The Environmental Protection Agency (EPA) on Friday called on states to boost their cybersecurity practices to protect public drinking water, as attacks against critical infrastructure facilities have been increasing.
The EPA said cyberattacks on public water systems (PWSs) amount to a threat to public health.
“Cyberattacks have the potential to contaminate drinking water,” said EPA Assistant Administrator Radhika Fox.
While some PWSs have taken steps to improve their cyber posture, the EPA said a recent survey found that many have not adopted cyber best practices and are at risk of attack.
The EPA said it would help states and water systems with technical know-how. The announcement made no mention of new financial assistance.
Some experts questioned whether the EPA’s approach would be effective.
Mike Hamilton, former chief security officer for the city of Seattle, said performing such assessments would be hard to do at scale across water utilities, which vary greatly in size and resources across the country. Tracy Mehan, executive director of government affairs at the American Water Works Association, said the plan puts states in a tough position by saying that such reporting should start immediately.
The American Water Works Association said training for states on cybersecurity risks was still ongoing.
Anne Neuberger, deputy national security adviser for Cyber and Emerging Technologies, said Friday that the EPA’s memo for states would establish minimum cybersecurity measures for municipal water systems after the administration previously did so for pipelines and the rail sector.
“Americans deserve to have confidence in their water systems’ resilience to cyberattackers,” Neuberger said.
Previous Attacks
Officials said cyberattacks have previously “shut down critical treatment processes, locked up control system networks behind ransomware, and disabled communications used to monitor and control distribution system infrastructure like pumping stations.”“Including cybersecurity in PWS sanitary surveys, or equivalent alternate programs, is an essential tool to address vulnerabilities and mitigate consequences, which can reduce the risk of a successful cyberattack on a PWS and improve recovery if a cyber incident occurs,” they said.
In February 2021, a hacker infiltrated a Florida water treatment facility and tried to increase the amount of sodium hydroxide to a potentially dangerous level, according to local authorities. A supervisor monitoring a plant console caught the activity and stopped the attack before harm could be done.
According to CISA, there are approximately 153,000 public drinking water systems in the United States that provide water to more than 80 percent of the U.S. population.
Another 16,000 publicly owned systems provide wastewater treatment services to about 75 percent of the U.S. population.
