On Monday, the Environmental Protection Agency sounded the alarm, warning that cyberattacks targeting water utilities nationwide are escalating in frequency and severity. In an enforcement alert, the agency urged water systems to take immediate protective measures to safeguard the nation’s drinking water supply.
Alarmingly, the EPA revealed that approximately “70% of utilities inspected by federal officials over the last year violated standards meant to prevent breaches or other intrusions.” Officials emphasized the critical need for even small water systems to bolster their defenses against hacking attempts. Recent cyberattacks linked to groups affiliated with Russia and Iran have specifically targeted smaller communities.
The alert highlighted that some water systems are falling short on basic cybersecurity practices, such as “failure to change default passwords or cut off system access to former employees.” Janet McCabe, EPA Deputy Administrator, underscored the importance of securing information technology and process controls, as water utilities often rely on computer software to operate treatment plants and distribution systems. “In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” McCabe stated.
The EPA warned that potential impacts of cyberattacks could include “interruptions to water treatment and storage; damage to pumps and valves; and alteration of chemical levels to hazardous amounts.”
These recent attacks are not the work of private actors alone. McCabe named “China, Russia and Iran as the countries that are ‘actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.’” Last year, an Iranian-linked group called “Cyber Av3ngers” targeted a small Pennsylvania town’s water provider, forcing it to switch to manual operations. Earlier this year, a Russian-linked “hacktivist” attempted to disrupt operations at several Texas utilities.
Dawn Cappelli, a cybersecurity expert with Dragos Inc., expressed concern about nation-states working with hacktivist groups, stating, “By working behind the scenes with these hacktivist groups, now these [nation states] have plausible deniability and they can let these groups carry out destructive attacks. And that to me is a game-changer.”
The enforcement alert aims to emphasize the gravity of cyberthreats and inform utilities that the EPA will continue inspections and pursue civil or criminal penalties if serious problems are found. “We want to make sure that we get the word out to people that ‘Hey, we are finding a lot of problems here,’” McCabe said.
While the EPA did not disclose the number of cyber incidents in recent years, the agency has issued nearly 100 enforcement actions since 2020 regarding risk assessments and emergency response.
In response to the EPA’s warning, Alan Roberson, executive director of the Association of State Drinking Water Administrators, acknowledged, “In an ideal world … we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that, but that’s a long ways away.”