The Environmental Protection Agency is ramping up its inspections of critical water infrastructure after warning of “alarming vulnerabilities” to cyberattacks.
The agency issued an enforcement alert yesterday warning utilities to take quick action to mitigate threats to the nation’s drinking water. The EPA plans to increase inspections and says it will take civil and criminal enforcement actions as needed.
“Cyberattacks against [community water systems] are increasing in frequency and severity across the country,” the alert says. “Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.”
“Cyberattacks against [community water systems] are increasing in frequency and severity across the country.”
More than 70 percent of water systems inspected since September 2023 failed to comply with mandates under the Safe Drinking Water Act (SDWA) that are meant to reduce the risk of physical and cyberattacks, the EPA said. That includes failing to take basic steps like changing default passwords or cutting off former employees’ access to facilities. Since 2020, the EPA has taken more than 100 enforcement actions for violations of that section of the SDWA.
“Foreign governments have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future,” the enforcement alert says. One example it cites is Volt Typhoon, a People’s Republic of China state-sponsored cyber group that has “compromised the IT environments of multiple critical infrastructure organizations,” according to a Department of Homeland Security advisory issued in February.
The EPA’s enforcement alert asks utilities to follow recommendations for maintaining cyber hygiene, including conducting awareness training for employees, backing up OT / IT systems, and avoiding public-facing internet.
It follows a letter EPA administrator Michael Regan and national security advisor Jake Sullivan sent to state governors earlier this year warning them of cyber risks to the nation’s drinking and wastewater systems. It led to a March convening where the National Security Council asked each state to come up with an action plan to address those vulnerabilities by late June.
