EPA urges water utilities to protect nation's drinking water amid heightened cyberattacks

Cyberattacks on water utilities across the United States have become more frequent and severe, prompting the U.S. Environmental Protection Agency (EPA) to urge community water systems to address cybersecurity vulnerabilities immediately to protect the nation’s public drinking water supplies.

On Monday, the EPA issued an enforcement alert detailing “urgent cybersecurity threats and vulnerabilities” to community drinking water systems. According to the alert, over 70% of water systems inspected by the EPA since last September violated standards in the Safe Drinking Water Act, highlighting “alarming” cybersecurity vulnerabilities.

The Safe Drinking Water Act, established to protect public health by regulating public drinking water supplies, is critical in this context. The EPA found that some water systems failed to change default passwords, did not cut off access to former employees, and used single logins for all staff, making them susceptible to compromise. Despite these being “basic cyber hygiene practices,” the EPA warned that potential cyberattacks could significantly impact water utilities and consumers.

The EPA also emphasized that small water systems should bolster protections against cybersecurity threats, noting that recent cyberattacks have affected water systems of all sizes. Notably, cyberattacks by groups affiliated with Russia and Iran have targeted utilities in Pennsylvania and Texas.

“Protecting our nation’s drinking water is a cornerstone of EPA’s mission,” said EPA Deputy Administrator Janet McCabe. “We are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks.” She added that the new enforcement alert aims to ensure communities understand the urgency and severity of these threats.

Cyberattacks can disrupt essential services, including clean and safe drinking water, the EPA warned. The new alert is part of a broader government effort led by the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The EPA stressed the importance of protecting information technology and process control systems, as water systems often rely on computer software to operate treatment plants and distribution systems.

The impacts of cyber incidents can be severe, potentially disrupting water treatment, distribution, and storage, damaging pumps and valves, and altering chemical levels to hazardous amounts.

In March, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to all 50 U.S. governors, urging states to develop plans to secure water systems against cyber threats. They followed up with a meeting where the National Security Council asked states to present their plans by late June.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” Regan and Sullivan stated in the letter.

The new EPA alert highlights the growing threat of cyberattacks on public utilities and infrastructure in the U.S., with federal authorities increasingly concerned about foreign cyberattacks. Federal agencies have warned about attacks by groups linked to the Iranian Government Islamic Revolutionary Guard Corps, Russian state-sponsored actors, and Chinese state-sponsored cyber actors.

For instance, in November, the Iranian-linked group Cyber Av3ngers hacked into water authority infrastructure in Aliquippa, Pennsylvania, taking partial control of a system regulating water pressure. Similarly, a Russian-linked hacking group caused a water system in Muleshoe, Texas, to overflow earlier this year. In both incidents, officials had to switch to manual operations.

Microsoft reported last May that the Chinese-linked group Volt Typhoon targeted critical infrastructure organizations in the U.S., including those in the water sector. The company warned that Volt Typhoon is developing capabilities to disrupt critical communications infrastructure during future crises.

Cyberattacks have also affected insurance companies and hospital systems in several states in recent years, underscoring the pervasive threat of cyber incidents.
