Growing Cyber Risks Push EPA to Modernize Water Sector Security
EPA is expanding cybersecurity guidance and technical support to help water systems defend against increasingly sophisticated cyberattacks.
Increasing cyberattacks on the nation’s critical infrastructure have prompted the Environmental Protection Agency (EPA) to expand cybersecurity resources to better secure water systems.
Cyberattacks on the critical infrastructure sectors have become more frequent and severe over the past few years, and “gaps in basic cybersecurity practices” have enabled bad actors to gain access to operating systems, EPA Office of Water Emergency Response and Cybersecurity Director David Travers told GovCIO Media & Research in a recent interview.
Travers said both information and operational technology networks need to be examined to prevent threat actors from moving laterally within an organization.
“We are seeing an increased focus in accessing and manipulating the operational technology networks. [Bad actors] are seeking a tactical advantage in a geopolitical context to either thwart U.S. engagement abroad or trigger cyberattacks,” Travers said.
Expanding Resources to Strengthen Cyber Resilience
EPA released new planning materials last month to bolster water and wastewater systems’ cyber response. The updated resources provide guidance by adding new incident response templates, revised vendor security evaluation criteria and updated best practices. The initiative is part of the EPA’s broader strategy, released at the beginning on President Donald Trump’s second administration, to modernize critical infrastructure and strengthen system resilience.
To further bolster critical infrastructure resilience, the EPA’s 2026 budget request included $10 million for a new competitive water sector cybersecurity grant program that will improve water and wastewater systems’ ability to “proactively mitigate” cyberattacks.
The agency is also proactively scanning equipment at water systems for vulnerabilities that could be exploited by bad actors. An EPA spokesperson told GovCIO Media & Research that the agency has “eliminated over 400 potential vulnerabilities” by notifying utilities and providing clear guidance on mitigating risks.
“We’re looking at these vulnerabilities within water systems and providing a mitigation plan to eliminate them,” said Travers. “Our response has evolved to focus on providing direct technical assistance to water utilities.”
Developing Partnerships to Democratize Resources
Smaller water systems may lack the technical resources to design and implement cybersecurity programs and often require assistance to protect utilities, Travers explained. He added that partnerships with industry and other federal agencies provide additional resources for smaller systems to increase cybersecurity efforts.
The EPA incorporated the Cybersecurity and Infrastructure Security Agency’s Secure by Design pledge into its cybersecurity procurement evaluation checklist, which now includes specific criteria for integrators and managed service providers that oversee and deliver IT services and products.
“Given that many water and wastewater systems rely on vendors and consultants for their IT/OT environments, this evaluation process empowers them to make risk-informed decisions regarding supplier cybersecurity practices,” an EPA spokesperson said in a statement to GovCIO Media & Research.
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
Executive Order Speeds Up Post-Quantum Cryptography Timelines
A new White House executive order and OMB guidance call for faster post-quantum cryptography migration for federal agencies.
3m read -
Endpoint Visibility, Faster Patching Key to Federal Cybersecurity Amid Calls for Speed
Federal agencies face pressure to accelerate patching, improve endpoint visibility and streamline cybersecurity operations.
16m watch -
White House Centralizes Cyber Oversight of Nat Sec Systems
A new memo directs agencies on modern cybersecurity architecture, continuous oversight and standardized reporting.
3m read -
DOT Pushes Toward Passwordless Future as Zero Trust Matures
Enterprise Security Architect Austin Clark says zero-trust adoption is accelerating as users embrace faster, more secure authentication experiences.
10m watch