EPA Strengthens Oversight of Water Infrastructure Amid Cybersecurity Concerns
The Environmental Protection Agency (EPA) is intensifying its scrutiny of essential water infrastructure systems in response to warnings about significant cyber vulnerabilities. The agency released an enforcement alert yesterday, urging utilities to act swiftly to protect the nation’s drinking water from cyber threats. The EPA’s strategy includes ramped-up inspections and the potential for civil and criminal enforcement actions.
The alert highlights the growing frequency and severity of cyberattacks targeting community water systems nationwide. The potential consequences of these cyberattacks are severe, ranging from disrupting the treatment, distribution, and storage of water to damaging pumps and valves and dangerously altering chemical levels. The EPA’s warning underscores the urgency of addressing these threats to ensure the safety and reliability of water supplies.
The alert emphasizes that more than 70 percent of water systems inspected since September 2023 have failed to comply with mandates under the Safe Drinking Water Act (SDWA). These mandates are designed to mitigate the risk of both physical and cyberattacks. The non-compliance issues include neglect of basic cybersecurity practices, such as failing to change default passwords and failing to restrict access for former employees. Since 2020, the EPA has initiated over 100 enforcement actions against water systems for violations of these SDWA provisions.
A significant concern is the involvement of foreign governments in these cyberattacks. The enforcement alert points to instances where state-sponsored cyber groups have compromised water systems and potentially embedded capabilities to disable them in the future. For example, the alert mentions Volt Typhoon, a cyber group sponsored by the People’s Republic of China, which has infiltrated the IT environments of several critical infrastructure organizations. This information was corroborated by a Department of Homeland Security advisory issued in February.
Additionally, the alert highlights incidents linked to Russian hacktivists, notably those associated with the Sandworm group. In January, a water facility in Texas experienced an overflow caused by a cyberattack attributed to this group, although the attack did not disrupt customer service. In another instance, a water facility in Pennsylvania had to switch to manual operations following an attack by hackers linked to the Iranian Islamic Revolutionary Guard Corps.
In response to these threats, the EPA’s enforcement alert provides several recommendations for maintaining robust cybersecurity. Utilities are advised to conduct regular cybersecurity awareness training for employees, ensure proper backup of operational technology (OT) and information technology (IT) systems, and avoid making critical systems accessible via public internet connections.
This enforcement alert follows a letter sent earlier this year by EPA Administrator Michael Regan and National Security Advisor Jake Sullivan to state governors, highlighting the cyber risks to the nation’s drinking and wastewater systems. The letter led to a March meeting convened by the National Security Council, which requested that each state develop an action plan to address these vulnerabilities by late June.
The EPA’s proactive measures are a response to the escalating cyber threat landscape. With the increasing sophistication and frequency of cyberattacks, the agency is focused on ensuring that water systems are adequately protected to prevent potentially catastrophic disruptions to water supply and safety.
The Growing Threat of Cyberattacks on Water Systems
Cybersecurity threats to water infrastructure have been rising, posing significant risks to public health and safety. Cyberattacks can disrupt the operations of water treatment plants, alter the chemical composition of water supplies, and compromise the ability to provide safe drinking water. The EPA’s recent enforcement alert underscores the critical need for water utilities to enhance their cybersecurity measures to protect against these threats.
The agency’s findings reveal widespread non-compliance with cybersecurity mandates under the SDWA. Basic cybersecurity practices, such as updating default passwords and revoking access for former employees, are often overlooked. This negligence leaves water systems vulnerable to cyberattacks that can have severe consequences for public health and safety.
Foreign actors have been identified as significant threats to the cybersecurity of water systems. The EPA’s alert cites specific examples of state-sponsored cyber groups that have targeted water infrastructure. These groups have demonstrated the capability to infiltrate critical systems and potentially disrupt water supplies in the future. The involvement of such groups highlights the need for heightened vigilance and robust cybersecurity measures to protect water infrastructure.
The EPA’s recommendations for improving cybersecurity include regular training for employees to raise awareness about cyber threats, maintaining backups of OT and IT systems to ensure continuity of operations, and securing systems against unauthorized internet access. These measures are essential for mitigating the risk of cyberattacks and ensuring the resilience of water infrastructure.
Regulatory and Enforcement Actions
The EPA’s enforcement alert is part of a broader effort to strengthen the cybersecurity of water systems through regulatory and enforcement actions. The agency has taken more than 100 enforcement actions since 2020 for violations of the SDWA related to cybersecurity. These actions demonstrate the EPA’s commitment to holding utilities accountable for failing to comply with cybersecurity mandates.
The alert also highlights the importance of collaboration between federal and state authorities to address cybersecurity risks. The letter from EPA Administrator Michael Regan and National Security Advisor Jake Sullivan to state governors emphasized the need for coordinated efforts to protect water infrastructure. The subsequent meeting convened by the National Security Council underscores the urgency of developing state-level action plans to address cybersecurity vulnerabilities.
The EPA’s proactive approach aims to ensure that water utilities are taking the necessary steps to protect against cyber threats. By increasing inspections and taking enforcement actions, the agency seeks to drive compliance with cybersecurity mandates and improve the resilience of water infrastructure.
Conclusion
The EPA’s recent enforcement alert highlights the critical need for enhanced cybersecurity measures to protect the nation’s water infrastructure from cyber threats. The growing frequency and severity of cyberattacks on water systems pose significant risks to public health and safety. The agency’s findings of widespread non-compliance with cybersecurity mandates underscore the urgency of addressing these vulnerabilities.
By ramping up inspections and taking enforcement actions, the EPA is taking proactive steps to ensure that water utilities are adequately protected against cyber threats. The agency’s recommendations for improving cybersecurity practices are essential for mitigating risks and ensuring the resilience of water infrastructure. The collaboration between federal and state authorities is crucial for developing coordinated strategies to address cybersecurity vulnerabilities.
In an era where cyber threats are becoming increasingly sophisticated and frequent, the EPA’s efforts to strengthen the cybersecurity of water systems are vital for safeguarding public health and ensuring the reliable supply of safe drinking water.