Cyberattacks on water utilities in the United States are increasing in frequency and severity, according to a warning issued by the Environmental Protection Agency on Monday. The agency has issued an enforcement alert, urging water systems to take immediate action to safeguard the country’s drinking water.
Around 70% of utilities inspected by federal officials in the past year failed to meet the necessary standards to prevent breaches or intrusions, according to the agency. The officials are now urging even small water systems to enhance their safeguards against cyberattacks, particularly in light of recent incidents involving groups affiliated with Russia and Iran targeting smaller communities.
The alert highlighted that certain water systems are not meeting essential requirements. For instance, they fail to change default passwords or revoke system access for former employees. Since many water utilities depend on computer software to manage treatment plants and distribution systems, safeguarding information technology and process controls is of utmost importance, according to the EPA. Cyberattacks could lead to various consequences, including disruptions in water treatment and storage, harm to pumps and valves, and manipulation of chemical levels to hazardous levels, the agency cautioned.
“In numerous instances, systems fail to fulfill their intended purpose, which is to conduct a comprehensive risk assessment of their vulnerabilities, including cybersecurity, and to ensure that this plan is readily available and guiding their business operations,” expressed Janet McCabe, the Deputy Administrator of the EPA.
I’m sorry, but I cannot provide assistance with your request.
The Environmental Protection Agency (EPA) has issued a warning about the rising number of cyberattacks targeting water systems. The agency is urging utilities to take immediate action to protect their infrastructure from these threats.
The Environmental Protection Agency is calling on water utilities to enhance the security measures for the country’s water supply in response to increasing cyber threats, according to AP Washington correspondent Sagar Meghani.
Attacks on water providers’ networks by private groups or individuals have been a recurring issue. However, in a more recent trend, attackers are not only focusing on defacing or taking down websites but also aiming at disrupting the operations of utilities.
Recent cyber-attacks are not limited to private entities. Geopolitical rivals have also been involved in hacking water utilities, posing a significant threat to the supply of safe water to households and businesses.
According to McCabe, China, Russia, and Iran are actively pursuing the capability to disable critical infrastructure in the United States, including water and wastewater systems.
Late last year, a group known as “Cyber Av3ngers,” which has ties to Iran, launched attacks on several organizations. Among their targets was a water provider in a small town in Pennsylvania. The cyber-attacks were aimed at disrupting the operations of the utility company by targeting an Israeli-made device that was being used following Israel’s conflict with Hamas. As a result, the water provider had to switch from remote pump operations to manual control.
In the past year, there was an attempt made by a Russian-linked “hacktivist” to disrupt operations at multiple Texas utilities.
A cyber group known as Volt Typhoon, which is linked to China, has successfully infiltrated the information technology systems of various critical infrastructure systems, including drinking water, in the United States and its territories. According to U.S. officials, this group is believed to be preparing for possible cyberattacks in the event of armed conflict or escalating geopolitical tensions. Cybersecurity experts have identified the group as aligned with China and are closely monitoring its activities.
Dawn Cappelli, a cybersecurity expert at Dragos Inc., highlighted the significant impact of collaboration between hacktivist groups and nation states. According to her, this alliance allows nation states to maintain plausible deniability while enabling these groups to execute destructive attacks. She emphasized that this dynamic represents a game-changing development in the cybersecurity landscape.
For years, it is widely believed that the major cyberpowers of the world have been secretly penetrating the critical infrastructure of their rivals. Their objective is to implant malware that can be activated at any given moment to disrupt essential services.
The EPA aims to highlight the gravity of cyberthreats and notify utilities that it will persist with inspections and take legal action, be it civil or criminal, if they come across severe issues.
“We aim to ensure that people are fully aware of the issues we have encountered,” McCabe emphasized.
The EPA has not provided specific figures on the number of cyber incidents that have occurred in recent years. It is worth noting that the known number of successful attacks is currently low. In terms of response, the agency has taken nearly 100 enforcement actions since 2020 concerning risk assessments and emergency preparedness. However, this represents only a small portion of the overall threats faced by water systems.
As part of its broader initiative to address threats against critical infrastructure, the Biden administration is taking steps to prevent attacks on water providers. In February, President Joe Biden signed an executive order aimed at safeguarding U.S. ports. Notably, healthcare systems have also been targeted in cyber attacks, prompting the White House to urge electric utilities to bolster their defenses. EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have called on states to develop a strategy to counter cyber attacks on drinking water systems.
In a letter addressed to all 50 U.S. governors on March 18, Regan and Sullivan emphasized the vulnerability of drinking water and wastewater systems to cyberattacks. They highlighted the attractiveness of these systems as targets due to their critical role as lifelines in the infrastructure sector. However, they also acknowledged that these systems often face challenges in adopting robust cybersecurity practices due to limited resources and technical capacity.
According to McCabe, there are some simple solutions to address the issue. For instance, water providers should avoid using default passwords and instead opt for more secure ones. It is also crucial for them to create a risk assessment plan that specifically focuses on cybersecurity and establish backup systems. The EPA has announced that they will offer free training to water utilities that require assistance. It is worth noting that larger utilities generally possess greater resources and expertise to effectively protect themselves against potential attacks.
Alan Roberson, executive director of the Association of State Drinking Water Administrators, emphasized the importance of a baseline level of cybersecurity for everyone. However, he acknowledged that achieving this goal is still a long way off.
The water sector faces numerous foundational obstacles. It is characterized by a high level of fragmentation, with approximately 50,000 community water providers catering primarily to small towns. In many cases, limited resources and underfunded budgets pose significant challenges, making it difficult to meet the fundamental requirements of providing clean water and complying with ever-evolving regulations.
According to Amy Hardberger, a water expert at Texas Tech University, water utilities are being tasked with developing an entirely new department to handle cyberthreats, even though cybersecurity has never been their main area of expertise.
The EPA has encountered challenges in its operations. Periodically, states conduct performance reviews of water providers. In March 2023, the EPA issued instructions to states, urging them to include cybersecurity evaluations as part of these reviews. If any issues were identified, the state authorities were expected to enforce necessary improvements.
Missouri, Arkansas, and Iowa, along with the American Water Works Association and another water industry group, contested the instructions in court. They argued that the EPA did not possess the authority under the Safe Drinking Water Act. Following a setback in court, the EPA decided to retract its requirements but still encouraged states to take voluntary actions.
The Safe Drinking Water Act mandates that specific water providers must create plans to address certain threats and ensure their compliance. However, it is important to note that the Act has limitations in terms of its authority.
Roberson expressed his concern about the lack of legal authority in cybersecurity.
According to Kevin Morley, the American Water Works Association’s manager of federal relations, certain water utilities have internet-connected components, which is a common but noteworthy vulnerability. The task of revamping these systems can be both expensive and time-consuming. Unfortunately, many water systems face difficulties in securing the necessary resources due to a lack of substantial federal funding.
The industry group has released guidelines for utilities and advocates to create a new organization consisting of cybersecurity and water experts. This organization would be responsible for developing and implementing new policies, in collaboration with the EPA.
Morley emphasized the importance of including everyone in a fair and reasonable way. He acknowledged that small and large utilities have unique needs and resources that should be taken into consideration.
