EPA Cracks Down on US Water System Cybersecurity Violations
Regulator Announces Increased Cybersecurity Enforcement as Threats Escalate
The Environmental Protection Agency is stepping up its cybersecurity oversight of U.S. drinking water systems after recent inspections showed that the vast majority of inspected systems practice poor cybersecurity.
EPA inspectors have identified "alarming cybersecurity vulnerabilities" at drinking water systems nationwide, according to a recently published alert that highlights use of default passwords and single logins for all staff.
The Safe Drinking Water Act includes an entire component - titled Section 1433 - mandating certain security, risk management and public notification requirements for community and non-community water systems. But according to the EPA, more than 70% of systems inspected since September 2023 are in violation of those basic requirements, which include conducting risk and resilience assessments, developing emergency response plans and establishing procedures to notify the public and law enforcement in the event of a physical or cyber incident.
The EPA is warning owners and operators of U.S. drinking water systems that the agency "intends to use enforcement authorities to address problems quickly," such as the failure to prepare emergency response plans or to conduct risk and resilience assessments as required by the Safe Drinking Water Act.
The agency also encouraged U.S. drinking water system owners and operators to immediately change their passwords, reduce their systems' exposure to the public-facing internet, conduct regular cybersecurity assessments and back up both their operational and information technology systems, among other key recommendations.
The agency said it has taken over 100 enforcement actions against community water systems for Section 1433 violations since 2020, when those systems were first required to develop and update emergency response plans and risk and resilience assessments. The EPA said it can use emergency powers under the Safe Drinking Water Act against owners and operators in violation of its requirements, or even levy criminal sanctions against those found to have knowingly and willfully provided false certifications.
The EPA said it will increase the number of community water system inspections that focus on cybersecurity as part of a multiyear national enforcement and compliance initiative.
Nearly half of the 50,000 regulated drinking water systems across the U.S. were in violation of at least one drinking water standard in 2022, while nearly 30% of community water systems had monitoring and reporting violations, according to EPA data.
The EPA, the Cybersecurity and Infrastructure Security Agency and the FBI have called on the U.S. water sector to boost cyber resilience throughout 2024, warning of increased threats targeting water systems nationwide and issuing a series of guidance for owners and operators.
Experts have told Information Security Media Group the U.S. water and wastewater sector lacks the funding and technical resources to comply with federal security requirements (see: Water Sector Lacks Support to Meet White House Cyber Demands). Water sector leaders also urged Congress in recent months to provide funding and technical expertise to help improve the industry's cyber posture amid increasing threats.
The EPA appears to be invoking enforcement authorities under the Safe Drinking Water Act that are separate from those that stirred controversy in 2023, when the administration backed down from attempts to require states to conduct cybersecurity evaluations of local water systems. That move was followed by lawsuits and criticism from the attorneys general of Missouri, Arkansas and Iowa, as well as the American Water Works Association.
A spokesperson for the EPA told Information Security Media Group the agency "issued an enforcement alert on cybersecurity threats to drinking water systems to inform community water systems about the immediate steps they should take to ensure compliance" and "to provide information to reduce cybersecurity vulnerabilities."