Environmental Protection Agency issues Nationwide Drinking Water Warning


The Environmental Protection Agency (EPA) issued an enforcement alert Monday urging water utility systems to take immediate actions to protect the nation’s drinking water from cyberattacks.

According to the EPA, recent federal inspections revealed that 70 percent of U.S. water systems inspected do not fully comply with requirements in the Safe Drinking Water Act. The agency added that some systems have “critical cybersecurity vulnerabilities, such as default passwords that have not been updated and single logins that can easily be compromised.”

Possible impacts of cyberattacks include interruptions to water treatment and storage and damage to pumps and valves, along with alteration of chemical levels to hazardous amounts, the EPA said.

“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” EPA Deputy Administrator Janet McCabe said in a press release.
When reached by Newsweek via email Monday afternoon, the EPA pointed to additional information in today’s press release and enforcement alert.

The warning said China, Russia and Iran have “disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.”
Late last year, an Iranian-linked group, “Cyber Av3ngers,” targeted multiple organizations, including a small Pennsylvania town’s water provider. Earlier this year, a Russian-linked “hactivist” group attempted to disrupt operations at several Texas utilities. In addition, a cyber group linked to China, “Volt Typhoon,” has compromised information technology of multiple infrastructure systems, including drinking water, in the U.S. and its territories, the alert stated.
“By working behind the scenes with these hacktivist groups, now these (nation states) have plausible deniability and they can let these groups carry out destructive attacks. And that to me is a game-changer,” Dawn Cappelli, cybersecurity expert with risk management firm Dragos Inc., told the Associated Press (AP).

Monday’s alert follows a warning in March over concerns about potential cyberattacks against U.S. water systems.
The March letter, sent by the White House and the EPA to all 50 U.S. governors, noted that threat actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) have executed several “malicious cyberattacks” against U.S. infrastructure, such as drinking water systems.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” Michael S. Regan, EPA administrator, and White House National Security Adviser Jake Sullivan wrote in a March 18 letter to all 50 U.S. governors.

The EPA said it will train water utilities for free to assist with addressing some of the issues. McCabe said water providers shouldn’t use default passwords and need to develop a risk assessment plan that addresses cybersecurity. Also, water systems need functioning backup systems.
However, some fixes are more complex. AP reports that there are approximately 50,000 community water providers in the U.S. Many utility companies have a small staff and a minimal budget, which means the basic needs—clean water and keeping up with the latest regulations—are the primary focus.
“Certainly, cybersecurity is part of that, but that’s never been their primary expertise. So, now you’re asking a water utility to develop this whole new sort of department” to handle cyberthreats, Amy Hardberger, water expert at Texas Tech University, told AP.

Kevin Morley, manager of federal relations with the American Water Works Association, told AP that overhauling a utility system is often arduous and expensive, saying that community water systems are going to need substantial federal funding to develop resources to combat cyberattacks.
He also noted that small and large water companies have unique and evolving needs and resources.
“Let’s bring everybody along in a reasonable manner,” Morley told AP.