Cyberattacks on water utilities nationwide are becoming more frequent and severe, the Environmental Protection Agency (EPA) warned last Monday. The agency issued an enforcement alert, urging water systems to take immediate action to safeguard the nation’s drinking water.
According to the EPA, about 70% of utilities inspected by federal officials over the past year failed to meet standards designed to prevent breaches or intrusions. The agency emphasized the need for even small water systems to enhance their cybersecurity measures.
The alert highlighted that some water systems are neglecting basic security measures, such as changing default passwords and revoking access for former employees. Given the reliance on computer software for operating treatment plants and distribution systems, the EPA stressed the importance of protecting both information technology and process controls. Potential impacts of cyberattacks include interruptions to water treatment and storage, damage to pumps and valves, and hazardous alterations to chemical levels.
EPA Deputy Administrator Janet McCabe stated, “Many systems are not fulfilling their obligation to conduct a risk assessment of their vulnerabilities, including cybersecurity, and to use that plan to guide their operations.”
Recent hacks linked to geopolitical rivals threaten the supply of safe water to homes and businesses.
McCabe identified China, Russia, and Iran as countries actively seeking to disable U.S. critical infrastructure, including water and wastewater systems.
U.S. officials reported that a Chinese cyber group, Volt Typhoon, has compromised multiple critical infrastructure systems, including drinking water, positioning itself for potential attacks amid rising geopolitical tensions.
The enforcement alert aims to highlight the gravity of cyber threats and inform utilities that the EPA will continue inspections and pursue civil or criminal penalties for significant security lapses.
Water and wastewater systems are critical infrastructure and attractive targets for cyberattacks, but often lack the resources and technical capacity for rigorous cybersecurity practices. Simple measures, such as avoiding default passwords and developing a cybersecurity risk assessment plan, are essential. The EPA offers free training to help water utilities improve their defences.
Kevin Morley, manager of federal relations with the American Water Works Association, noted that many water utilities have internet-connected components, which pose significant vulnerabilities. Overhauling these systems can be costly, and without substantial federal funding, water systems struggle to find the necessary resources. The industry group advocates establishing a new organization of cybersecurity and water experts to develop and enforce policies in collaboration with the EPA.