During inspections, the EPA identified critical vulnerabilities in numerous facilities, such as default passwords that had never been updated from their initial setup. In response, the agency issued an enforcement alert, urging water system operators to improve their cybersecurity measures. Recommended actions include conducting an inventory of operational assets, implementing cybersecurity training programs, and disconnecting certain systems from the internet to enhance security.
The EPA has announced plans to increase inspections of water infrastructure and, when necessary, take civil and criminal enforcement actions to address any imminent and substantial threats to safety.
Under Section 1433 of the Safe Water Drinking Act, community water systems serving over 3,300 people are required to perform comprehensive safety assessments and update their emergency response plans every five years.
The high failure rate reported by the EPA indicates potential violations of this section, highlighting missed opportunities to protect these essential services through risk and resilience evaluations.
This alert follows a series of cyber incidents over the past year, where nation-state hackers and cybercriminal groups have targeted water systems. These attacks have included unauthorized access to water treatment control systems, manipulation of operational technology, and other forms of sabotage.
The regulatory environment for U.S. water systems is complex, often involving state and local government oversight.
Many rural water operators, unlike their federal counterparts, lack sufficient resources to bolster their digital defenses. While the EPA has attempted to enforce stricter security mandates, these efforts have faced legal challenges from GOP-led states and industry groups. In October, the EPA rescinded a directive that would have required water providers to assess their cybersecurity measures during sanitation surveys.
Nation-state adversaries, including Chinese and Iranian hacking groups, have frequently breached U.S. water infrastructure.
China's Volt Typhoon group has been particularly active, infiltrating critical infrastructure and positioning themselves for further attacks. In one instance, Iranian Revolutionary Guard Corps-backed hackers targeted industrial water treatment systems, and more recently, Russia-linked hackers breached several rural U.S. water systems, posing significant safety risks.
In March, the EPA and the National Security Council issued a joint alert, urging states to remain vigilant against cyber threats targeting the water sector. The alert emphasized that drinking water and wastewater systems are attractive targets for cyberattacks due to their critical role and often limited cybersecurity capabilities.
Moreover, a Federal Energy Regulatory Commission (FERC) official recently testified about the vulnerability of dam systems to cyberattacks, indicating that new cybersecurity guidelines for dams could be developed within the next nine months.
The EPA's report underscores the urgent need for improved cybersecurity measures in U.S. water systems to protect these vital resources from potential cyber threats.
