CISA needs better collaboration with the EPA and water sector, watchdog says

The nation’s cyber defense agency needs to do a better job of working with the Environmental Protection Agency and external partners to mitigate digital threats to critical water and wastewater services, according to a recent report from the Department of Homeland Security Office of Inspector General.

OIG’s report — released on Jan. 9 — said the Cybersecurity and Infrastructure Security Agency “had extensive products and services available to its stakeholders to manage risks and mitigate cybersecurity threats to critical water and wastewater infrastructure,” but faulted the agency for failing to consistently “leverage and integrate its cybersecurity expertise with stakeholders’ water expertise.”

U.S. water and wastewater systems are one of the 16 critical infrastructure sectors that CISA helps to defend. The watchdog’s audit noted that there are roughly 50,000 community water systems across the country and over 16,000 publicly-owned wastewater treatment systems. 

Recent cyber intrusions targeting water systems have underscored the need to enhance the sector’s resiliency through more direct agency-sector collaboration. The report highlighted several concerning cyber incidents, including a January 2021 episode in which “an unidentified hacker allegedly tried to gain unauthorized access to systems to poison a San Francisco Bay area water treatment plant.” 

Citing an increase in cyberattacks targeting public water systems, EPA issued a memo in March 2023 requiring states to include cybersecurity evaluations in their safety assessments of relevant water systems. The agency subsequently withdrew the proposal in October following a legal challenge from several states. 

As the leading risk management agency for the water sector, the EPA is responsible, in part, for coordinating with CISA to “identify vulnerabilities and help mitigate incidents.” Although OIG’s audit noted that “EPA was mostly satisfied with its collaboration with CISA,” it highlighted “instances in which CISA did not communicate well with EPA.”

The report said “inconsistent collaboration” between the agencies occurred because “CISA had not established formal mechanisms for its interactions with EPA, including a written memorandum of understanding with EPA and internal policies and procedures regarding its collaboration.”

OIG also cited “ineffective collaboration between CISA and other water sector stakeholders” — including the relevant sector coordinating council, or SCC — which the watchdog said occurred “because CISA did not have policies and procedures governing direct interaction with water sector stakeholders.”

Water sector officials raised a number of concerns in the report about their engagement with relevant agencies, including saying that “the relationship between CISA and EPA led to filtering of messages” and that CISA lacked a dedicated water sector liaison “with a clearly defined role” and experience in the water industry.

“A CISA official acknowledged that CISA did not have consistent communication with the Water SCC and said the Water SCC was supposed to report to EPA, but Water SCC officials noted a lack of clear guidance regarding their ability to elevate concerns directly to CISA versus EPA,” the report said. 

The watchdog noted that CISA has already worked to address some of these concerns, including “by recently hiring a full-time water sector liaison who has more than 20 years of water industry experience.” 

OIG’s report made three recommendations to CISA, including calling for the agency to implement a written memorandum of understanding with the EPA, to develop “comprehensive policies and procedures regarding its collaboration with EPA and other water and wastewater systems sector stakeholders” and to develop standard operating procedures to improve communication between the agency and water sector representatives. 

CISA agreed with all three of OIG’s recommendations.