EPA, watchdog clash over water cyberthreats

By Hannah Northey | 11/21/2022 03:47 PM EST

A new report from the inspector general found weaknesses in the agency’s oversight of thousands of water system operators.

EPA’s inspector general released a new report regarding cybersecurity for water systems. Claudine Hellmuth/E&E News (illustration/animation); EPA (faucet); Kjpargeter/FreePik (binary code)

EPA and the agency’s inspector general are at odds over whether federal oversight is sufficient to ensure U.S. water operators are protected against hackers and other saboteurs.

EPA’s inspector general today released an audit, which found weaknesses in the agency’s oversight of thousands of water system operators, including a lack of accurate contact information, insufficient resources to get the job done, and a lack of clear and transparent communication with smaller systems that failed to comply.

The findings highlight a growing area of concern for critical infrastructure in the U.S. Last year, a hacker altered chemical levels at a water plant in Florida. In March 2019, a former worker at a Kansas water system threatened drinking water safety after using credentials that had not been revoked to remotely access a system computer, according to the EPA inspector general. And in 2018, a ransomware attack on the city of Atlanta disrupted city utilities, and workers at the city’s water system were unable to turn on their computers or gain wireless internet access.


Overall, the watchdog’s audit found that the majority of U.S. water systems are complying with existing regulations and EPA had met the requirements of the America’s Water Infrastructure Act of 2018. A part of that law — Section 2013 — requires water systems serving more than 3,300 people to assess risks from disasters and malevolent acts, and provide data — as well as action plans — to EPA. The law, however, does not authorize EPA to review systems’ cyberdefenses (Greenwire, Aug. 30).

EPA, according to the report, issued that baseline data in August 2019 and updated it in February of 2021 to account for increasing cyberthreats.

But after conducting an audit from July 2021 through June 2022, EPA’s inspector general found the agency “did not provide adequate oversight” to ensure water systems were complying with the law, and that about 19 percent of all water systems did not certify completion of risk assessments by the statutory deadline. In all, those systems serve 40 million people.

The watchdog also found that the majority of those noncompliant systems were small and likely served disadvantaged communities, and had a higher average number of violations under the Safe Drinking Water Act. In those places, the inspector general noted that natural disasters and hackers could more likely disrupt the flow of safe drinking water. The state of Arkansas had the highest rate of noncompliance.

“Although the EPA has sole responsibility for overseeing and enforcing water systems’ compliance with section 2013, the Agency had limited time and resources to fulfill this responsibility,” the inspector general wrote. “Greater oversight by the Agency could have resulted in higher water system compliance.”

The report found EPA did not have accurate contact information for noncompliant systems, showing the agency had not “established close working relationships with the water systems, which means that the EPA was not providing the level of assistance needed,” according to the report.

The inspector general also found that EPA had “limited time, personnel, and funds” to fulfill its responsibility, noting that Congress did not appropriate funds for the agency to use in meeting the act’s requirement.

But in a six-page memo attached to the inspector general’s report, Assistant Administrator Radhika Fox disagreed with a host of recommendations the watchdog made regarding ways EPA can beef up its oversight.

Fox, for example, disagreed with the inspector general’s recommendation that the agency develop and implement a plan to support community water systems to comply with the act. Citing an “absence of a supporting factual foundation,” Fox noted that EPA has developed and implemented a plan for supporting such systems that included extensive outreach and resulted in high compliance rates.

Fox also emphasized that EPA specifically focused on systems that may have needed more help, and said the watchdog’s findings about inadequate contact information “contains overstatements about the accuracy of the contact information and overlooks the extensive efforts that [the Office of Water] conducted to obtain updated contact information.”