Watchdog Highlights Ongoing Cybersecurity Issues at EPA


The Environmental Protection Agency (EPA) has not yet implemented a risk assessment process to mitigate cyber threats, according to a report by the Government Accountability Office (GAO) released on Tuesday. The GAO’s annual report on open priority recommendations criticized the EPA for not establishing a procedure to assess vulnerabilities within its operations.

The GAO emphasized that implementing its recommendation for an agency-wide cybersecurity risk assessment process would significantly enhance the EPA’s ability to manage cybersecurity risks. This unaddressed cyber guidance is one of 12 priority recommendations listed in the report, which also includes proposals for improving the nation’s water and air quality, mitigating climate risks, and addressing communication and data issues related to drinking water and wastewater infrastructure.

GAO recommendation

The GAO originally recommended in 2019 that the EPA develop a cybersecurity risk assessment process. Although the EPA has since updated its cybersecurity risk management strategy and taken steps to create an organization-wide perspective on cybersecurity risks, it has not yet established a comprehensive risk assessment process. The EPA indicated that it is “in the process of updating an internal procedure to address ongoing risk assessment activities” and plans to release an organization-wide cyber risk assessment by “late summer to early fall of 2024.”


Despite these assurances, the EPA has repeatedly delayed the release of the cyber risk assessment framework. In 2022, the agency informed the GAO that it had engaged with a third-party Federally Funded Research Development Corporation to develop a comprehensive cybersecurity risk assessment, which was expected to be completed by the third quarter of fiscal year 2023, pending funding. However, in 2023, the EPA stated it planned to utilize an independent security assessment from the Federal Aviation Administration to enhance its current risk assessment process.

Absence of cybersecurity risk assessment at the organization level

The absence of an organization-wide cybersecurity risk assessment is particularly concerning as the EPA has been urging U.S. water systems to strengthen their cyber standards. Earlier this month, the EPA reported that over 70% of community water systems surveyed since September 2023 did not meet its security standards. The agency announced plans to increase inspections of water systems and take civil and criminal enforcement actions in cases of significant endangerment.

The EPA’s delay in establishing a comprehensive cybersecurity risk assessment framework underscores the urgent need for the agency to prioritize cybersecurity to protect critical infrastructure and public safety.

The lack of a comprehensive cybersecurity risk assessment at the Environmental Protection Agency (EPA) is a significant oversight, especially given the critical role the agency plays in safeguarding environmental and public health. The EPA’s responsibilities include regulating and enforcing standards for clean air and water, managing hazardous waste, and responding to environmental emergencies. In today’s digital age, cyber threats pose a substantial risk to these essential functions.

The Importance of Cybersecurity in Environmental Protection

Cybersecurity is crucial for protecting the integrity and reliability of the EPA’s systems and data. A cyberattack on the EPA could disrupt environmental monitoring, data collection, and regulatory enforcement, potentially leading to severe consequences for public health and the environment. For example, compromised data could affect air and water quality reports, leading to delayed or inadequate responses to pollution incidents.


Potential Impact on Water Systems

The EPA has highlighted vulnerabilities in the nation’s water systems, with over 70% of community water systems surveyed since September 2023 failing to meet security standards. Cyberattacks on water systems can have dire consequences, including the contamination of drinking water supplies and disruptions to water distribution. Ensuring robust cybersecurity measures in these systems is essential to prevent such scenarios.

Federal and Industry Collaboration

To address these challenges, the EPA is collaborating with various federal agencies and industry partners. The agency’s engagement with a third-party Federally Funded Research Development Corporation and the Federal Aviation Administration demonstrates its commitment to leveraging external expertise to enhance its cybersecurity posture. This collaboration is crucial for developing effective risk assessment frameworks and implementing best practices across the agency.

Legislative and Policy Support

There is growing recognition of the need for strong cybersecurity measures in critical infrastructure sectors, including environmental protection. Policymakers are increasingly focusing on cybersecurity requirements for federal agencies and critical infrastructure operators. Enhanced legislative and regulatory support can provide the EPA with the necessary resources and authority to implement comprehensive cybersecurity strategies.

Public Awareness and Education

Raising public awareness about the importance of cybersecurity in environmental protection is also vital. Educating stakeholders, including local governments, businesses, and the public, about the risks and best practices for cybersecurity can help create a more resilient infrastructure. The EPA can play a pivotal role in disseminating information and providing guidance on cybersecurity measures.

Moving Forward

As the EPA works towards completing its organization-wide cybersecurity risk assessment, it must prioritize transparency and accountability. Regular updates on the progress of the assessment and the implementation of cybersecurity measures can help build public trust. Additionally, the EPA should continue to seek input from cybersecurity experts, industry stakeholders, and other federal agencies to ensure a comprehensive and effective approach.

By addressing these cybersecurity challenges, the EPA can better protect its operations, safeguard public health and the environment, and enhance the resilience of the nation’s critical infrastructure. The timely implementation of a robust cybersecurity risk assessment process is a critical step in this direction.
