The Environmental Protection Agency (EPA) has issued a stern warning about the increasing frequency and severity of cyberattacks targeting water utilities across the United States. In an enforcement alert released Monday, the EPA urged immediate action to safeguard the nation’s drinking water systems.
According to the EPA, approximately 70% of water utilities inspected in the past year have failed to meet standards designed to thwart cyberthreats. The agency stressed the importance of even small water systems enhancing their cybersecurity measures, especially in light of recent attacks from nation states like Russia and Iran, which have targeted utilities of all sizes.
Common vulnerabilities include the failure to change default passwords and not revoking system access from former employees. The reliance on computer systems for operating treatment plants and distribution networks makes protecting information technology and process controls vital. Cyberattacks can disrupt water treatment and storage, damage infrastructure, and alter chemical levels to dangerous amounts.
EPA Deputy Administrator Janet McCabe emphasized the need for water systems to conduct comprehensive risk assessments, including cybersecurity, and to ensure these plans are actively guiding their operations. She noted that many systems have not met these basic requirements.
“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” she said.
The EPA’s alert highlighted a series of recent attacks, including an incident involving the Iranian-linked group “Cyber Av3ngers,” which targeted a small Pennsylvania town’s water provider, and attempts by a Russian-linked hacktivist group to disrupt Texas utilities. Additionally, the Chinese-linked group “Volt Typhoon” has compromised the IT systems of multiple critical infrastructures, including drinking water.
EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have called on states to develop plans to combat cyberattacks on water systems. In their letter to U.S. governors, they highlighted the unique vulnerabilities of water utilities and the need for enhanced cybersecurity practices.
The EPA is also offering free training to help water utilities bolster their defenses and ensure the safe supply of drinking water to communities across the nation.
Alan Roberson, executive director of the Association of State Drinking Water Administrators, said in a statement, “In an ideal world … we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that.”