EPA calls on water utilities to take immediate action to protect network security.

The US Environmental Protection Agency (EPA) warned on Monday that cyber attacks on American water utilities are becoming increasingly frequent and severe. The agency issued an enforcement alert urging water systems to take immediate action to protect the nation’s drinking water.

Since September 2023, federal officials have found that about 70% of the water companies inspected have violated intrusion prevention standards. Officials are urging all water systems, regardless of size, to enhance measures to guard against hackers. Recently, some smaller communities have become targets of organizations linked to Russia and Iran.

The alert stated that some water companies have failed to take basic measures to protect their public water systems. For example, some water systems have not changed default passwords, use a single login for all employees, or have failed to restrict access for former employees.

EPA emphasized the critical importance of safeguarding the IT and process controls within water systems, as these systems often rely on computer software to operate treatment plants and distribution systems. Cyber attacks could potentially cause disruptions, impacting water treatment and storage, damaging pumps and valves, and altering chemical concentrations to dangerous levels.

“In many cases, systems are not doing what they are supposed to do, such as completing risk assessments of their vulnerabilities, including cybersecurity, and ensuring plans are available to guide their operations,” said EPA Deputy Director Janet McCabe.

Attempts to infiltrate water utilities’ networks, or to shut down or damage their websites, are not new, but recently attackers have not only disrupted websites but also targeted utilities’ operations.

The agency stated that recent attacks on water companies are tied to America’s geopolitical adversaries, who aim to compromise the safety of the water supply to homes and businesses.

McCabe listed China, Russia, and Iran as “actively seeking to cripple critical American infrastructure, including water and wastewater treatment facilities.”

At the end of 2023, an organization linked to Iran called the “Cyber Av3ngers” attacked several suppliers, including a small town’s water supplier in Pennsylvania, forcing them to switch from remote pumps to manual operations. They targeted Israeli-made equipment used by the water utility since the Hamas-Israel conflict.

Earlier this year, several water utilities in Texas fell victim to hackers associated with Russia.

US officials stated that Chinese cyber organization Volt Typhoon has compromised information technology systems of several critical infrastructure systems in the US and its territories, including drinking water.

“By clandestinely working with these hacking groups, these countries now have plausible deniability to allow these groups to conduct destructive attacks. To me, it changes the game,” said Dawn Cappelli, a cybersecurity expert at risk management firm Dragos Inc.

EPA’s enforcement alert underscored the seriousness of cyber threats and notified water companies that EPA plans to continue inspections and pursue civil or criminal liability for severe non-compliance.

“We hope to convey the message to people: ‘Hey, we’ve found a lot of problems here,’” said McCabe.

EPA Director Michael Regan and White House National Security Adviser Jake Sullivan have asked all states to develop corresponding plans to combat cyber attacks on the national water supply system.

In a joint letter to all 50 US governors on March 18, they wrote, “Drinking water and wastewater treatment systems are an attractive target for cyber attacks because they are critical lifeline infrastructure sectors but often lack the resources and technical capabilities to take strict cyber security measures.”

McCabe noted there are some simple fixes, such as ceasing the use of default passwords, but water systems also need to create risk assessment plans to address cybersecurity issues and establish backup systems.

Resource-strapped small water companies can access free assistance and training to help them fend off hackers.

“In an ideal world, we’d like everyone to have a baseline level of cybersecurity and to be able to verify that they have achieved that level,” said Alan Roberson, Executive Director of the Association of State Drinking Water Administrators. “But there’s still a long way to go.”

There are approximately 50,000 community water suppliers in the US, most of which serve small towns. Many companies operate on limited budgets and personnel, making maintaining basic operations, such as providing clean water and complying with regulations, challenging.

“Of course, cyber security is part of that, but it’s never been their primary expertise,” said water expert Amy Hardberger from Texas Tech University. “So now you’re asking a water company to develop an entirely new department.”

In March 2023, EPA directed states to incorporate cybersecurity assessments into regular performance reviews of water companies. If issues are identified, state governments should enforce improvements.

These directives faced challenges in court from Arkansas, Missouri, and Iowa, as well as from the American Water Works Association and another water industry organization, which questioned EPA’s authority under the Safe Drinking Water Act.

EPA withdrew the requirement but urged states to take voluntary action.

The Safe Drinking Water Act requires certain water suppliers to develop and certify plans against specific threats, but its authority is limited.

“There is no authorization for (cybersecurity) in the law,” said Roberson.

Kevin Morley, Federal Relations Manager at AWWA, stated that water companies often possess components connected to networks, making them susceptible to cyber attacks. Updating these systems could be challenging and costly. He explained that without substantial federal aid, many companies would struggle to find resources.

The organization released guidelines for establishing a new body, made up of cybersecurity and water experts, to formulate new policies and collaborate with EPA in their enforcement.

“Let’s bring everyone along in a reasonable way,” said Morley, adding that small and large water utilities have different needs and resources.