EPA Warns of Rising Cyberattacks on Water Systems, Urges Immediate Action from Utilities

The Environmental Protection Agency (EPA) cautioned on Monday that cyberattacks targeting water utilities nationwide are growing in frequency and severity, prompting an enforcement alert urging these systems to take swift measures to safeguard the nation’s drinking water.

According to the agency, approximately 70% of utilities examined by federal officials over the past year failed to meet standards designed to prevent breaches or other intrusions. The EPA stressed the importance of even small water systems enhancing protections against cyber intrusions, especially in light of recent attacks by groups affiliated with Russia and Iran, which have specifically targeted smaller communities.

The alert highlighted several deficiencies in some water systems, including the failure to change default passwords or terminate system access for former employees. Given the reliance of water utilities on computer software for the operation of treatment plants and distribution systems, safeguarding information technology and process controls is paramount, the EPA emphasized. Potential impacts of cyberattacks range from disruptions to water treatment and storage to damage to pumps and valves and the alteration of chemical levels to hazardous amounts.

“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” said EPA Deputy Administrator Janet McCabe.

While past attempts by private groups or individuals to infiltrate water provider networks and disrupt or deface websites have not been uncommon, recent attacks have targeted utilities’ operations directly.

Some recent cyber intrusions into water utilities have been attributed to geopolitical adversaries and could potentially disrupt the supply of safe water to homes and businesses. McCabe identified China, Russia, and Iran as countries actively seeking to disable critical U.S. infrastructure, including water and wastewater systems.

The enforcement alert aims to underscore the severity of cyber threats and inform utilities that the EPA will continue inspections and pursue civil or criminal penalties for serious deficiencies.

Preventing attacks against water providers is part of the Biden administration’s broader effort to combat threats against critical infrastructure. The EPA, along with the White House, has urged states to develop plans to combat cyberattacks on drinking water systems, emphasizing the need for enhanced cybersecurity measures to protect the nation’s vital water resources.

In light of the fragmented nature of the water sector, with most water providers serving small towns and facing staffing and budget constraints, the EPA recognizes the challenges in implementing robust cybersecurity practices universally. Nonetheless, the agency remains committed to supporting water utilities in enhancing their cybersecurity posture, offering free training and resources to those in need.
