The Environmental Protection Agency has warned that cyberattacks against water utilities in the United States are becoming more frequent and severe. Approximately 70% of utilities inspected by federal officials in the last year have violated standards meant to prevent breaches or intrusions. The agency is urging water systems, including smaller communities, to improve their cybersecurity protections. Recent cyberattacks associated with Russia and Iran have targeted smaller locales. The importance of protecting information technology and process controls for water utilities is crucial as these systems operate treatment plants and distribution networks. Potential impacts of cyberattacks include water treatment interruptions, damage to equipment, and hazardous chemical levels.
Geopolitical rivals such as China, Russia, and Iran are actively seeking the capability to disable critical infrastructure in the United States, including water and wastewater systems. Recent cyberattacks by groups linked to these countries have impacted various utilities across the country. Efforts to infiltrate water providers’ networks and disrupt operations have become increasingly common. The EPA’s enforcement alert emphasizes the seriousness of these cyber threats and warns of potential civil or criminal penalties for serious cybersecurity issues. The agency will continue inspections to ensure water utilities are taking necessary actions to protect against cyberattacks.
President Joe Biden’s administration is focusing on safeguarding critical infrastructure from cyber threats, including water utilities, health care systems, and electric utilities. The absence of resources and technical capacity often hinders water utilities from adopting rigorous cybersecurity practices, making them an attractive target for cyberattacks. States have been urged to develop plans to combat cyberattacks on drinking water systems. The EPA provides free training to water utilities that require assistance in strengthening their cybersecurity measures. The association of State Drinking Water Administrators aims for a baseline level of cybersecurity for all water providers, but acknowledges that achieving this goal will take time.
Numerous challenges hinder water utilities’ ability to enhance cybersecurity measures, including fragmentation within the industry and limited resources for small town providers. The EPA’s attempt to introduce cybersecurity evaluations for water providers faced challenges in court, with states and industry groups questioning the agency’s authority under the Safe Drinking Water Act. Overhauling systems connected to the internet, a significant vulnerability for water utilities, can be a costly endeavor, and lacking substantial federal funding further complicates efforts to strengthen cybersecurity protections. The American Water Works Association advocates for the establishment of a new organization comprised of cybersecurity and water experts to develop and enforce new policies in partnership with the EPA.
Overall, the water sector faces significant obstacles in addressing cybersecurity vulnerabilities, including fragmentation, limited resources, and legal constraints. The EPA’s efforts to introduce cybersecurity evaluations for water providers have faced setbacks in the court, but the agency continues to emphasize the importance of strengthening cybersecurity measures to protect critical infrastructure. Collaborative efforts between water utilities, industry groups, and government agencies are essential in developing and implementing effective cybersecurity policies and initiatives to safeguard water systems from cyber threats. With the increasing frequency and severity of cyberattacks targeting water utilities, ongoing vigilance and proactive measures are critical to ensure the security and resilience of the nation’s drinking water supply.
