Cyberattacks on U.S. Water Utilities Requires Immediate Action, says the Environmental Protection Agency

China, Iran, and Russia are Targeting Critical Infrastructures

The cyberattacks have been linked to geopolitical rivals. China, Iran, and Russia are said to be actively involved in disabling critical infrastructures in the U.S., including water and wastewater utilities, says EPA Deputy Administrator, Janet McCabe. This can lead to the disruption of water supplies to homes and businesses.

Furthermore, federal officials have found that about 70% of the nation’s water utilities that they inspected during the last 12 months do not adhere to the standards required to prevent intrusions and other breaches.

Most water utilities rely on computer software to operate distribution systems and treatment plants but become soft targets for cyberattacks when failing to protect process controls and information technology. The EPA says water utilities become vulnerable when overlooking basic protection methods such as the need to change default passwords or deny access to former employees.

Recent Cyberattacks in the U.S.

Recent cyberattacks on utilities include Cyber Av3ngers, an Iranian-linked group that targeted several organizations, including a smalltown water utility in Pennsylvania. The utility was forced to switch to manual operations.

VoltTyphoon, a China-linked cyber group that compromised several critical infrastructures, including drinking water utilities.

Hackvist, a Russia-linked group that tried to disrupt infrastructures at several Texas water utilities.

While the EPA has not revealed the number of cyberattacks that have occurred in the U.S. in recent years, successful attacks are known to have been few. The EPA says it will continue to conduct inspections of water utilities and failure to comply with the enforcement alert could result in criminal or civil penalties.

Preventing cyberattacks against water utilities is part of President Joe Biden’s effort to combat critical infrastructure threats. All 50 U.S. governors have been informed about the vulnerability of water utilities. “Drinking water and wastewater systems are attractive cyberattack targets because they are a lifeline critical infrastructure sector.”

The EPA Faces Several Barriers

The EPA, however, faces several barriers in its attempt to make essential infrastructure utilities safe from cyberattack. Water utilities in the U.S. are fragmented with about 50,000 community service providers in small towns. Many of these utilities have modest work forces and small budgets, making it difficult for them to keep pace with the latest regulations.

When the EPA instructed states to enforce cybersecurity improvements early last year, its efforts were thwarted by Arkansas, Iowa, and Missouri who joined forces with the American Water Works Association to challenge the instructions. The EPA was subsequently forced to withdraw its requirements when a court found that the agency did not have the authority in terms of the Safe Drinking Water Act.

Takeaways

The EPA is offering to train staff to safeguard water utilities free of charge. The EPA’s Deputy Administrator, Janet McCabe, says some measures to withstand cyberattacks are straightforward. A simple fix is to stop using default passwords. McCabe says utilities must develop risk assessment plans and introduce backup systems.

Water utilities that are connected to the internet are vulnerable says Kevin Morley, manager of federal relations with the American Water Works Association. Overhauling computer systems can be costly and requires federal funding for smaller water utilities with modest budgets and restricted resources.

In an ideal world, all critical infrastructure utilities in American would have baseline cybersecurity says Alan Robertson, the executive director of the Association of State Drinking Water Administrators.