Cyberattacks against water utilities across the country are becoming more frequent and more serious, the Environmental Protection Agency warned Monday as it issued an enforcement alert urging water systems to take immediate action. to protect the country’s drinking water.
About 70% of utilities inspected by federal authorities last year violated standards intended to prevent breaches or other intrusions, the agency said. Officials have urged even small water systems to improve protections against hacks. Recent cyberattacks by groups affiliated with Russia and Iran have targeted smaller communities.
Some water systems are failing in basic aspects, the alert said, including failing to change default passwords or cutting off access to the system for former employees. Because water utilities often rely on computer software to operate treatment plants and distribution systems, securing information technology and process controls is crucial, the EPA said. Potential impacts of cyberattacks include disruptions to water treatment and storage; damage to pumps and valves; and change of chemical levels to dangerous amounts, the agency said.
“In many cases, systems are not doing what they should be doing, which is having completed a risk assessment of their vulnerabilities that includes cybersecurity and ensuring that that plan is available and informs the way they do business,” the EPA said . Assistant Administrator Janet McCabe.
Attempts by private groups or individuals to break into a water supplier’s network and take down or deface websites are not new. More recently, however, attackers have not only targeted websites but also targeted utility operations.
Recent attacks are not just perpetrated by private entities. Some recent attacks on water utilities are linked to geopolitical rivals and could lead to the disruption of drinking water supplies to homes and businesses.
McCabe appointed ChinaRussia and Iran are the countries that “actively seek the ability to disable critical US infrastructure, including water and wastewater.”
Late last year, an Iranian-linked group called “Cyber Av3ngers” targeted several organizations, including a small The Pennsylvania city’s water supplier, forcing him to switch from a remote pump to manual operations. They were chasing an Israeli-made device used by the dealership after the Israel’s war against Hamas.
Earlier this year, a Russia-linked “hacktivist” attempted to disrupt operations at several Texas utility companies.
A China-linked cyber group known as Volt Typhoon has compromised the information technology of several critical infrastructure systems, including drinking water, in the United States and its territories, U.S. officials said. Cybersecurity experts believe the China-aligned group is positioning itself for potential cyberattacks in the event of armed conflict or rising geopolitical tensions.
“By working behind the scenes with these hacktivist groups, these (nation-states) now have plausible deniability and can allow these groups to carry out destructive attacks. And that to me is a game changer,” said Dawn Cappelli, cybersecurity expert at risk management firm Dragos Inc.
The world’s cyber powers are believed to have infiltrated rivals’ critical infrastructure for years, planting malware that could be triggered to disrupt basic services.
The enforcement alert is intended to emphasize the severity of cyber threats and inform utilities that EPA will continue its inspections and impose civil or criminal penalties if they find serious problems.
“We want to make sure we convey to people that ‘Hey, we’re finding a lot of problems here,'” McCabe said.
Preventing attacks against water suppliers is part of the Biden administration’s broader effort to combat threats against critical infrastructure. In February, President Joe Biden signed an executive order to protect US ports. Health systems were attacked. The White House also pressured electricity companies to increase their defenses. EPA Administrator Michael Regan and White House national security adviser Jake Sullivan have called on states to come up with a plan to combat cyberattacks on drinking water systems.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a vital sector of critical infrastructure, but they often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” Regan and Sullivan wrote in a March 18 letter to all 50 U.S. governors. .
Some of the solutions are simple, McCabe said. Water suppliers, for example, should not use default passwords. They need to develop a risk assessment plan that addresses cybersecurity and create backup systems. The EPA says it will train water utilities that need help free of charge. Larger utilities generally have more resources and experience to defend themselves against attacks.
“In an ideal world … we would like everyone to have a basic level of cybersecurity and be able to confirm that they have it,” said Alan Roberson, executive director of the Association of State Drinking Water Administrators. “But that’s a long way off.”
Some barriers are fundamental. The water sector is highly fragmented. There are about 50,000 community water suppliers, most of which serve small towns. Modest staffing and anemic budgets in many places make it difficult enough to maintain the basics – providing clean water and keeping up with the latest regulations.
“Certainly, cybersecurity is part of that, but that was never their primary specialty. So now you’re asking a water utility to develop this whole new kind of department” to deal with cyber threats, said Amy Hardberger, a water expert at Texas Tech University.
The EPA has faced setbacks. States periodically review the performance of water suppliers. In March 2023, the EPA directed states to add cybersecurity assessments to these reviews. If they found problems, the state should force improvements.
But Missouri, Arkansas and Iowa, joined by the American Water Works Association and another water industry group, challenged the instructions in court on the grounds that the EPA lacked authority under the Safe Drinking Water Act. After a court setback, the EPA withdrew its demands but urged states to take voluntary action anyway.
The Safe Drinking Water Act requires certain water suppliers to develop plans for some threats and certify that they have done so. But its power is limited.
“There is simply no authority for (cybersecurity) in the law,” Roberson said.
Kevin Morley, federal relations manager for the American Water Works Association, said some water utilities have Internet-connected components — a common but significant vulnerability. Overhauling these systems can be significant and expensive work. And without substantial federal funding, water systems struggle to find resources.
The industry group has published guidance for utilities and advocates for the establishment of a new organization of cybersecurity and water experts that would develop new policies and enforce them, in partnership with the EPA.
“We’re going to bring everyone in reasonably,” Morley said, adding that small and large businesses have different needs and resources.