EPA Moves to Protect Water Systems From Cyberattacks

EPA Moves to Protect Water Systems From Cyberattacks
The City of Jackson's O.B. Curtis Water Treatment Facility's sedimentation basins in Ridgeland, Miss., Sept. 2, 2022. Rogelio V. Solis/File/AP Photo
Updated:
0:00

The Environmental Protection Agency (EPA) on Friday called on states to boost their cybersecurity practices to protect public drinking water, as attacks against critical infrastructure facilities have been increasing.

The EPA said cyberattacks on public water systems (PWSs) amount to a threat to public health.

“Cyberattacks have the potential to contaminate drinking water,” said EPA Assistant Administrator Radhika Fox.

While some PWSs have taken steps to improve their cyber posture, the EPA said a recent survey found that many have not adopted cyber best practices and are at risk of attack.

The EPA’s memo requires states to survey cyber best practices at PWSs and to include cybersecurity when they conduct periodic audits of water systems, known as “sanitary surveys.”

The EPA said it would help states and water systems with technical know-how. The announcement made no mention of new financial assistance.

A sign marks the Ashokan Reservoir in Shokan, N.Y., Dec. 19, 2007, which supplies water to New York City. (Mike Groll/File/AP Photo)
A sign marks the Ashokan Reservoir in Shokan, N.Y., Dec. 19, 2007, which supplies water to New York City. Mike Groll/File/AP Photo

Some experts questioned whether the EPA’s approach would be effective.

Mike Hamilton, former chief security officer for the city of Seattle, said performing such assessments would be hard to do at scale across water utilities, which vary greatly in size and resources across the country. Tracy Mehan, executive director of government affairs at the American Water Works Association, said the plan puts states in a tough position by saying that such reporting should start immediately.

The American Water Works Association said training for states on cybersecurity risks was still ongoing.

Anne Neuberger, deputy national security adviser for Cyber and Emerging Technologies, said Friday that the EPA’s memo for states would establish minimum cybersecurity measures for municipal water systems after the administration previously did so for pipelines and the rail sector.

“Americans deserve to have confidence in their water systems’ resilience to cyberattackers,” Neuberger said.

The EPA’s memo came a day after the White House released a wide-ranging cybersecurity plan to counter rising threats to government agencies, private industry, schools, hospitals, and other key infrastructure that is often breached. That plan also included measures to hold software companies responsible when their products fail to meet certain standards.

Previous Attacks

Officials said cyberattacks have previously “shut down critical treatment processes, locked up control system networks behind ransomware, and disabled communications used to monitor and control distribution system infrastructure like pumping stations.”

“Including cybersecurity in PWS sanitary surveys, or equivalent alternate programs, is an essential tool to address vulnerabilities and mitigate consequences, which can reduce the risk of a successful cyberattack on a PWS and improve recovery if a cyber incident occurs,” they said.

In February 2021, a hacker infiltrated a Florida water treatment facility and tried to increase the amount of sodium hydroxide to a potentially dangerous level, according to local authorities. A supervisor monitoring a plant console caught the activity and stopped the attack before harm could be done.

Data from the U.S. Cybersecurity and Infrastructure Agency (CISA) show that there have been at least five cyberattacks on U.S. public water systems between 2019 and 2021. Four of the attacks involved the use of ransomware, while the fifth case was related to a former employee who tried to unsuccessfully threaten the drinking water supply by using his user credentials to access the system remotely.

According to CISA, there are approximately 153,000 public drinking water systems in the United States that provide water to more than 80 percent of the U.S. population.

Another 16,000 publicly owned systems provide wastewater treatment services to about 75 percent of the U.S. population.

The Associated Press contributed to this report.