More than 70% of surveyed water systems failed to meet EPA cyber standards

More than 70% of water systems examined since last September failed to meet certain safety standards set by the Environmental Protection Agency, exposing them to cyberattacks that can cripple wastewater and water sanitation systems across the country, the EPA said Monday.

At some facilities, recent EPA inspections discovered “critical” vulnerabilities, including default passwords that were used during initial setup to log in to platforms and other operational technologies but were never updated with new credentials.

The figure was part of an enforcement alert from the agency urging owners and operators of water systems to strengthen the security of their networks by, among other things, conducting an inventory of their operational assets, conducting cybersecurity training and disconnecting certain systems from the internet.

The EPA will also increase inspections of water infrastructure and, in certain cases, “take civil and criminal enforcement actions, including in response to a situation that could pose an imminent and significant threat,” the agency said in a news release.

Section 1433 of the Safe Drinking Water Act requires community water systems serving more than 3,300 people to conduct a series of safety assessments and revise their response plans every five years. “These outages represent potential 1433 violations and represent a missed opportunity to secure operations,” the agency said, based on risk and resiliency assessments of the 70% failure rate.

The warning was triggered by several incidents over the past year in which government hackers and affiliated cybercrime groups breached water systems, displayed messages on front-facing water treatment displays or sabotaged other functions.

The U.S. water landscape is a complex regulatory environment in which law enforcement and management are often supported by state and local governments. Unlike federal institutions, many rural water utilities do not have access to the funding or resources needed to improve their digital defenses.

The EPA has tried to impose stricter security requirements on water operators, but in October the agency revoked a memorandum that would have directed providers to assess the cyberdefenses of their water systems when conducting sanitation surveys. The measure, which the agency said was permitted under the Safe Drinking Water Act, faced legal opposition from Republican-led states and trade groups.

Several nation-state adversaries have succeeded in breaching water infrastructure across the country. China has deployed its extensive and pervasive Volt Typhoon hacking collective, burrowing into large critical infrastructure segments and positioning itself along compromised internet routing devices to carry out further attacks, national security officials said previously.

In November, IRGC-backed cyber agents broke into industrial water treatment controls and targeted programmable logic controllers from the Israeli company Unitronics. Most recently, Russian-linked hackers were confirmed to have breached a number of rural water systems in the U.S., at times posing a threat to physical security.

The EPA and the National Security Council in March urged states to remain vigilant against cyber threats targeting the water sector. “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a vital sector of critical infrastructure, but often lack the resources and technical capacity to implement rigorous cybersecurity practices,” their letter said.

A FERC official also recently testified that dam systems are at risk of cyberattacks and said new policies on dam cybersecurity could usefully be developed within the next nine months.
