The Environmental Protection Agency said Monday that cyberattacks on water utilities across the country are becoming more common and serious, issuing an enforcement alert urging water systems to take immediate action to protect the nation’s drinking water.
According to the EPA, over 70% of utilities inspected by federal officials in the past year violated criteria designed to prevent breaches or other intrusions. Officials advised even minor water utilities to strengthen their security measures against hacking. Recent cyberattacks by Russian and Iranian forces have targeted smaller towns.
Some water systems are falling short in simple ways, such as failing to change default passwords or to cut off former employees’ access to the system, according to the alert. Because water utilities frequently rely on computer software to operate treatment plants and distribution systems, the EPA stressed the importance of protecting information technology and process controls. Cyberattacks could disrupt water treatment and storage, damage pumps and valves, and cause chemical levels to rise to dangerous levels, according to the agency.
“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” said Janet McCabe, Deputy Administrator of the EPA.
According to AP Washington correspondent Sagar Meghani, the Environmental Protection Agency is urging water utilities to strengthen their protection of the nation’s water supply in the face of increasing cyber threats.
Attempts by private groups or individuals to gain access to a water provider’s network and remove or deface websites are not new. Recently, however, attackers have not only targeted websites but also utility operations.
Private entities are not the only ones behind recent attacks. Some recent water utility hacks have been linked to geopolitical rivalries, potentially disrupting the supply of safe water to homes and businesses.
According to McCabe, China, Russia, and Iran are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.”
Late last year, an Iranian-linked group known as “Cyber Av3ngers” targeted several organizations, including a small Pennsylvania town’s water provider, forcing it to switch from a remote pump to manual operation. They were looking for an Israeli-made device used by the utility in the aftermath of Israel’s war with Hamas.
Earlier this year, a Russian-affiliated “hacktivist” attempted to disrupt operations at several Texas utilities.
A Chinese-linked cyber group known as Volt Typhoon has compromised the information technology of multiple critical infrastructure systems in the United States and its territories, including drinking water, according to US officials. According to cybersecurity experts, the China-aligned group is preparing for potential cyberattacks in the event of armed conflict or rising geopolitical tensions.
“By working behind the scenes with these hacktivist groups, now these (nation states) have plausible deniability, and they can let these groups carry out destructive attacks. And that to me is a game-changer,” said Dawn Cappelli, a cybersecurity expert with the industrial cybersecurity firm Dragos Inc.
The world’s cyberpowers are believed to have been infiltrating rivals’ critical infrastructure for years, planting malware that could be triggered to disrupt basic services.
The enforcement alert is meant to emphasize the seriousness of cyberthreats and inform utilities that the EPA will continue its inspections and pursue civil or criminal penalties if they find serious problems.
“We want to make sure that we get the word out to people that ‘Hey, we are finding a lot of problems here,’” McCabe said.
The EPA did not say how many cyber incidents have occurred in recent years, and the number of attacks known to be successful so far is few. The agency has issued nearly 100 enforcement actions since 2020 regarding risk assessments and emergency response, but said that’s a small snapshot of the threats water systems face.
Preventing attacks against water providers is part of the Biden administration’s broader effort to combat threats against critical infrastructure. In February, President Joe Biden signed an executive order to protect U.S. ports. Health care systems have been attacked. The White House has pushed electric utilities to increase their defenses, too. EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have asked states to come up with a plan to combat cyberattacks on drinking water systems.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector, but they often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” Regan and Sullivan wrote in a March 18 letter to all 50 U.S. governors.
Some of the fixes are straightforward, McCabe said. Water providers, for example, shouldn’t use default passwords. They need to develop a risk assessment plan that addresses cybersecurity and set up backup systems. The EPA says they will train water utilities that need help for free. Larger utilities usually have more resources and the expertise to defend against attacks.
“In an ideal world, we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that,” said Alan Roberson, executive director of the Association of State Drinking Water Administrators. “But that’s a long way away.”
Some barriers are foundational. The water sector is highly fragmented. There are roughly 50,000 community water providers, most of which serve small towns. Modest staffing and anemic budgets in many places make it hard enough to maintain the basics: providing clean water and keeping up with the latest regulations.
“Certainly, cybersecurity is part of that, but that’s never been their primary expertise. So, now you’re asking a water utility to develop this whole new sort of department” to handle cyberthreats, said Amy Hardberger, a water expert at Texas Tech University.
The EPA has faced setbacks. States periodically review the performance of water providers. In March 2023, the EPA instructed states to add cybersecurity evaluations to those reviews. If they found problems, the state was supposed to enforce improvements.
But Missouri, Arkansas, and Iowa, joined by the American Water Works Association and another water industry group, challenged the instructions in court on the grounds that the EPA didn’t have the authority under the Safe Drinking Water Act. After a court setback, the EPA withdrew its requirements but urged states to take voluntary actions anyway.
The Safe Drinking Water Act requires certain water providers to develop plans for some threats and certify they’ve done so. But its power is limited.
“There’s just no authority for cybersecurity in the law,” Roberson said.
Kevin Morley, manager of federal relations with the American Water Works Association, said some water utilities have components that are connected to the internet, a common but significant vulnerability. Overhauling those systems can be a significant and costly job. Water systems struggle to find resources without substantial federal funding.
The industry group has published guidance for utilities and advocated for establishing a new organization of cybersecurity and water experts that would develop and enforce new policies in partnership with the EPA.
“Let’s bring everybody along in a reasonable manner,” Morley said, adding that small and large utilities have different needs and resources.