• EPA increasing enforcement to protect drinking water systems from cyberattacks.
• Over 70% of inspected systems were found in violation of basic cybersecurity requirements.
• EPA urging systems to take immediate steps to address vulnerabilities.
• Free resources available to help systems improve cybersecurity.
• EPA may take enforcement actions against systems that fail to address risks.

May 22, 2024 –– In a statement updated Monday, the Environmental Protection Agency (EPA) warned that cybersecurity concerns are on the rise.

According to the EPA, cyberattacks targeting community water systems (CWSs) are becoming increasingly frequent and sophisticated, posing a significant threat to public health. These attacks can disrupt water treatment, distribution, and storage, potentially leading to harmful consequences for both utilities and consumers. In response to these escalating threats, the EPA is ramping up its enforcement activities to ensure the nation’s drinking water security.

Alarming Vulnerabilities Exposed.

Recent EPA inspections have revealed “alarming cybersecurity vulnerabilities” in drinking water systems nationwide. Over 70% of inspected systems were found to be in violation of basic cybersecurity requirements under the Safe Drinking Water Act (SDWA). Some common violations included failure to change default passwords, inadequate access controls, and insufficient risk assessments and emergency response plans.  The EPA states:

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency, EPA, and other federal entities have issued numerous advisories for cyberattacks against information networks and process control systems at water and wastewater systems by nation state organizations, including the Iranian Government Islamic Revolutionary Guard Corps, Russia state-sponsored actors, and the People’s Republic of China (PRC) state-sponsored cyber actors (known as Volt Typhoon, Vanguard Panda and other names). Foreign governments have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.

Urgent Action Needed.

The EPA is urging all water systems to take immediate action to address these vulnerabilities. This includes implementing basic cyber hygiene practices, conducting regular cybersecurity assessments, and developing robust incident response and recovery plans. The EPA, along with other federal agencies, is offering free resources and technical assistance to help water systems improve their cybersecurity posture.

EPA Enforcement Actions.

The EPA has already taken enforcement action against over 100 CWSs for violations of SDWA cybersecurity requirements since 2020. The agency intends to continue its enforcement efforts, using a range of tools including emergency powers and criminal sanctions if necessary, to ensure that water systems take the necessary steps to protect public health.

Available Resources.

Water utilities can find helpful information and resources on cyber risks and mitigation strategies on the EPA’s Office of Water website and the joint EPA and CISA Water and Wastewater Cybersecurity website.

Image:

Water tower at the former train station in Ely, Nevada, USA.  Public domain.

Related posts:

Utah State University researchers explore Colorado River issues Regulatory burdens: Senator fights for affordable water in Wyoming’s rural areas New Mexico makes it easier for public to comment Supreme Court rules against Navajo Nation in landmark water rights case