GAO warns water cyber risk outruns EPA oversight
The hard part is not finding the vulnerable utility; it is governing 170,000 operators built for local autonomy.
TL;DR
Federal News Network reports that a new Government Accountability Office review finds persistent cybersecurity vulnerabilities across drinking water and wastewater systems as utilities add connected valves, pipes and control points. The affected sector spans about 170,000 owner-operators, many local or private, with uneven resources and limited federal compulsion. EPA can lead and persuade; GAO’s warning is that persuasion is a weak control for operational technology tied to public water.
Federal News Network’s interview with GAO cybersecurity director Dave Hinchman describes the water problem in the least comforting way: the sector is getting more connected at the same time its governance remains mostly local, fragmented and voluntary. Remote valves, pipes, treatment tanks and storage systems make sprawling infrastructure easier to manage. They also give attackers more electronic access points to systems that are supposed to deliver clean water, not merely protect data.
The scale is the real governance problem. Hinchman put the sector at about 170,000 water and wastewater owner-operators, spread across private, municipal, county and other local arrangements. EPA is the lead federal agency for the water sector, but GAO’s point is that most federal cybersecurity direction arrives through cooperation and persuasion, not direct control. That is a tolerable model when the issue is guidance adoption. It is a brittle model when the affected technology can change chemical treatment, valve operations or availability of service.
This is not a brand-new warning dressed up as a new category. CISA and EPA warned in December 2024 that internet-exposed human-machine interfaces can let threat actors affect water and wastewater operations and force utilities back to manual operation, and they urged facilities to harden remote access to those interfaces (https://www.cisa.gov/news-events/alerts/2024/12/13/cisa-and-epa-release-joint-fact-sheet-detailing-risks-internet-exposed-hmis-pose-wws-sector). CISA’s broader OT procurement guidance also says many operational technology products still carry weak authentication, insecure defaults, known vulnerabilities and limited logging (https://www.cisa.gov/sites/default/files/2025-01/joint-guide-secure-by-demand-priority-considerations-for-ot-owners-and-operators-508c.pdf).
For practitioners, the Monday work is familiar and unglamorous: inventory internet-exposed operational technology, tighten remote access, test manual operations, and push security requirements into OT procurement before the next device lands in a pump station. GAO’s contribution is not that water has cyber risk. It is that the sector’s operating model still assumes guidance can close gaps that adversaries can reach directly.
Published · Deep Fathom