EPA says water utilities must do more to stop more frequent cyberattacks

Cyberattacks on water utilities across the country are becoming more frequent and more serious, the Environmental Protection Agency warned Monday as it issued an alert urging water systems to take immediate action to protect the country’s drinking water.

About 70% of utilities inspected by federal authorities in the last year violated standards intended to prevent breaches or other intrusions, the agency said. Officials urged even small water systems to improve their protection against hacks. Recent cyberattacks by groups affiliated with Russia and Iran have targeted smaller communities.

Some water systems have fundamental flaws, the alert says, including failing to change default passwords or cutting off access to the system for former employees. Because water utilities often rely on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is crucial, the EPA said . Possible impacts of cyberattacks include disruptions to water treatment and storage; damage to pumps and valves; and alteration of chemical levels to dangerous quantities, the agency said.

“In many cases, systems are not doing what they are supposed to do, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and ensuring that this plan is available and informs how they conduct their business,” the EPA said. Assistant Administrator Janet McCabe.

Attempts by private groups or individuals to access a water provider’s network and take down or deface websites are not new. However, more recently, attackers have not just gone after websites, but rather targeted utility operations.

Recent attacks are not just the work of private entities. Some recent water utility hacks are linked to geopolitical rivals and could lead to disruption of drinking water supplies to homes and businesses.

McCabe singled out China, Russia and Iran as countries that are “actively pursuing the ability to disable U.S. critical infrastructure, including water and wastewater.”

Late last year, an Iran-linked group called “Cyber Av3ngers” targeted several organizations, including the water supplier of a small Pennsylvania town, forcing it to switch from one Remote pump for manual operations. They attacked a device manufactured in Israel and used by the public service following Israel’s war against Hamas.

Earlier this year, a Russia-linked “hacktivist” attempted to disrupt the operations of several Texas utilities.

A China-linked cybergroup known as Volt Typhoon has compromised information technology in several critical infrastructure systems, including drinking water, in the United States and its territories, U.S. officials said . Cybersecurity experts say the China-aligned group is positioning itself for potential cyberattacks in the event of armed conflict or growing geopolitical tensions.

“By working behind the scenes with these hacktivist groups, these (nation states) now have plausible deniability and can let these groups carry out destructive attacks. And for me, that’s a game changer,” said Dawn Cappelli, a cybersecurity expert with industrial cybersecurity company Dragos Inc.

Global cyber powers are believed to have for years infiltrated their rivals’ critical infrastructure and planted malware that could be unleashed to disrupt basic services.

The enforcement alert is intended to highlight the seriousness of cyber threats and inform utilities that EPA will continue its inspections and pursue civil or criminal penalties if it discovers serious problems.

“We want to make sure we let people know that, ‘Hey, we’re finding a lot of problems here,'” McCabe said.

The EPA has not said how many cyber incidents have occurred in recent years, and the number of known attacks so far is small. The agency has issued nearly 100 enforcement actions since 2020 regarding risk assessments and emergency responses, but said that was a small snapshot of the threats water systems face .

Preventing attacks on water providers is part of the Biden administration’s broader efforts to combat threats to critical infrastructure. In February, President Joe Biden signed an executive order aimed at protecting U.S. ports. Health systems have been attacked. The White House has also pushed electric utilities to strengthen their defenses. EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have asked states to develop a plan to combat cyberattacks on drinking water systems.

“Drinking water and sanitation systems are an attractive target for cyberattacks because they are a vital infrastructure sector, but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” they wrote Regan and Sullivan in a March 18 letter to all 50 U.S. governors.

Some of the solutions are simple, McCabe said. Water suppliers, for example, should not use default passwords. They must develop a risk assessment plan that addresses cybersecurity and put backup systems in place. The EPA says it will provide free training to water utilities that need help. Larger utilities typically have more resources and the expertise to defend against attacks.

“In an ideal world … we would like everyone to have a basic level of cybersecurity and be able to confirm that they have it,” said Alan Roberson, executive director of the Association of State Drinking Water Administrators. “But it’s far.”

Some obstacles are fundamental. The water sector is very fragmented. There are approximately 50,000 community water suppliers, most of which serve small towns. Understaffing and anemic budgets in many places make it hard enough to maintain the basics: providing clean drinking water and complying with the latest regulations.

“Of course, cybersecurity is part of it, but it has never been their primary expertise. So now you’re asking a water utility to develop this whole new type of department” to handle cyber threats, said Amy Hardberger, a water expert at Texas Tech University.

The EPA has faced setbacks. States periodically review the performance of water suppliers. In March 2023, the EPA required states to add cybersecurity assessments to these reviews. If they encountered problems, the state was supposed to impose improvements.

But Missouri, Arkansas and Iowa, joined by the American Water Works Association and another water industry group, challenged the instructions in court on the grounds that the EPA lacked authority under the Safe Drinking Water Act. After a legal setback, the EPA withdrew its requirements but still urged states to take voluntary action.

The Safe Drinking Water Act requires certain water suppliers to develop plans for certain threats and certify that they have done so. But its power is limited.

“There is simply no (cybersecurity) authority in the law,” Roberson said.

Kevin Morley, federal relations manager with the American Water Works Association, said some water utilities have components connected to the Internet — a common but important vulnerability. Redesigning these systems can be a large and costly task. And without substantial federal funding, water systems struggle to find resources.

The industry group issued guidelines for utilities and called for the creation of a new organization of cybersecurity and water experts that would develop new policies and enforce them, in partnership with the EPA.

“Let’s get everyone involved in a reasonable way,” Morley said, adding that small and large utilities have different needs and resources.

Photo: Aliquippa Municipal Water Authority, Pennsylvania. Cyberattacks on water utilities across the country are becoming more frequent and more serious, the Environmental Protection Agency has warned. (AP Photo/Gene J Puskar, file)

The subjects
Pollution