[embedded content]
The Environmental Protection Agency on Monday asked water utilities to take immediate action to defend against cyberattacks on public drinking water supplies, citing an uptick in the frequency and severity of attempted intrusions, primarily by hackers in China, Russia, and Iran.
In the last eight months, EPA officials said 70% of public water utilities inspected were found to be in violation of basic standards aimed at protecting against breaches.
“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” EPA Deputy Administrator Janet McCabe said.
Many of the standards to protect water providers are simple, officials said, such as changing a system’s default login password, requiring staff to use different login information, and making sure former employees no longer have access to their systems.
But the potential for harm from a cyberattack is much greater: By obtaining access to a water system, hackers can disrupt the treatment, distribution, and storage of community water systems, wreak havoc on pumps and valves, and alter levels of chemicals to hazardous amounts, EPA officials said.
The U.S. has seen an increase in cyberattacks from state-sponsored groups and criminal organizations on water systems, heightening the need for new enforcement actions.
These intrusions include an attack on a small Pennsylvania water provider linked to an Iranian-based hacking group, an attack on three Texas water systems carried out by a known Russian “hacktivist” group, and at least three instances in which state-sponsored Chinese hackers targeted critical infrastructure and drinking water since 2021.
In recent months, EPA has announced the creation of a Water Sector Cybersecurity Task Force aimed at helping water systems identify threats and draft strategies to better protect against intrusions.
In March, EPA Administrator Michael Regan and White House national security adviser Jake Sullivan asked states to submit a plan to protect their public water systems from cyberattacks.
CLICK HERE TO READ MORE FROM THE WASHINGTON EXAMINER
Officials said Monday that the enforcement alert underscores the seriousness of the cyber threats and EPA’s willingness to enforce civil or criminal penalties against water systems that fail to implement basic digital hygiene.
“We want to make sure that we get the word out to people that, ‘Hey, we are finding a lot of problems here,’” McCabe said.
