In a recent alert, the Environmental Protection Agency (EPA) has issued a warning stating that cyberattacks on water utilities across the United States are escalating both in frequency and severity. The agency revealed that nearly 70% of utilities inspected over the past year have violated standards meant to prevent breaches, prompting the EPA to urge immediate action to safeguard the nation's drinking water.

This alarming trend has seen cyberattacks targeting water systems becoming more prevalent, including those carried out by groups linked to Russia and Iran, often focusing on smaller communities. The EPA emphasized that even small water systems must enhance their cybersecurity measures to protect against these threats to ensure the uninterrupted supply of safe water to homes and businesses.

The enforcement alert highlighted several concerning issues among water systems. Many were found to have neglected basic security practices, such as failure to change default passwords or revoke system access for former employees. Given the heavy reliance of water utilities on computer software to operate treatment plants and distribution systems, protecting information technology and process controls has become crucial, stressed the EPA.

The potential consequences of successful cyberattacks on water utilities are severe and can include disruptions to water treatment and storage, damage to essential infrastructure like pumps and valves, and hazardous changes in chemical levels, according to the agency.

Janet McCabe, Deputy Administrator of the EPA, expressed concern over the lack of comprehensive vulnerability assessments that incorporate cybersecurity in the way water systems operate. McCabe specifically named China, Russia, and Iran as countries actively seeking to disable critical U.S. infrastructure, including water and wastewater.

Recent incidents have illustrated the escalating threats. In one case, an Iranian-linked group targeted a small Pennsylvania town's water provider, compelling it to switch to manual operations after hacking an Israeli-made device. Texas utilities also faced an attempted disruption by a Russian-linked "hacktivist" earlier this year. Additionally, a China-aligned group known as Volt Typhoon has compromised critical infrastructure systems, including drinking water, in the United States and its territories, officials stated.

Experts in cybersecurity have noted the growing collaboration between nation-states and private groups or hacktivist organizations. This newfound cooperation provides attackers with plausible deniability and the ability to carry out destructive attacks. Dawn Cappelli, a cybersecurity expert with Dragos Inc., described this development as a game-changer.

To address these cybersecurity risks, the EPA plans to continue inspections and emphasizes the potential for civil or criminal penalties for serious vulnerabilities found. The Biden administration has also prioritized protecting critical infrastructure, including water systems, from cyber threats. In a letter to all 50 U.S. governors, EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan called for a plan to combat cyberattacks on drinking water systems.

However, the fragmented nature of the water sector and the limited resources and technical capacity of many water providers pose significant challenges. With around 50,000 community water providers, mostly serving small towns, limited staffing and budgets make it difficult to prioritize cybersecurity in an already resource-strained environment.

While there is currently no specific authority for cybersecurity in the Safe Drinking Water Act, there are calls from experts and industry groups for stronger policies and enforcement. The American Water Works Association suggests establishing a new organization of cybersecurity and water experts to develop and enforce cybersecurity practices in partnership with the EPA.

In light of the EPA's warning and the increasing cyber threats facing water utilities, it is evident that immediate action must be taken to protect the nation's water supply and critical infrastructure.