EPA system for water, air and toxics data is vulnerable to threats

The Office of Inspector General found that access security controls for the agency’s Central Data Exchange System did not comply with federal requirements.
A bronze sign marking the entrance to the Environmental Protection Agency headquarters building is framed in the flowering trees on Sept. 15, 2024, in Washington, D.C. (Photo by J. David Ake/Getty Images)

The digital warehouse where companies, states, tribal groups and other regulated bodies report their data to the Environmental Protection Agency lacks adequate controls, leaving the system vulnerable to threat actors, according to a new watchdog report.

In an audit of the agency’s Central Data Exchange System (CDX), the EPA Office of Inspector General found that users could submit identity data that didn’t meet EPA and federal requirements. 

Users were able to submit noncompliant data because the CDX system doesn’t have built-in controls to stop them from entering “questionable and thus unreliable” identity data, the OIG noted.

“Without the EPA having the proper system controls in place, threat actors could create fraudulent CDX accounts that could provide unauthorized access to other EPA systems and environmental data that are used to support the EPA’s mission and strategic goals,” the report stated.

The CDX system — which contains environmental data on various air, water, hazardous waste and toxics programs throughout the country — could be an especially attractive target for threat actors. The EPA and the White House last year warned of “disabling” cyberattacks targeting water systems across the country. 

In a letter to U.S. governors, then-National Security Advisor Jake Sullivan and EPA Administrator Michael Regan wrote that those attacks had “the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

The OIG report warns specifically about the possibility of adversarial users gaining entry to CDX and entering fake data “that could undermine the credibility of the information these systems aggregate and maintain to support the EPA’s program services and strategic plan.”

“If the EPA does not mitigate its CDX data integrity issues, it cannot provide assurance that its environmental data are accurate and reliable,” the watchdog added.

The EPA’s Office of Mission Support agreed to the watchdog’s recommendation to implement a process to assess identity data in CDX that appears “questionable” and disable any accounts that cannot be verified. The office also signed off on an OIG recommendation to develop and adopt a strategy that complies with federal and agency-specific input controls for CDX.

Other issues raised by OIG in the report include the EPA’s Office of Pesticide Programs granting non-U.S. users access to a pesticide submission portal without identity verification and the agency not disabling tens of thousands of inactive CDX accounts.

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.
