The U.S. Environmental Protection Agency (EPA) has issued a critical warning regarding the cybersecurity vulnerabilities in community drinking water systems. The alert is part of a broader initiative led by the National Security Council and the Cybersecurity and Infrastructure Security Agency (CISA) to enhance the resilience of the nation’s infrastructure. Recent assessments have revealed alarming deficiencies in more than 70% of inspected water systems, underscoring the urgent need for action. The EPA, along with state and federal partners, is intensifying efforts to address these vulnerabilities and protect public health.
The EPA, established in 1970, aims to protect human health and the environment by enforcing regulations based on laws passed by Congress. The agency has been at the forefront of ensuring the safety of the nation’s natural resources, including air, water, and land.
Cyber threats to critical infrastructure have been a growing concern over the years. Previously, water systems have been targets of cyberattacks, with incidents such as the 2021 hacking attempt on a water treatment plant in Florida highlighting the potential dangers. These past events demonstrate the capabilities of hackers to access and manipulate water systems, posing significant risks to public safety. The latest EPA alert builds on these concerns, emphasizing the need for stringent cybersecurity measures to prevent similar incidents.
Comparing the current initiative to past efforts, the increased collaboration between federal agencies and state governments stands out. Historically, cybersecurity measures were often reactive, implemented post-incident. The current approach, however, focuses on proactive measures, including regular assessments, updated protocols, and enhanced coordination. This shift towards a preventative strategy indicates a broader understanding of the evolving nature of cyber threats.
Increasing Frequency and Severity of Attacks
The EPA alert points to a troubling rise in cyber threats targeting the nation’s water systems. These threats are not only becoming more frequent but also increasingly sophisticated, necessitating immediate and robust action. The agency’s recent inspections revealed that many systems still use default passwords and single login mechanisms, making them easy targets for cybercriminals.
Enhanced Inspection and Enforcement Activities
To mitigate these risks, the EPA plans to intensify its inspection and enforcement activities under Section 1433 of the Safe Drinking Water Act. The agency will increase the frequency of its checks and take both civil and criminal enforcement measures as needed. The goal is to ensure that water systems conduct regular vulnerability assessments and have comprehensive emergency response plans in place.
Establishment of a Task Force
The EPA is also forming a task force in collaboration with the Water Sector Coordinating Council and the Water Government Coordinating Council. This task force will develop immediate action plans to bolster the cybersecurity of water and sewer systems nationwide. The agency will provide technical assistance, training, and resources to help water systems enhance their cybersecurity posture.
Recommendations for Water System Operators
Water system operators should take the following concrete actions to enhance their cybersecurity:
- Reduce exposure to public-facing internet.
- Conduct regular cybersecurity assessments.
- Change default passwords immediately.
- Conduct an inventory of OT/IT assets.
- Develop and exercise cybersecurity incident response and recovery plans.
- Backup OT/IT systems.
- Reduce exposure to vulnerabilities.
- Conduct cybersecurity awareness training.
The coordinated efforts of the EPA, CISA, and other federal entities signify a comprehensive approach to addressing cybersecurity vulnerabilities in water systems. By implementing regular inspections, enhancing enforcement activities, and forming dedicated task forces, these agencies aim to fortify the nation’s water infrastructure. Water system operators must adopt the recommended cybersecurity measures to safeguard against potential threats. These proactive steps are crucial in protecting public health and ensuring the safety of drinking water across the country.
