The Environmental Protection Agency (EPA) issued an enforcement alert on Monday, warning of the increasing frequency and severity of cyberattacks targeting water utilities across the United States. The agency highlighted that about 70% of utilities inspected in the past year had violated standards aimed at preventing breaches and intrusions.
The alert emphasized the importance of immediate action to safeguard the nation's drinking water supply. It pointed out common vulnerabilities in water systems, such as the continued use of default passwords and failure to revoke system access for former employees.
Because water utilities rely on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is crucial, according to the EPA. The potential impacts of cyberattacks on water systems include interruptions to treatment and storage processes, damage to essential equipment like pumps and valves, and the alteration of chemical levels to hazardous amounts.
EPA Deputy Administrator Janet McCabe stressed the need for utilities to conduct comprehensive risk assessments that include cybersecurity measures and to have plans in place to address vulnerabilities.
The recent cyberattacks on water utilities have been carried out not only by private entities but also by geopolitical rivals. Countries such as China, Russia, and Iran have been identified as actively seeking the capability to disrupt critical infrastructure in the U.S., including water and wastewater systems.
The EPA's enforcement alert serves to underscore the seriousness of cyber threats and the agency's commitment to inspecting utilities and imposing penalties for significant deficiencies. The Biden administration has been focusing on enhancing cybersecurity measures across critical infrastructure sectors, including water utilities.
While larger utilities may have more resources and expertise to defend against cyber threats, smaller water systems often struggle due to limited funding and technical capacity. The fragmented nature of the water sector, with approximately 50,000 community water providers, poses challenges in implementing robust cybersecurity practices.
Efforts to address cybersecurity vulnerabilities in water utilities face obstacles, including legal limitations and the need for substantial funding for system upgrades. The EPA has encouraged states to take voluntary actions to enhance cybersecurity in water systems, despite setbacks in implementing mandatory cybersecurity evaluations.
The American Water Works Association has advocated for the establishment of a new organization comprising cybersecurity and water experts to develop and enforce policies in collaboration with the EPA.