WASHINGTON — Cyberattacks on water utilities across the country are becoming more frequent and severe, the Environmental Protection Agency warned Monday, issuing an alert calling on water systems to take immediate action to protect the nation’s drinking water.
About 70% of utilities inspected by federal officials over the past year violated standards designed to prevent violations or other intrusions, according to the agency. Officials have called on even small water systems to improve their security against break-ins. Recent cyberattacks by groups linked to Russia and Iran have targeted smaller communities.
The warning said some water systems were failing to cope with basic tasks, including the inability to change default passwords or cut off system access for former employees. Because water utilities often rely on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is critical, the EPA said. Possible consequences of cyberattacks include disruptions in water treatment and storage; damage to pumps and valves; and changes in chemical levels to hazardous levels, the agency said.
“In many cases, systems do not do what they are supposed to do, which is to complete a risk assessment of their vulnerabilities, including cybersecurity, and to ensure that the plan is accessible and informs how they conduct business,” the EPA said. Deputy Administrator Janet McCabe.
Attempts by private groups or individuals to infiltrate water supply networks and remove or deface websites are not new. However, recently, attackers have attacked not only websites, but also the work of public utilities.
The recent attacks are not just carried out by private individuals. Some recent hacks of water utilities involve geopolitical competitors and could disrupt the supply of safe water to homes and businesses.
McCabe identified China, Russia and Iran as countries that are “actively seeking opportunities to disrupt critical U.S. infrastructure, including water and wastewater.”
Late last year, an Iran-linked group called “Cyber Av3ngers” targeted several organizations, including a water supplier in a small Pennsylvania town., causing it to switch from remote pump to manual control. They were going after an Israeli-made device used by the utility after Israel’s war against Hamas.
Earlier this year, a Russia-linked “hacktivist” tried to disrupt several Texas utility companies.
Cyber group linked to China and known as Volt-Typhoon, compromised the information technology of several critical infrastructure systems. including drinking water, in the United States and its territories, U.S. officials said. Cybersecurity experts believe the China-linked group is preparing for potential cyberattacks in the event of armed conflict or rising geopolitical tensions.
“By working behind the scenes with these hacktivist groups, these (nation states) now have plausible deniability and can allow these groups to carry out destructive attacks. And for me, this is a game changer,” said Dawn Cappelli, a cybersecurity expert at industrial cybersecurity company Dragos Inc.
The world’s cyber powers are believed to have been infiltrating competitors’ critical infrastructure for years, introducing malware that could disrupt essential services.
The law enforcement alert is intended to highlight the seriousness of cyber threats and to inform utilities that the EPA will continue its inspections and pursue civil or criminal penalties if they find serious problems.
“We want to make sure we get the message out to people, ‘Hey, we’re finding a lot of problems here,’” McCabe said.
The Environmental Protection Agency has not said how many cyber incidents have occurred in recent years, and the number of successful attacks is still low. Since 2020, the agency has taken about 100 enforcement actions related to risk assessment and emergency response, but said these are only a fraction of the threats facing water systems.
Preventing attacks on water suppliers is part of the Biden administration’s broader efforts to combat threats to critical infrastructure. President Joe Biden signed the executive order in February. to protect US ports. Health systems were attacked. The White house pushed electric utilities to strengthen their defenses, too much. Environmental Protection Agency Administrator Michael Regan and White House National Security Adviser Jake Sullivan have asked states to develop a plan to combat cyberattacks on drinking water systems.
“Drinking water and wastewater systems are attractive targets for cyberattacks because they are a vital infrastructure sector, but they often lack the resources and technical capabilities to implement stringent cybersecurity measures,” Regan and Sullivan wrote in a March 18 letter to all 50 US governors.
Some fixes are simple, McCabe said. Water suppliers, for example, should not use default passwords. They need to develop a risk assessment plan that takes cybersecurity into account and set up backup systems. The Environmental Protection Agency says they will provide free training to water utilities that need help. Large utilities typically have more resources and expertise to defend against attacks.
“In an ideal world … we would want everyone to have a basic level of cybersecurity and be able to prove that they have it,” said Alan Roberson, executive director of the Association of State Drinking Water Administrators. – But it’s very far away.
Some barriers are fundamental. The water sector is highly fragmented. There are approximately 50,000 local water suppliers, most of which serve small towns. Meager staffing levels and anemic budgets in many places make it difficult to maintain basic necessities—providing clean water and complying with the latest regulations.
“Of course cybersecurity is part of it, but it has never been their core competency. So now you’re asking the water utility to create a whole new department to combat cyber threats,” said Amy Hardberger, a water resources expert at Texas Tech University.
The Environmental Protection Agency has faced setbacks. States periodically inspect the performance of water suppliers. In March 2023, the Environmental Protection Agency directed states to add cybersecurity assessments to these reviews. If they found problems, the government had to make improvements.
But Missouri, Arkansas and Iowa, joined by the American Water Works Association and another water industry group, challenged the guidelines in court on the grounds that the EPA lacks authority under the Safe Drinking Water Act. Following the legal setback, the EPA withdrew its demands, but urged states to take voluntary action anyway.
The Safe Drinking Water Act requires some water suppliers to develop action plans to address certain hazards and certify that they are in compliance. But his power is limited.
“There is simply no mandate in the law for cybersecurity,” Roberson said.
Kevin Morley, federal affairs manager for the American Water Works Association, said some water utilities have Internet-connected components, which is a common but significant vulnerability. Overhauling these systems can be a major and expensive job. And without significant federal funding, water systems are struggling to find resources.
The industry group has published guidance for utilities and is advocating for the creation of a new organization of cybersecurity and water experts that would develop and enforce new policies in partnership with the Environmental Protection Agency.
“Let’s bring everyone together in a smart way,” Morley said, adding that small and large utilities have different needs and resources.