Time To Tighten Up U.S. Water Supply Defenses

If anything fails 70 percent of the time, It is obviously time to improve whatever it is. When what is failing is vital to every American citizen, repairing the situation becomes crucial.

The Environmental Protection Agency (EPA), an authority on environmental safety, has issued a stark warning. They report a significant increase in cyberattacks against water utilities across the country, with the severity of these attacks also on the rise. The Agency’s enforcement alert is a clear call to action, urging water systems to take immediate steps to protect the nation’s drinking water.

The situation has become dangerous because approximately 70 percent of utilities inspected by federal officials over the last year were not in compliance with the standards designed to prevent cyber-attacks. They noted that China, Russia, and Iran have already impacted water systems across the nation.

EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have urged states to develop a strategy to counter cyberattacks on drinking water systems. Regan and Sullivan stressed that the absence of even basic cybersecurity measures at water facilities could lead to a disruptive cyberattack, highlighting the urgent need for action.

In a letter sent to all 50 governors from Reagan and Sullivan, they stated, “We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices.” They went on to say, “Even basic cybersecurity precautions are not in place at water facilities and can mean the difference between business as usual and a disruptive cyberattack.”

EPA Deputy Administrator Janet McCabe stated:

“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business.”

She added that China, Russia, and Iran are the countries that are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater. We want to make sure that we get the word out to people that ‘Hey, we are finding a lot of problems here.’”

The EPA plans to establish a task force to identify the most significant vulnerabilities of water systems to cyberattacks, among other critical issues. The agency has found that certain water systems are not meeting basic security standards, such as neglecting to change default passwords or revoke system access for former employees. Because water utilities frequently use computer software to run treatment plants and distribution systems, it is essential to protect both the information technology and process controls. Potential impacts of cyberattacks include disruptions to water treatment and storage, damage to pumps and valves, and manipulation of chemical levels to hazardous levels.

Alan Roberson, the Executive Director of the Association of State Drinking Water Administrators, said, “In an ideal world, we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that.”

However, that goal is easier said than done. There are approximately 50,000 community water providers, many of which serve small towns. Limited staffing and insufficient budgets in many locations make it challenging to maintain the essentials, such as providing clean water and keeping up with the latest regulations.

In March 2023, the EPA instructed states to add cybersecurity evaluations to their reviews. If they found problems, the state was supposed to force improvements.

Yet after that suggestion, Missouri, Arkansas, and Iowa, along with the American Water Works Association and another water industry group, challenged the instructions in court. They argued that the EPA did not have the authority under the Safe Drinking Water Act. Following the court setback, the EPA withdrew its requirements but still encouraged states to voluntarily step up their defenses.

Late last year, a group called “Cyber Av3ngers,” linked to Iran, targeted multiple organizations, including a small Pennsylvania town’s water provider. This forced the provider to switch from a remote pump to manual operations. The group was specifically targeting an Israeli-made device used by the utility in the aftermath of Israel’s conflict with Hamas.

Earlier this year, a Russian-linked “hacktivist” tried to disrupt operations at several Texas utilities. In addition, U.S. officials have reported that a cyber group known as Volt Typhoon, linked to China, has compromised the information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories.

Dawn Cappelli, a cybersecurity expert with the risk management firm Dragos Inc. stated:

“By working behind the scenes with these hacktivist groups, now these (nation-states) have plausible deniability, and they can let these groups carry out destructive attacks, and that to me is a game-changer.”

With approximately 150,000 public water systems, cyber-attack security is daunting. That said, the threat is real, and every water system needs to find a way to upgrade its security against this danger.