Skip to content

The Environmental Protection Agency (EPA) has issued an enforcement alert advising water utility systems to take immediate action to safeguard the nation’s drinking water from cyberattacks.

This alert underscores the growing concern about the vulnerability of critical infrastructure to malicious cyber activities. The EPA recently reported that 70% of the water systems inspected in the U.S. do not fully comply with the requirements of the Safe Drinking Water Act. The agency also found that some of these systems have critical cybersecurity vulnerabilities, such as default passwords that have not been updated and single logins that can easily be compromised.

What could all of this mean? The EPA stated that possible impacts of cyberattacks include disruptions to water treatment and storage, damage to pumps and valves, and alteration of chemical levels to hazardous amounts.

EPA Deputy Administrator Janet McCabe said in a press release, “In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business.”

The EPA highlighted additional information in the press release and enforcement alert. The warning stated that China, Russia, and Iran have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.

Late last year, a group linked to Iran called “Cyber Av3ngers” targeted multiple organizations, including a small Pennsylvania town’s water provider. Earlier this year, a group of “hactivists” linked to Russia attempted to disrupt operations at several Texas utilities. Also, according to the alert, a cyber group linked to China, known as “Volt Typhoon,” has compromised the information technology of multiple infrastructure systems, including drinking water, in the U.S. and its territories.

“By working behind the scenes with these hacktivist groups, now these (nation-states) have plausible deniability, and they can let these groups carry out destructive attacks. And that, to me, is a game-changer,” said Dawn Cappelli, a cybersecurity expert with the risk management firm Dragos Inc., in an interview with the Associated Press (AP).

This latest alert is in response to a previous warning issued in March regarding potential cyberattacks against U.S. water systems. The letter, sent by the White House and the EPA to all 50 U.S. governors, highlighted concerns that threat actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) have carried out “malicious cyberattacks” against U.S. infrastructure, including drinking water systems.

In the March 18 letter, Michael S. Regan, EPA administrator, and White House National Security Adviser Jake Sullivan wrote to all 50 U.S. governors warning that:

Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.

The EPA said it would provide free training for water utilities to address these issues. Water providers should avoid using default passwords, create a cybersecurity risk assessment plan, and have functioning backup systems. Many of the 50,000 U.S. water providers have limited staff and budgets, primarily focusing on meeting basic needs and regulations.

Kevin Morley, from the American Water Works Association, stressed that revamping utility systems is difficult and costly. He stated that community water systems need substantial federal funding to combat cyberattacks. He also noted that small and large water companies have unique and evolving needs, suggesting a reasonable approach for everyone.

All of this just serves as a reminder that it’s a good idea to have a backup or emergency supply of potable water. FEMA & the CDC recommend one gallon per person, per day. In other words, a two-week supply of water for a family of four is at least 56 gallons!

Whether because of a natural disaster, train-derailment, or cyber attack, it’s critical to have a plan B!