The Environmental Protection Agency (EPA) issued an enforcement alert warning of an increasing number of cyberattacks against water utilities in the United States. About 70% of utilities inspected by federal officials over the past year have violated standards meant to prevent breaches or intrusions. The alert urged water systems of all sizes to enhance protections against hacks, highlighting issues such as failure to change default passwords or deactivate system access for former employees. Cyberattacks on water systems can lead to disruptions in water treatment and storage, damage to critical equipment such as pumps and valves, and alteration of chemical levels to dangerous levels.
EPA Deputy Administrator Janet McCabe emphasized the importance of water utilities conducting risk assessments of their vulnerabilities, including cybersecurity measures, and ensuring that these plans inform their operations. In recent years, cyberattacks on water utilities have shifted from targeting websites to attacking operations directly. Some of these attacks are linked to geopolitical rivals of the United States, such as Russia, China, and Iran, posing a significant threat to the consistent supply of safe water to homes and businesses. The use of hacktivist groups as proxies to carry out attacks on critical infrastructure has raised concerns among cybersecurity experts.
The EPA’s enforcement alert comes as part of the Biden administration’s broader efforts to address cybersecurity threats to critical infrastructure. The White House has previously taken steps to protect U.S. ports, healthcare systems, and electric utilities from cyberattacks. In a joint letter to all 50 U.S. governors, EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan emphasized the need for states to develop plans to combat cyber threats to drinking water systems. While larger water utilities generally have more resources and expertise to defend against cyber threats, the EPA is offering free training to those in need of assistance.
Despite the urgency of the situation, implementing robust cybersecurity measures in water utilities faces significant challenges. The water sector is highly fragmented, with approximately 50,000 community water providers, most of which serve small towns. Limited staffing and budgets make it difficult for many water utilities to prioritize cybersecurity alongside their primary goal of providing clean water and complying with regulations. The EPA’s attempts to enforce cybersecurity evaluations through state reviews have faced legal challenges, highlighting the limitations under the Safe Drinking Water Act and the need for additional support and resources to improve cybersecurity in the water sector.
Kevin Morley of the American Water Works Association highlighted the vulnerability of water utilities with components connected to the internet and the substantial cost involved in overhauling these systems. The industry group advocates for the establishment of a new organization comprised of cybersecurity and water experts to develop and enforce policies in collaboration with the EPA. Differentiating between the needs and resources of small and large utilities is crucial in developing effective cybersecurity measures. Ultimately, addressing cybersecurity threats in water utilities requires a multi-faceted approach that involves federal support, industry collaboration, and a focus on enhancing the technical capacity and resources of water systems to combat cyber threats effectively.
