Advertisement

EPA will step up inspections of water sector cybersecurity

A new enforcement alert said that the majority of inspected water systems do not fully comply with federal requirements.
A pipe carrying potable water is seen in a water purification plant. (Getty Images)

The Environmental Protection Agency issued an alert Monday warning the nation’s water utilities that as cybersecurity threats continue to rise the agency will also increase its security-focused inspections and enforcement activities.

The EPA said in a statement that the agency has found that more than 70% of inspected water systems do not fully comply with certain security requirements in the Safe Drinking Water Act (SDWA). Some of the water systems are missing basic cybersecurity practices, the agency said, such as not relying on default passwords and not using multi-factor authentication.

The EPA said that attacks on the water sector “have increased in frequency and severity to a point where additional action is critical.”

“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” EPA Deputy Administrator Janet McCabe said in the statement. “EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health.”

Advertisement

A series of incidents over the past year has shown just how vulnerable water systems in the United States are to malicious hackers. In April, Russian hacktivists targeted several water systems in Texas, including one incident that caused a utility in Muleshoe to experience an overflow, although services remained operational. 

While the attacks themselves were fairly pedestrian – highlighting just how easy it is for  nation-backed hackers to hack U.S. water systems – security researchers have linked the hacktivists to Sandworm, Russia’s most notorious hacking group that has repeatedly brought down Ukraine’s grid.

In November, an attack on the Israeli firm Unitronics, which manufactures industrial control equipment, resulted in programmable logic controllers used in U.S. water systems being defaced. The defacements were claimed by the Cyb3r Avengers, which officials have linked to the military intelligence arm of Iran’s Islamic Revolutionary Guard Corps.

The EPA said that many inspected utilities have failed to conduct risk and resilience assessments or develop emergency response plans, both of which are called for under the SDWA. The agency is planning on stepping up the number of inspections of community water systems, a term used for systems that provide drinking water to the same area year-round and serve more than 3,300 people.

The EPA said it has already taken more than 100 SDWA enforcement actions against those water systems since the 2020 deadline to develop risk assessments and response plans and warned that it will continue to use enforcement authorities to “address the problem quickly,” warning that  criminal sanctions are possible in response to false certifications.

Advertisement

The agency has tried to impose cybersecurity mandates on the sector before. Last year, EPA issued an update that would require utilities to follow new cyber rules but held off after legal challenges from several states and water trade associations through existing state sanitation laws. Opponents to the rule said the agency overstepped its authority.

Industry groups like the American Water Works Association have been advocating for a new body to take the role of federal regulator for the water sector modeled after the electric sector. Reps. Rick Crawford, R-Ark., and John Duarte, R-Calif., recently introduced a measure known as the Water Risk and Resilience Organization Establishment Act, which would create such a governing body with a specific focus on both cybersecurity and water systems.

The EPA and the White House recently sent a letter to governors both to warn about the cyber threats to water systems and to invite state officials to a meeting with EPA and White House officials. The letter pointed to threats like the Chinese-linked hacking group dubbed Volt Typhoon, which administration officials might seek to disrupt U.S. critical infrastructure in the event of a conflict between the United States and China.

Latest Podcasts