Skip to content
Menu
menu

Illustration by Security Management, iStock

EPA Issues Another Urgent Alert on Cyber Vulnerabilities of U.S. Water Supply

By Scott Briscoe
21 May 2024

Today in Security

Two months after its last warning, the U.S. Environmental Protection Agency (EPA) issued another warning about cyberattack vulnerabilities of public water utilities.

“Cyberattacks against [community water systems] are increasing in frequency and severity across the country,” the EPA’s alert reported. “Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.”

According to the alert, more than 70 percent of the utilities the EPA inspected in the last year did not meet the standards necessary to repel cyberattacks. Some of the failures were of the basic variety: not changing default passwords and not dissabling the credentials of former employees.

Hackers that gain access could exploit any number of vulnerabilities, from altering chemical composition to poisoning the supply to shutting down systems to damaging pumps and valves.

As part of the announcement, the EPA said it would step up inspection and enforcement actions. “As EPA steps up inspections, the Agency intends to use enforcement authorities to address problems quickly, that it observes in the field such as failure to prepare adequate RRAs [Risk and Resilience Assessments] and ERPs [Emergency Response Plans],” the EPA said in the alert.

The actions show how the EPA is trying to establish its influence in regulating water utilities cyber defenses. However, the EPA’s actions do not come without controversy. In a Security Management article from March 2023, Mea Clift and Tim Maynard described how the American Water Works Association asserted that the EPA’s requirements are not the type of controls needed to safeguard the water supply and would force utilities to divert their limited IT resources away from more meaningful protections.

In a fact sheet developed by the EPA along with the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, the agencies list eight actions—with links to additional resources for each action—that water and wastewater utilities should take to reduce their vulnerability to cyber attacks:

  1. Reduce exposure to the public-facing Internet.
  2. Conduct regular cybersecurity assessments.
  3. Change default passwords immediately.
  4. Conduct an inventory of OT-IT assets.
  5. Develop and exercise cybersecurity incident response and recovery plans.
  6. Backup OT/IT systems.
  7. Reduce exposure to vulnerabilities.
  8. Conduct cybersecurity awareness training.

Focus on Toxic Workplaces

Tough Talk or Toxic? A Guide to Navigating Difficult Workplace Conversations

Infographic: What Support Do Workers Want from Employers?

How Security Managers Can Curb Toxicity and Promote a Positive Workplace Culture

Is Your Workplace Toxic? Here's What You Need to Do

Fast Facts: What Makes a Workplace Toxic?

Publicly Humiliating Events: A Precursor to Workplace Violence?

Best of Security Management

Is Your Workplace Toxic? Here's What You Need to Do

How Climate and Security Are Connected

Safeguarding the 2024 Olympics in Paris: A Comprehensive Security Approach

Infographic: How to Create Inclusive Evacuation Plans

The Fundamentals of Alerting Employees About Their Daily Commutes

3 Lessons for Building a Stronger School Security Culture
arrow_upward