In response to increasing cyber threats, the Environmental Protection Agency (EPA) has issued a critical warning to water utilities across the nation, revealing substantial gaps in cybersecurity compliance. According to the EPA’s recent enforcement alert, more than 70% of inspected water systems fail to meet essential security standards mandated by the Safe Drinking Water Act (SDWA). Common deficiencies include the use of default passwords and a lack of multi-factor authentication.

A Growing Threat

Cyberattacks targeting water systems are on the rise. Notable incidents include Russian hacktivists disrupting water systems in Texas and Iranian-linked “CyberAv3ngers” defacing U.S. water infrastructure equipment. These attacks underscore the sector’s vulnerability and the urgent need for enhanced cybersecurity measures.

EPA’s Increased Enforcement Measures

To address these threats, the EPA is ramping up inspections and enforcement actions. Deputy Administrator Janet McCabe emphasized the agency’s commitment to protecting the nation’s drinking water from cyberattacks. The EPA’s plan includes:

  • Increased Inspections: More frequent checks of community water systems to ensure compliance with cybersecurity standards.
  • Civil and Criminal Actions: Potential enforcement actions against non-compliant systems, especially those posing imminent risks.
  • Risk and Resilience Assessments: Ensuring utilities conduct mandatory risk assessments and develop robust emergency response plans.

Legal and Regulatory Challenges

Efforts to mandate cybersecurity measures have faced opposition. A proposed EPA update introducing new cyber rules was halted by legal challenges from several states and water trade associations, who argued that the EPA overstepped its authority. In response, the Water Risk and Resilience Organization Establishment Act was introduced to create a dedicated federal regulatory body for cybersecurity in water systems, similar to the electric sector’s regulatory framework.

Collaboration and Future Steps

The EPA, along with the White House, has reached out to state governors, emphasizing the severity of cyber threats and the need for a coordinated response. A meeting with federal officials aims to bolster state-level awareness and readiness.

The EPA’s alert underscores the critical need for water utilities to prioritize cybersecurity, safeguarding public health and ensuring the resilience of essential services against evolving cyber threats.

SOURCES: EPA, Smart Water Magazine