Cyberattacks on water utilities across the country are becoming more frequent and severe, the Environmental Protection Agency warned Monday as it issued an enforcement alert calling on water systems to take immediate action to protect the nation’s drinking water.
About 70% of utilities inspected by federal officials in the past year violated standards designed to prevent breaches or other violations, the agency said. Officials urged even small water systems to improve protections against hacks. Recent cyber attacks by groups affiliated with Russia and Iran have targeted smaller communities.
Some water systems are failing in fundamental ways, the warning said, including failing to change default passwords or cutting off system access to former employees. Because water utilities often rely on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is critical, the EPA said. Possible consequences of cyber attacks include disruptions to water treatment and storage; damage to pumps and valves; and altering chemical levels to dangerous levels, the agency said.
“In many cases, systems are not doing what they should be doing, which is having completed a risk assessment of their vulnerabilities, including cybersecurity, and ensuring that plan is available and informing the way they do business,” EPA said. Deputy Administrator Janet McCabe.
Attempts by private groups or individuals to gain access to a water supplier’s network and remove or deface websites are not new. Lately, however, attackers have not only gone after websites, but have also targeted the activities of utilities instead.
Recent attacks have not only come from private entities. Some recent hacks of water utilities are linked to geopolitical rivals and could disrupt the supply of safe water to homes and businesses.
EPA has not said how many cyber incidents have occurred in recent years, and the number of successful attacks to date is small.
McCabe named China, Russia and Iran as the countries “actively seeking the ability to eliminate U.S. critical infrastructure, including water and wastewater.”
Late last year, an Iran-affiliated group called “Cyber Avengers” launched targeted several organizations, including the water supplier of a small town in Pennsylvania, forcing it to switch from a remote pump to manual control. They were looking for an Israeli-made device used by the utility in the aftermath of Israel’s war against Hamas.
Earlier this year, a Russia-linked “hacktivist” attempted to disrupt the operations of several Texas utilities.
A cyber group with ties to China and known as Volt Typhoon has compromised the information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories, U.S. officials said. Cybersecurity experts believe the China-focused group is positioning itself for possible cyberattacks in the event of armed conflict or rising geopolitical tensions.
“By working behind the scenes with these hacktivist groups, these (nation states) now have plausible deniability and can allow these groups to carry out destructive attacks. And that for me is a game-changer,” said Dawn Cappelli, a cybersecurity expert at industrial cybersecurity company Dragos Inc.
The world’s cyber powers are believed to have been infiltrating rivals’ critical infrastructure for years, planting malware that can be activated to disrupt basic services.
The enforcement alert is intended to highlight the seriousness of cyber threats and to inform utilities that the EPA will continue its inspections and impose civil or criminal penalties if they find serious problems.
“We want to make sure we let people know that, ‘Hey, we’re having a lot of problems here,’” McCabe said.
Preventing attacks on water suppliers is part of the Biden administration’s broader efforts to combat threats against critical infrastructure. In February, President Joe Biden signed an executive order to protect American ports. Healthcare systems have been attacked. The White House has prompted electric utilities to strengthen their defenses, at. EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have asked states to come up with a plan to combat cyber attacks on drinking water systems.
“Drinking water and wastewater systems are attractive targets for cyber attacks because they are a critical infrastructure sector but often lack the resources and technical capacity to implement rigorous cybersecurity practices,” Regan and Sullivan wrote in a March 18 letter to all 50 American governors.
Some solutions are simple, McCabe said. For example, water suppliers are not allowed to use default passwords. They must develop a risk assessment plan that addresses cybersecurity and establish backup systems. The EPA says they will provide free training to water companies that need help. Larger utilities typically have more resources and expertise to defend against attacks.
“In an ideal world… we would like everyone to have a basic level of cybersecurity and be able to confirm that they have it,” said Alan Roberson, executive director of the Association of State Drinking Water Administrators. “But that is still a long way off.”
Some barriers are fundamental. The water sector is highly fragmented. There are approximately 50,000 water suppliers in the community, most of which serve small towns. Modest workforces and anemic budgets in many places make it difficult enough to maintain basic services: providing clean water and complying with the latest regulations.
“Certainly, cybersecurity is part of that, but that has never been their primary expertise. So now you’re asking a water utility to develop a whole new kind of department to tackle cyber threats, says Amy Hardberger, a water expert at Texas Tech University.
The EPA has faced setbacks. States periodically assess the performance of water suppliers. In March 2023, the EPA directed states to add cybersecurity assessments to those assessments. If they discovered problems, the state had to enforce improvements.
But Missouri, Arkansas and Iowa, joined by the American Water Works Association and another water industry group, challenged the instructions in court on the grounds that EPA did not have the authority under the Safe Drinking Water Act. After a court setback, the EPA withdrew its demands but urged states to take voluntary action anyway.
The Safe Drinking Water Act requires certain water suppliers to develop plans for certain threats and certify that they have done so. But its power is limited.
“There’s just no authority for (cybersecurity) in the law,” Roberson said.
Kevin Morley, federal relations manager at the American Water Works Association, said some water utilities have components connected to the Internet — a common but significant vulnerability. Overhauling these systems can be a significant and expensive job. And without substantial federal funding, water systems struggle to find resources.
The industry group has published guidance for utilities and is calling for the creation of a new organization of cybersecurity and water experts that would develop and enforce new policies, in collaboration with the EPA.
“Let’s include everyone in a reasonable way,” Morley said, adding that small and large utilities have different needs and resources.
