EPA warns of cyberattacks on drinking water systems

Policy

The warning from the EPA also comes after the White House informed all state governments across the country in a letter that they must likewise safeguard against cyberattacks on water facilities.

The agency will therefore elevate the number of inspections they conduct and “take civil and criminal enforcement actions” to ensure systems regularly assess cyber vulnerabilities. File Image.

Officials at the Environmental Protection Agency issued an alert cautioning that there exist “cybersecurity threats and vulnerabilities” to drinking water systems across the country.

The federal agency revealed on Monday that recent inspections show more than 70% of community water systems “do not fully comply” with the Safe Drinking Water Act and have “critical cybersecurity vulnerabilities.” The alert comes as entities from China, Russia, Iran, and other hostile powers increasingly attack American drinking water infrastructure.

“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” EPA Deputy Administrator Janet McCabe said.

The agency will therefore elevate the number of inspections they conduct and “take civil and criminal enforcement actions” to ensure systems regularly assess cyber vulnerabilities. Officials recommended that the facilities decrease exposure to public-facing internet, change passwords immediately, and conduct cybersecurity awareness training, among other actions.

The planned enforcement actions come months after an Iranian cyber group infiltrated a drinking water system in Aliquippa, Pennsylvania, since their software system has components that are owned by Israel. The hackers also claimed responsibility for ten attacks on water facilities in Israel following the start of the war in Gaza. Another cyberattack was carried out by Russian actors against water infrastructure in Hale Center, Texas, and other small towns.

Microsoft said last year that they had uncovered malicious activity from a Chinese state-sponsored entity called Volt Typhoon, which appears to be gathering data on critical infrastructure to disrupt communications between the United States and Asia. The group is seeking to collect credentials from infrastructure systems and keep the stolen data.

The warning from the EPA also comes after the White House informed all state governments across the country in a letter that they must likewise safeguard against cyberattacks on water facilities. “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” the document said.