EPA warns of increasing cyberattacks on water systems, urges utilities to take immediate action

Cyberattacks on water utilities across the country are becoming increasingly frequent and severe, the Environmental Protection Agency warned Monday, issuing an enforcement alert urging water systems to take immediate action to protect the nation’s drinking water.

About 70% of utilities inspected by federal authorities last year were in violation of standards meant to prevent intrusions, the agency said. Officials called for better protection against hacking, even for small water systems. Recent cyberattacks by groups linked to Russia and Iran have targeted small communities.

Some water systems are failing in fundamental ways, such as failing to change default passwords or to cut off system access for former employees, the warning said. Because water utilities often rely on computer software to operate treatment plants and distribution systems, it is critical to protect information technology and process controls, the EPA said. Possible impacts of a cyberattack include disruption of water treatment and storage, damage to pumps or valves, and alteration of chemical levels to dangerous amounts, authorities said.

This photo provided by the City of Aliquippa Water Department shows the screen of a hacked Unitronics device on Saturday, November 25, 2023 in Aliquippa, Pennsylvania. Cyberattacks against water utilities across the country are becoming more frequent and severe. The Environmental Protection Agency issued an enforcement alert on Monday, May 20, 2024, advising water systems to take immediate action to protect the nation’s drinking water from electronic threats. (Aliquippa City Water Department, via AP)

“In many cases, systems are not doing what they are supposed to do: complete risk assessments for vulnerabilities, including cybersecurity, and ensure plans are available and inform the way business is done,” said EPA Deputy Administrator Janet McCabe.

Attempts by private organizations and individuals to infiltrate water utility networks and take down or deface websites are not new. But these days, attackers aren’t just targeting websites, they’re also targeting utility operations.

Recent attacks have not been solely by civilian groups. Some recent hacks of water utilities have been linked to geopolitical rivals and could disrupt the supply of safe water to homes and businesses.

McCabe cited China, Russia, and Iran as countries that are “actively seeking the ability to disable U.S. critical infrastructure, including water and wastewater systems.”

Late last year, an Iran-linked group called “Cyber Av3ngers” targeted multiple organizations, including a water utility in a small town in Pennsylvania, forcing it to switch from remote pumping to manual operations. They were going after Israeli-made equipment used by power companies in the wake of Israel’s war against Hamas.

Earlier this year, Russian-linked “hacktivists” tried to disrupt the operations of several power companies in Texas.

A China-linked cyber group known as Volt Typhoon has compromised the information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories, U.S. officials announced. Cybersecurity experts believe that groups aligned with China are preparing for potential cyberattacks in the event of armed conflict or heightened geopolitical tensions.

“By collaborating behind the scenes with these hacktivist groups, these (states) now have legitimate deniability and are able to force these groups to carry out devastating attacks. It’s a game changer for me,” said Dawn Cappelli, a cybersecurity expert with the risk management company Dragos Inc.

The world’s cyber powers are believed to have spent years infiltrating rivals’ critical infrastructure and planting malware that could disrupt basic services.

The enforcement warning is intended to highlight the seriousness of the cyber threat and notify utilities that the EPA will continue to inspect and may impose civil or criminal penalties if significant issues are found.

“We want to make sure that people are saying, ‘We’re finding a lot of problems here,'” McCabe said.

Preventing attacks on water utilities is part of the Biden administration’s broader efforts to combat threats to critical infrastructure. In February, President Joe Biden signed an executive order to protect U.S. ports. Health care systems are under attack. The White House is also asking power companies to strengthen their defenses. EPA Administrator Michael Regan and White House National Security Adviser Jake Sullivan urged states to develop plans to counter cyberattacks on drinking water systems.

“Drinking water and wastewater systems are critical infrastructure sectors that make them attractive targets for cyberattacks,” Regan and Sullivan wrote in a March 18 letter to all 50 state governors. “However, they often lack the resources and technical capacity to implement rigorous cybersecurity practices.”

Some of the fixes are simple, McCabe said. For example, water utilities should not use default passwords. They should develop a risk assessment plan that addresses cybersecurity and set up backup systems. The EPA says it will provide free training to water utilities that need assistance. Larger utilities typically have more resources and expertise to defend against attacks.

“In an ideal world, we’d like to have a base level of cybersecurity and be able to make sure that everyone has it,” said Alan Roberson, executive director of the Association of State Drinking Water Officials. “But we’re a long way from that.”

Some of the barriers are fundamental. The water sector is highly fragmented. There are approximately 50,000 community water utilities, most of which serve small towns. Modest staffing and meager budgets in many locations make it extremely difficult to maintain the basics of providing clean water and keeping up with the latest regulations.

“Certainly cybersecurity is part of it, but it hasn’t been their primary expertise, so now you’re asking water utilities to develop a whole new kind of department that deals with cyber threats,” said Amy Hardberger, a water expert at Texas Tech University.

The EPA has also faced setbacks. States regularly review the performance of water utilities. In March 2023, the EPA directed states to add cybersecurity assessments to these reviews. If problems were found, the state was supposed to force improvements.

But Missouri, Arkansas and Iowa, joined by the American Water Works Association and another water industry group, challenged the directive in court, arguing that the EPA lacked authority under the Safe Drinking Water Act. Following the court defeat, the EPA withdrew that requirement, but urged states to take voluntary action anyway.

The Safe Drinking Water Act requires certain water utilities to certify that they have developed and implemented plans for some threats. However, there are limits to its power.

“The law has no authority (on cybersecurity) at all,” Roberson said.

Kevin Morley, federal relations manager for the American Water Works Association, said some water utilities have components connected to the Internet, a common but significant vulnerability. Complete refurbishment of these systems can be a significant and expensive undertaking. And without sufficient funding from the federal government, water utilities will struggle to find resources.


Industry groups have issued guidelines for utility companies and are advocating for a new organization of cybersecurity and water experts to work with the EPA to develop and enforce new policies.

“Let’s bring everyone along in a way that makes sense,” Morley said, adding that small and large utilities have different needs and resources.