The U.S. Environmental Protection Agency (EPA) issued a stern warning on May 20th, 2024, highlighting the escalating cyber threats to the nation’s drinking water systems while outlining stricter enforcement measures to protect water-related critical infrastructure.
The Environmental Protection Agency is an independent U.S. agency responsible for protecting human health and the environment. These responsibilities include making sure that Americans have clean air, land and water and overseeing the implementation of federal laws related to these matters.
The alert comes as part of a wider government initiative to strengthen national security and address vulnerabilities in critical infrastructure.
Environmental Protection Agency Concerned By Recent Inspection Results
Recent EPA inspections have revealed alarming cybersecurity gaps in a majority of water systems. More than 70% of inspected systems were found to be non-compliant with the Safe Drinking Water Act, with some exhibiting severe vulnerabilities such as unchanged default passwords and single logins.
These weaknesses leave systems susceptible to cyberattacks, which have been observed by the agency to have become increasingly more frequent and severe in recent times.
In response to the escalating threat, the EPA is ramping up its enforcement activities under the Safe Drinking Water Act. This includes increasing the number of inspections, initiating civil and criminal enforcement actions where necessary, and ensuring that water systems are adhering to the requirements of risk assessment and emergency response planning.
The EPA is also working closely with federal and state partners, including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, to fortify the nation’s water systems against cyber threats. This collaboration includes providing technical assistance, guidance, training, and resources to help water systems implement crucial security measures.
“Defending our nation’s water supply is central to our mission at the EPA,” emphasized Deputy Administrator Janet McCabe. We are leveraging all available tools, including enforcement, to shield our water from cyber threats.
The alert reflects the current government’s dedication to dealing with the urgency of cyber threats to critical infrastructure, and ensuring that water systems are adequately equipped to counteract these risks to public health.
EPA’s Key Recommendations for Water Systems
The EPA’s enforcement alert warned that cyberattacks on water systems could have devastating consequences, potentially disrupting treatment, distribution, and storage of water, damaging critical infrastructure, and even manipulating chemical levels to hazardous amounts. The alert added that small water systems are not exempt from this threat, as recent attacks by nation-state actors have targeted systems of all sizes.
The EPA, Cybersecurity and Infrastructure Security Agency (CISA), and the FBI strongly recommend that water systems implement the following cybersecurity measures:
- Reduce exposure to the public-facing internet.
- Conduct regular cybersecurity assessments.
- Immediately change default passwords.
- Conduct an inventory of operational technology (OT) and information technology (IT) assets.
- Develop and practice cybersecurity incident response and recovery plans.
- Backup OT/IT systems.
- Reduce exposure to vulnerabilities.
- Conduct cybersecurity awareness training.
The EPA and CISA are offering free assistance to water systems to help them implement these crucial changes. Utilities can contact the EPA through its Cybersecurity Technical Assistance Form or email CISA Cyber Hygiene Services at [email protected] with the subject line ‘Requesting Cyber Hygiene Services’.
The EPA’s heightened enforcement measures reflect the urgency of the threat facing the nation’s water systems. By working together with federal and state partners and implementing recommended security practices, water systems can significantly enhance their resilience and protect this critical resource from malicious threat actors.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
