The Environmental Protection Agency issued an enforcement alert urging water utilities to protect the nation’s drinking water against cyberattacks, which are becoming more frequent and severe. About 70% of utilities inspected in the last year violated standards meant to prevent breaches, and the alert urges systems to improve protections against hacks. Recent attacks by groups affiliated with Russia and Iran have targeted smaller communities, and some water systems fall short in basic ways, such as failing to change default passwords or cut off system access for former employees.

Attempts by private groups or individuals to infiltrate water provider networks have been ongoing, but recent attacks have targeted utilities’ operations instead of just websites. Geopolitical rivals like China, Russia, and Iran are actively seeking to disable U.S. critical infrastructure, including water utilities. Recent attacks have targeted multiple organizations, forcing some to switch to manual operations.

A cyber group linked to China called Volt Typhoon has compromised information technology of critical infrastructure systems, including drinking water in the U.S. Cybersecurity experts believe the group is positioning itself for potential cyberattacks in case of armed conflict or rising geopolitical tensions. The enforcement alert emphasizes the seriousness of cyberthreats and informs utilities that the EPA will continue inspections and pursue penalties for serious problems.

The Biden administration is working to combat threats against critical infrastructure, including issuing an executive order to protect U.S. ports and pushing electric utilities to increase defenses. The EPA is urging states to combat cyberattacks on drinking water systems. Some fixes suggested include using stronger passwords, developing risk assessment plans addressing cybersecurity, setting up backup systems, and receiving free training from the EPA.

The water sector is fragmented and lacks resources and technical capacity to adopt rigorous cybersecurity practices. Modest staffing and budgets make it difficult to maintain clean water, meet regulations, and address cybersecurity threats. Larger utilities usually have more resources and expertise to defend against attacks, while smaller utilities struggle to develop cybersecurity departments.

States challenged EPA instructions to include cybersecurity evaluations in water provider reviews, leading to setbacks in implementing cybersecurity measures. The Safe Drinking Water Act has limited power in enforcing cybersecurity requirements for water providers, leaving a gap in oversight and protection against cyberattacks. The American Water Works Association advocates for establishing a new organization of cybersecurity and water experts to develop and enforce policies, addressing the different needs and resources of small and large water utilities.
