Smart Water Magazine
Connecting Waterpeople

EPA to ramp up cybersecurity inspections for water utilities



The Environmental Protection Agency (EPA) has issued a stark warning to the nation's water utilities, highlighting significant gaps in cybersecurity compliance amid a growing wave of cyber threats. Announced on Monday, the EPA's new enforcement alert reveals that over 70% of inspected water systems fail to meet critical security standards set out by the Safe Drinking Water Act (SDWA). Deficiencies include reliance on default passwords and lack of multi-factor authentication.

Amid escalating cyber-attacks on the water sector, the EPA is intensifying its inspections and enforcement measures. "Protecting our nation’s drinking water is a cornerstone of EPA’s mission," said EPA Deputy Administrator Janet McCabe. "We are committed to using every tool, including our enforcement authorities, to ensure our nation’s drinking water is protected from cyberattacks."

“EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health,” she added.

Recent incidents underscore the sector's vulnerability. In April, Russian hacktivists targeted several water systems in Texas, causing disruptions although services remained operational. Similarly, in November, Iranian-linked Cyber Av3ngers defaced equipment used in U.S. water systems, further highlighting the sector’s exposure to international cyber threats.

The EPA's findings show many utilities have not conducted the required risk and resilience assessments or developed emergency response plans. In response, the EPA plans to increase inspections of community water systems and, where appropriate, will take civil and criminal enforcement actions, including in response to a situation that may present an imminent and substantial endangerment. Inspections will ensure that water systems are meeting their requirements to regularly assess resilience vulnerabilities, including cybersecurity, and to develop emergency response plans. 

Efforts to impose cybersecurity mandates have faced legal challenges. Last year, an EPA update proposing new cyber rules was stalled by opposition from several states and water trade associations. Critics argue the EPA overstepped its authority, advocating instead for a dedicated federal regulatory body modeled after the electric sector. This has led to the introduction of the Water Risk and Resilience Organization Establishment Act, aiming to create such a body focused on cybersecurity and water systems.

The EPA and the White House have jointly reached out to state governors, warning about cyber threats and inviting them to a meeting with federal officials. The letter highlights threats from groups like the Chinese-linked Volt Typhoon, which could potentially disrupt U.S. infrastructure in a conflict scenario.

With the threat landscape evolving, the EPA's alert signals a critical push to bolster cybersecurity defenses across the nation's water utilities, ensuring the protection of public health and essential services.
