Cyber

EPA system for water, air and toxics data is vulnerable to threats

The Office of Inspector General found that access security controls for the agency’s Central Data Exchange System did not comply with federal requirements.

By Matt Bracken

May 6, 2025

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

A bronze sign marking the entrance to the Environmental Protection Agency headquarters building is framed in the flowering trees on Sept. 15, 2024, in Washington, D.C. (Photo by J. David Ake/Getty Images)

The digital warehouse where companies, states, tribal groups and other regulated bodies report their data to the Environmental Protection Agency lacks adequate controls, leaving the system vulnerable to threat actors, according to a new watchdog report.

In an audit of the agency’s Central Data Exchange System (CDX), the EPA Office of Inspector General found that users could submit identity data that didn’t meet EPA and federal requirements.

Noncompliant data was able to be submitted because the CDX system doesn’t have built-in controls to stop users from entering “questionable and thus unreliable” identity data, the OIG noted.

“Without the EPA having the proper system controls in place, threat actors could create fraudulent CDX accounts that could provide unauthorized access to other EPA systems and environmental data that are used to support the EPA’s mission and strategic goals,” the report stated.

The CDX system — which contains environmental data on various air, water, hazardous waste and toxics programs throughout the country — could be an especially attractive target for threat actors. The EPA and the White House last year warned of “disabling” cyberattacks targeting water systems across the country.

In a letter to U.S. governors, then-National Security Advisor Jake Sullivan and EPA Administrator Michael Regan wrote that those attacks had “the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

The OIG report warns specifically about the possibility of adversarial users gaining entry to CDX and entering fake data “that could undermine the credibility of the information these systems aggregate and maintain to support the EPA’s program services and strategic plan.”

“If the EPA does not mitigate its CDX data integrity issues, it cannot provide assurance that its environmental data are accurate and reliable,” the watchdog added.

The EPA’s Office of Mission Support agreed to the watchdog’s recommendation to implement a process to assess identity data in CDX that appears “questionable” and disable any accounts that cannot be verified. The office also signed off on an OIG recommendation to develop and adopt a strategy that does comply with federal and agency-specific input controls for CDX.

Other issues raised by OIG in the report include the EPA’s Office of Pesticide Programs granting non-U.S. users access to a pesticide submission portal without identity verification and the agency not disabling tens of thousands of inactive CDX accounts.