Cyberattacks against water utilities throughout the United States are increasing in frequency and severity, according to a warning issued by the Environmental Protection Agency on Monday. In response, the agency has issued an enforcement alert, urging water systems to take immediate steps to safeguard the nation’s drinking water.
Around 70% of the utilities that were inspected by federal officials in the past year have been found to be in violation of standards aimed at preventing breaches or other intrusions, according to the agency. In light of this, officials are strongly urging even small water systems to enhance their protections against cyberattacks. It is worth noting that smaller communities have been the target of recent cyberattacks carried out by groups linked to Russia and Iran.
According to the alert, certain water systems are experiencing deficiencies in fundamental areas. This includes neglecting to modify default passwords or terminate system access for former employees. The Environmental Protection Agency (EPA) emphasized the significance of safeguarding both information technology and process controls, as water utilities heavily depend on computer software to manage treatment plants and distribution systems. The agency further highlighted potential consequences of cyberattacks, such as disruptions to water treatment and storage, harm to pumps and valves, and the manipulation of chemical concentrations to hazardous levels.
According to EPA Deputy Administrator Janet McCabe, systems often fail to do what they are supposed to do, which is to conduct a comprehensive risk assessment that includes cybersecurity. She emphasizes the importance of having a well-defined plan in place and ensuring that it informs the organization’s operations.
The Environmental Protection Agency (EPA) has issued a warning about the growing threat of cyberattacks on water systems. The agency is urging utilities to take immediate action to protect their infrastructure.
The Environmental Protection Agency is urging water utilities to enhance their protection of the nation’s water supply in response to increasing cyber threats, according to AP Washington correspondent Sagar Meghani.
In the past, there have been instances where private groups or individuals have attempted to infiltrate the networks of water providers and disrupt or vandalize their websites. However, a concerning trend has emerged as attackers have shifted their focus from targeting websites to compromising the actual operations of utilities.
Recent attacks on water utilities are not solely carried out by private entities. In fact, some of these recent hacks have been attributed to geopolitical rivals. The gravity of these attacks is heightened by the potential consequences, as they could ultimately result in the disruption of the supply of safe water to both households and businesses.
According to McCabe, China, Russia, and Iran are currently striving to acquire the ability to disrupt critical infrastructure in the United States, such as water and wastewater systems.
In late 2020, a group known as “Cyber Av3ngers,” which has ties to Iran, launched a series of attacks on various organizations. One of their targets was a water provider in a small town in Pennsylvania. As a result of the attack, the water provider was forced to switch from using a remote pump to manual operations. The attackers specifically targeted an Israeli-made device that was being used by the utility, likely in retaliation for Israel’s recent conflict with Hamas.
Earlier this year, an individual with ties to Russia attempted to disrupt the operations of multiple Texas utilities.
A cyber group, known as Volt Typhoon and believed to be associated with China, has successfully breached multiple critical infrastructure systems in the United States and its territories, including drinking water facilities. U.S. officials have confirmed that this group is actively targeting key IT networks, raising concerns about potential cyberattacks in the event of armed conflict or escalating geopolitical tensions.
Dawn Cappelli, a cybersecurity expert from Dragos Inc., emphasized the significant impact of hacktivist groups collaborating with nation states. She stated, “By working behind the scenes with these hacktivist groups, now these nation states have plausible deniability and they can let these groups carry out destructive attacks. And that to me is a game-changer.”
The world’s cyberpowers are believed to have been secretly infiltrating the critical infrastructure of their rivals for years, planting malicious software that can be activated to disrupt essential services.
The purpose of the enforcement alert is to highlight the gravity of cyberthreats and notify utilities that the EPA will persist in conducting inspections and seeking civil or criminal penalties in the event of significant issues.
McCabe emphasized the importance of spreading awareness about the issues they have encountered, stating, “It is crucial for us to communicate to individuals that we have identified numerous problems in this area.”
The EPA has not disclosed the exact number of cyber incidents that have occurred in recent years, and there have been only a few known successful attacks thus far. However, the agency has taken nearly 100 enforcement actions since 2020 in relation to risk assessments and emergency response. It is important to note that these actions provide just a glimpse into the multitude of threats that water systems are currently facing.
As part of its broader initiative to address threats against critical infrastructure, the Biden administration is taking steps to prevent attacks on water providers. In line with this effort, President Joe Biden signed an executive order in February to safeguard U.S. ports. Notably, healthcare systems have also been targeted, prompting the White House to urge electric utilities to enhance their security measures. To further strengthen the defense against cyberattacks on drinking water systems, EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have called on states to develop effective strategies.
In a letter to all 50 U.S. governors on March 18, Regan and Sullivan highlighted the vulnerability of drinking water and wastewater systems to cyberattacks. They emphasized that these systems, being a critical infrastructure sector, are often targeted due to their significance. However, the lack of resources and technical capacity makes it challenging for them to implement robust cybersecurity practices.
According to McCabe, there are some simple solutions to address these issues. For instance, water providers should avoid using default passwords and instead, establish strong ones. Additionally, they need to create a risk assessment plan that specifically focuses on cybersecurity and implement backup systems. The EPA has also pledged to provide free training to water utilities that require assistance. It is worth noting that larger utilities generally possess greater resources and expertise to effectively safeguard against such attacks.
“In an ideal world, we would want everyone to possess a fundamental level of cybersecurity and be able to attest to their proficiency,” expressed Alan Roberson, the executive director of the Association of State Drinking Water Administrators. However, he acknowledges that achieving this goal is still a distant prospect.
The water sector faces several foundational barriers. With approximately 50,000 community water providers, most of which cater to small towns, the sector is highly fragmented. Moreover, limited staffing and inadequate budgets in many areas make it challenging to uphold essential tasks such as ensuring access to clean water and staying up-to-date with the latest regulations.
Amy Hardberger, a water expert at Texas Tech University, emphasized that while water utilities are certainly concerned about cybersecurity, it is not their primary area of expertise. As a result, expecting these utilities to establish an entirely new department to handle cyberthreats is a significant challenge.
The EPA has encountered challenges in its operations. As part of their regular assessments, states conduct performance reviews of water providers. In March 2023, the EPA issued instructions to states, urging them to include cybersecurity evaluations in these reviews. In cases where issues were identified, states were expected to enforce necessary improvements.
Missouri, Arkansas, and Iowa, along with the American Water Works Association and another water industry group, contested the instructions in court. They argued that the EPA lacked the authority granted by the Safe Drinking Water Act. Following a setback in court, the EPA decided to retract its requirements. However, the agency still encouraged states to take voluntary actions in this regard.
The Safe Drinking Water Act mandates that certain water providers must create plans for specific threats and verify their implementation. However, it is important to note that the Act has limitations in terms of its authority.
According to Roberson, there is a lack of legal authority when it comes to cybersecurity.
Kevin Morley, an expert on water utilities from the American Water Works Association, points out that certain components of water systems are connected to the internet, making them vulnerable to cyber threats. Updating and securing these systems is a crucial task, but it can be both time-consuming and expensive. Unfortunately, many water systems lack the necessary resources to undertake such overhauls without substantial financial support from the federal government.
The industry group has released guidelines for utilities, and it advocates creating a new organization comprising cybersecurity and water experts. This organization would be responsible for formulating and implementing new policies in collaboration with the EPA.
Morley emphasized the importance of inclusivity and collaboration among all stakeholders, regardless of their size or resources. He highlighted the need to find a balanced approach that takes into account the unique challenges faced by both small and large utilities.