs). The security of water supplies is just one of several vital infrastructures that are at risk from these assaults, which also affect public confidence.

The GAO-24-106744 report offers a number of important suggestions to deal with these urgent matters. To start, it strongly suggests that the EPA create a complete, risk-informed policy after performing a full evaluation of cybersecurity threats throughout the whole sector. Allocating resources effectively and prioritizing actions according to risk level should be the goals of this strategy. The Environmental Protection Agency (EPA) should also assess its current legal authority and, if needed, seek new powers to mandate cybersecurity measures in the water sector.

The EPA's efforts to improve cybersecurity across the board can also benefit greatly from the involvement of contractors. Contractors may aid the government in identifying security holes, exchanging information about what works, and creating successful cybersecurity plans by working with other stakeholders. In order to construct a water industry that can endure future cyber threats, this cooperative strategy is crucial.

Finally, the GAO-24-106744 study stresses how critical it is to address water sector cybersecurity with a unified front. In order to guarantee the ongoing dependability and safety of vital water and wastewater services, the offered suggestions seek to fortify the sector's defenses. This is a rallying cry for federal government contractors to step up their cybersecurity game and help protect our nation's vital infrastructure.