The EPA said cyberattacks against public drinking water systems have increased in recent years and pose a threat to public health and safety. The Safe Drinking Water Act requires ensuring the cybersecurity of systems.
However, EPA's preliminary testing found that more than 70% of the systems tested were unsafe. Some systems used default passwords and single logins, making them vulnerable to cybercriminals and threat actors, authorities said.
In its enforcement alert on Monday, the EPA said it would increase the number of planned inspections to ensure systems are secure and have emergency response plans. The agency urged systems to follow recommendations made by the EPA, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. The recommendations include conducting regular cybersecurity risk assessments, holding cybersecurity awareness training and securing public internet interfaces.
The agency said failure to fully comply with the Safe Drinking Water Act could result in civil or criminal enforcement action by the EPA.
EPA Deputy Administrator Janet McCabe said in a press release, “EPA's new enforcement alert is the latest step the Biden-Harris administration is taking to help communities understand the urgency and seriousness of cyberattacks, and will continue to impact water systems. We are prepared to address these serious threats to our nation's public health.”
EPA's increased oversight is part of a broader effort by the National Security Council (NSC) and Department of Homeland Security to strengthen the cybersecurity of the nation's infrastructure. The NSC is asking states to identify their most vulnerable water systems and develop strategies to reduce those risks by late June. Government agencies say they are asking businesses and infrastructure entities to start reporting significant cyber incidents.