
Illustration by Security Management, iStock

EPA Issues Another Urgent Alert on Cyber Vulnerabilities of U.S. Water Supply

Two months after its last warning, the U.S. Environmental Protection Agency (EPA) issued another warning about cyberattack vulnerabilities of public water utilities.

“Cyberattacks against [community water systems] are increasing in frequency and severity across the country,” the EPA’s alert reported. “Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.”

According to the alert, more than 70 percent of the utilities the EPA inspected in the last year did not meet the standards necessary to repel cyberattacks. Some of the failures were of the basic variety: not changing default passwords and not disabling the credentials of former employees.

Hackers who gain access could do damage in any number of ways, from altering chemical composition to poisoning the supply to shutting down systems to damaging pumps and valves.

As part of the announcement, the EPA said it would step up inspection and enforcement actions. “As EPA steps up inspections, the Agency intends to use enforcement authorities to address problems quickly, that it observes in the field such as failure to prepare adequate RRAs [Risk and Resilience Assessments] and ERPs [Emergency Response Plans],” the EPA said in the alert.

The actions show how the EPA is trying to establish its influence in regulating water utilities' cyber defenses. However, the EPA’s actions do not come without controversy. In a Security Management article from March 2023, Mea Clift and Tim Maynard described how the American Water Works Association asserted that the EPA’s requirements are not the type of controls needed to safeguard the water supply and would force utilities to divert their limited IT resources away from more meaningful protections.

In a fact sheet developed by the EPA along with the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, the agencies list eight actions—with links to additional resources for each action—that water and wastewater utilities should take to reduce their vulnerability to cyber attacks:

  1. Reduce exposure to the public-facing Internet.
  2. Conduct regular cybersecurity assessments.
  3. Change default passwords immediately.
  4. Conduct an inventory of OT-IT assets.
  5. Develop and exercise cybersecurity incident response and recovery plans.
  6. Backup OT/IT systems.
  7. Reduce exposure to vulnerabilities.
  8. Conduct cybersecurity awareness training.