EPA Warns of Increasing and Severe Cyberattacks on US Water Utilities
ICARO Media Group
In a recent enforcement alert, the Environmental Protection Agency (EPA) has cautioned water utilities about the growing frequency and severity of cyberattacks in the United States. The agency revealed that approximately 70% of the utilities inspected by federal officials in the past year have violated standards designed to prevent breaches or intrusions.
According to the EPA, even smaller water systems must enhance their protections against cyber threats. Recent attacks, primarily carried out by groups affiliated with Russia and Iran, have targeted smaller communities. The enforcement alert highlighted various weaknesses in the water systems, including the failure to change default passwords or disable access for former employees.
As water utilities rely heavily on computer software to operate treatment plants and distribution systems, safeguarding information technology and process controls is of utmost importance, emphasized the EPA. The potential consequences of cyberattacks on these utilities include disruptions in water treatment and storage, damage to pumps and valves, and the alteration of chemical levels to hazardous amounts.
EPA Deputy Administrator Janet McCabe expressed concern over the lack of risk assessment and cybersecurity planning by many water systems. She stated, "In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business."
While attempts by private groups or individuals to breach water provider networks have been observed in the past, recent attacks have increasingly targeted the operational capabilities of utilities instead of their websites. Alarming reports indicate that some recent hacks are linked to geopolitical rivals and could disrupt the supply of safe water to homes and businesses.
The EPA specifically named China, Russia, and Iran as countries actively seeking the capability to disable critical U.S. infrastructure, including water and wastewater systems. Incidents from late last year involved an Iranian-linked group called "Cyber Av3ngers," which targeted a small Pennsylvania town's water provider. Additionally, a Russian-linked "hacktivist" attempted to disrupt operations at several Texas utilities earlier this year.
U.S. officials have also pointed to a China-aligned group known as Volt Typhoon, which has compromised the information technology of various critical infrastructure systems, including drinking water, in the United States and its territories. Cybersecurity experts believe that this group is positioning itself for potential attacks in the event of armed conflict or rising geopolitical tensions.
Criminal penalties could be imposed by the EPA if serious cybersecurity problems are identified during inspections. The agency's enforcement alert serves as a stern reminder of the need to address cyber threats and protect critical infrastructure within the water sector. The Biden administration, recognizing the gravity of the situation, has already taken steps to combat threats against critical infrastructure, including the protection of U.S. ports and increased security measures for electric utilities.
The EPA, alongside White House National Security Advisor Jake Sullivan, has called on states to develop plans to combat cyberattacks on drinking water systems. However, the fragmented nature of the water sector, with approximately 50,000 community water providers mainly serving small towns, poses significant challenges in implementing comprehensive cybersecurity practices. Limited resources and expertise further hinder water utilities from effectively responding to cyber threats.
As the EPA continues its efforts to promote cybersecurity in the water sector, the need for increased collaboration, training, and support for smaller utilities becomes evident. While achieving a baseline level of cybersecurity across all water utilities may be a long-term goal, the protection of the nation's drinking water remains a pressing priority in the face of escalating cyber risks.