Critical Infrastructure Security
Amid growing threats, EPA steps up cybersecurity enforcement for U.S. water systems
Chris Liotta
May 22, 2024
The Environmental Protection Agency is stepping up its cybersecurity oversight of U.S. drinking water systems after recent inspections found the majority of systems tested had poor cybersecurity practices.
According to a recently published alert, EPA inspectors have identified “alarming cybersecurity vulnerabilities” in drinking water systems across the country, highlighting the use of default passwords and a single login for all employees.
The Safe Drinking Water Act includes an entire component titled Section 1433 that mandates certain security, risk management, and public notification requirements for community and non-community water systems. However, EPA found that more than 70% of systems inspected since September 2023 were in violation of basic requirements, such as conducting risk and resilience assessments, developing emergency response plans, and establishing procedures to notify the public and law enforcement in the event of a physical or cyber emergency.
The EPA is warning owners and operators of U.S. drinking water systems that the agency “intends to use its enforcement authorities to rapidly address problems,” including failures to prepare emergency response plans or to conduct risk and resilience assessments as required under the Safe Drinking Water Act.
The agency also issued key recommendations for owners and operators of U.S. drinking water systems, including immediately changing passwords, reducing their systems' exposure to the public internet, conducting regular cybersecurity assessments, and backing up both operational and information technology systems.
The agency has filed more than 100 enforcement actions against local water systems for violations of Section 1433 since 2020, when local water systems were first required to develop and update emergency response plans and risk and resilience assessments. EPA will use its emergency powers under the Safe Drinking Water Act against owners and operators who violate its requirements or who are found to have intentionally and knowingly provided false certifications, and may also impose criminal penalties.
The EPA said it will increase the number of inspections of community water systems focused on cybersecurity as part of a multi-year national enforcement and compliance effort.
According to EPA data, nearly half of the nation's 50,000 regulated drinking water systems were in violation of at least one drinking water standard in 2022, and about 30% of community water systems had monitoring and reporting violations.
Throughout 2024, the EPA, the Cybersecurity and Infrastructure Security Agency and the FBI have issued a series of guidance documents calling on the U.S. water industry to strengthen its cyber resilience, warning of increasing threats targeting water systems nationwide and providing guidance to owners and operators.
Experts told Information Security Media Group that the U.S. water and wastewater sector lacks the financial and technical resources to comply with federal security requirements (see: Water Sector Lacks Support to Meet White House Cyber Demands). Water industry leaders have also asked Congress in recent months to provide funding and technical expertise to improve the industry's cyber posture amid growing threats.
The EPA appears to be invoking enforcement authority different from the one it used to controversially roll back an administration attempt to require states to conduct cybersecurity assessments of local water systems under the Safe Drinking Water Act in 2023. The move has sparked lawsuits and criticism from the attorneys general of Missouri, Arkansas and Iowa, as well as the American Water Works Association.
An EPA spokesperson told Information Security Media Group that the agency “has issued an enforcement alert regarding cybersecurity threats to drinking water systems, informing local water systems of the immediate steps they should take to ensure compliance,” and that it “also provided information to help reduce cybersecurity vulnerabilities.”