The Environmental Protection Agency (EPA) warned on Monday that cyberattacks against water utilities in the United States are becoming increasingly frequent and severe. The agency issued an enforcement alert, urging water systems to take immediate action to protect the nation’s drinking water.
The EPA said approximately 70 percent of utilities inspected by federal officials since September 2023 had violated standards meant to avert intrusions. Officials urged all water systems—no matter how small—to improve measures to protect against hackers. Smaller communities have been recently targeted by groups affiliated with Russia and Iran.
Some utilities have failed to take basic measures to protect their public water systems, according to the alert.
“For example, some water systems failed to change basic passwords, use single logins for all staff, or failed to curtail access by former employees,” the EPA said.
The agency emphasized the critical importance of protecting information technology and process controls within water systems, as these often rely on computer software to operate treatment plants and distribution systems. Cyberattacks have the potential to cause interruptions that impact water treatment and storage, damage pumps and valves, and alter chemical levels to hazardous amounts.
“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” the EPA’s deputy administrator, Janet McCabe, said.
Geopolitical Adversaries
The agency said recent attacks on water utilities have been linked to the nation’s geopolitical adversaries, who aim to disrupt safe water supplies to homes and businesses.
Ms. McCabe named China, Russia, and Iran as the countries that are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.”
In late 2023, an Iranian-linked group dubbed “Cyber Av3ngers” targeted multiple organizations, including a small Pennsylvania town’s water provider, forcing it to switch from a remote pump to manual operations. They were targeting an Israeli-made device used by the utility in the wake of the Hamas-Israeli war.
Earlier this year, several Texas water utilities were targeted by a Russian-linked “hacktivist.”
U.S. officials said a Chinese cyber group, Volt Typhoon, has compromised the information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories.
“By working behind the scenes with these hacktivist groups, now these (nation-states) have plausible deniability, and they can let these groups carry out destructive attacks. And that, to me, is a game-changer,” said Dawn Cappelli, a cybersecurity expert with Dragos Inc., a risk management firm.
The EPA’s enforcement alert emphasizes the seriousness of cyber threats and informs utilities that the EPA plans to continue its inspections and pursue civil or criminal penalties for serious violations.
Combatting Cyberattacks
EPA administrator Michael Regan and the White House’s national security adviser Jake Sullivan have asked states to develop a plan to combat cyberattacks on the nation’s water systems.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” they wrote on March 18 in a joint letter to all 50 U.S. governors.
Ms. McCabe said some of the fixes are straightforward, such as stopping the use of default passwords, but they also need to develop a risk assessment plan that addresses cybersecurity and creates backup systems.
Smaller utilities with fewer resources can receive free assistance and training to help them defend against hackers.
Limited Resources
There are approximately 50,000 community water providers in the United States, most of which serve small towns. Many have limited budgets and staff, making it challenging to maintain basic operations, such as distributing clean water and keeping up with regulations.
“Certainly, cybersecurity is part of that, but that’s never been their primary expertise,” said Amy Hardberger, a water expert at Texas Tech University. “So, now you’re asking a water utility to develop this whole new sort of department.”
In March 2023, the EPA instructed states to include cybersecurity evaluations in their periodic performance reviews of water utilities. If problems were discovered, the state was supposed to force improvements.
Those instructions were challenged in court by the states of Arkansas, Missouri, and Iowa, as well as by the American Water Works Association (AWWA) and another water industry group, who argued that the EPA did not have the authority under the Safe Drinking Water Act.
The EPA withdrew its requirement but urged states to take voluntary actions.
The Safe Drinking Water Act requires certain water providers to develop and certify plans against certain threats, but its power is limited.
“There’s just no authority for [cybersecurity] in the law,” Mr. Roberson said.
Kevin Morley, manager of federal relations with the AWWA, said it is common for water utilities to have components that are connected to the internet, which makes them vulnerable to cyberattacks. Overhauling those systems can be challenging and costly. Without substantial federal assistance, many would struggle to find the resources, he explained.
The group has published guidance for establishing a new organization of cybersecurity and water experts that could develop new policies and partner with the EPA to enforce them.
“Let’s bring everybody along in a reasonable manner,” Mr. Morley said, adding that small and large utilities have varying needs and resources.