Continued Cybersecurity Concerns May Impact Upcoming EPA Recompetes

Published: June 07, 2024


Recent cyber activity confirms increasing activity and severity of attacks on the nation’s water utilities.

Last month, the Environmental Protection Agency (EPA) warned U.S. governors that the increasing frequency and severity of cyberattacks against the nation’s water supply had reached a level where “additional action is critical.”

Because these utilities use computer software for treatment plant and distribution operations, they are vulnerable to cyberattacks that could disrupt or disable water treatment, distribution, and storage capabilities, damage infrastructure such as pumps and valves, and change system chemical amounts to dangerous levels. Recent cyber activity confirmed the increased activity and severity of attacks on the utilities.

The White House and EPA hosted discussions with the governors in mid-March to improve safeguards and implement methods to mitigate risks to the water sector infrastructure. In their invitation letter, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan described recent cyber events, stressing the potential disruption of the “critical lifeline” of clean and safe drinking water and the potentially significant cost to the affected communities.  

In November 2023, an attack by a component of the Iranian Islamic Revolutionary Guard Corps on an Israeli manufacturer breached and damaged programmable logic controllers used in a Pennsylvania utility system. In April 2024, attacks linked to the Russian Sandworm group targeted multiple Texas water systems, resulting in a utility overflow. And the Volt Typhoon cyber group sponsored by the People’s Republic of China previously compromised multiple information technology systems associated with water systems in the U.S. and its territories.

While these three incidents were not catastrophic, they revealed how vulnerable the country’s water utilities are. According to the EPA, recent inspections showed that more than 70% of the inspected systems violated basic Section 1433 security requirements. This included a lack of basic cybersecurity precautions such as using multi-factor authentication processes, changing default passwords, updating software to address known vulnerabilities, and not using single logins for staff.

On May 20, the EPA followed up with an Enforcement Alert as part of a government-wide cybersecurity effort led by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Council. The alert stated EPA’s intent to enforce the Safe Drinking Water Act (SDWA) Section 1433, including civil and criminal enforcement actions for situations that could present an imminent and substantial danger. Section 1433 requires community drinking water systems (CWSs) serving more than 3,300 people to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs), and certify completion to EPA. According to the alert, the agency had already taken more than 100 enforcement actions against CWSs for Section 1433 violations since 2020, the first deadline for systems to develop and update their RRAs and ERPs.

On May 21, the Government Accountability Office (GAO) added a new priority recommendation to the EPA’s priority list. This recommendation included improving the nation’s water quality, addressing the data and risk communication issues related to drinking water and wastewater infrastructure, and ensuring cybersecurity at EPA. While the agency had made progress by updating an internal assessment procedure, it still lacks a process for conducting the assessments, leaving the nation vulnerable, the GAO said. But these issues were not new.

Background

In 2011, the GAO recommended that EPA resume data verification audits to routinely evaluate drinking water data quality on health-based and monitoring violations reported to the agency and enforce associated corrective actions. In July 2019, the GAO recommended the agency establish a process for conducting an organization-wide cybersecurity assessment. In December 2023, the GAO listed overseeing, protecting, and investing in water and wastewater systems as one of the agency’s Top Management Challenges for 2023.

EPA's April 2024 response explained that the agency did not resume the audits due to budgetary constraints but would continue evaluating its data quality via the Compliance Monitoring Data Portal, automated data quality assurance tools, and state file reviews. The agency reported that the Safe Drinking Water Information System (SDWIS) modernization continues with plans to begin state transitions by early 2026. Furthermore, the agency said it previously attempted to impose cybersecurity mandates but withdrew efforts due to state and water trade associations' legal claims that it overstepped its authority; the U.S. Court of Federal Claims upheld the claims. Finally, EPA Information Technology and Cybersecurity Director Marisol Cruz Cain reported the agency is on track to establish the cybersecurity risk assessment process by November 22 and will establish the Water Sector Cybersecurity Task Force to identify near-term actions and strategies to address these risks. EPA also provides tools, training, resources, guidance, and technical assistance along with CISA’s Top Cyber Actions for Securing Water Systems.

Contractor Implications

The EPA FY 2025 budget requests roughly $769M to strengthen compliance with environmental laws. This includes $171.7M for the Compliance Monitoring program (a $57.3M increase over the FY 2024 enacted level) including enforcement technology improvements, inspection software, and software solutions that will improve field inspectors’ efficiency and field inspection effectiveness. The program will also increase compliance monitoring resource efficiency and expedite inspection reports to necessary organizations, communities, and the public. EPA requests approximately $260M for civil enforcement and $67.3M to develop and implement the National Enforcement and Compliance Initiatives (NECIs) to address the most serious environmental violations, including those under the SDWA. An additional $25M investment supports a grant program to advance cybersecurity infrastructure capacity and protections.

Contracts supporting EPA SDWA compliance efforts are nearing completion. Recompete procurements of these contracts may include more specific requirements to identify, address, and mitigate cybersecurity threats and attacks, including the use of Artificial Intelligence to manipulate utility systems and infrastructure. Budget investments will also trickle down to the contract level as EPA continues modernization and efforts to address the GAO recommendations. Expiring contracts and their SDWA-related requirements include those in the table below. Learn more about these contracts through Deltek's GovWin IQ solution.