Article Summary –
Cyberattacks against US water utilities are becoming increasingly frequent and severe, prompting the Environmental Protection Agency to issue a warning and urging immediate protective measures, particularly as 70% of utilities inspected by federal officials over the past year violated standards meant to prevent breaches or intrusions. The agency also highlighted the potential impacts of such attacks, including interruptions to water treatment and storage, damage to pumps and valves, and alteration of chemical levels to hazardous amounts. Cyberattacks have been linked to geopolitical rivals such as China, Russia, and Iran, with some targeting utilities’ operations rather than just their websites, leading to fears of disruptions to the supply of safe drinking water to homes and businesses.
Increasing Cyberattacks on Water Utilities Warns the EPA
The Environmental Protection Agency (EPA) issued a pressing alert on Monday concerning escalating cyberattacks against water utilities nationwide. These attacks could potentially impact the security of the country’s drinking water.
Upon inspection over the last year, federal officials found that about 70% of utilities violated standards designed to thwart breaches. The agency urges even minor water systems to bolster their defenses against cyber threats. Attacks by groups affiliated with Iran and Russia targeting smaller communities have recently been on the rise.
Several water systems have not taken elementary precautions such as changing default passwords or preventing access to former employees. The EPA expressed that safeguarding information technology and process controls is vital for water utilities as they heavily depend on computer software for operating treatment plants and distribution systems. Cyberattacks pose risks of interruptions to water treatment and storage; damage to pumps and valves; and hazardous alteration of chemical levels.
Deputy Administrator Janet McCabe stated, “In many cases, systems are not acting as they should, which includes conducting a risk assessment of their vulnerabilities encompassing cybersecurity, and ensuring this plan informs their operation methods.”
Attempts to infiltrate a water provider’s network by private entities are not novel, but recent trends show attacks focusing on utilities’ operations as opposed to merely defacing websites. Even geopolitical rivals have been linked to recent cyberattacks on water utilities, potentially causing disruption of safe water supply to residential and commercial areas.
Countries like China, Russia, and Iran are actively seeking to disable U.S. critical infrastructure, including water and wastewater, according to McCabe. Last year, an Iranian-linked group known as “Cyber Av3ngers” targeted a small Pennsylvania town’s water provider, causing it to switch from remote pump operation to manual handling. Earlier this year, a Russian-linked group tried to disrupt operations at several Texas utilities. A cyber group linked to China, known as Volt Typhoon, has compromised multiple critical infrastructure systems in the U.S, including drinking water.
It is believed that world’s cyber superpowers have been infiltrating rivals’ critical infrastructure, embedding malware that could potentially disrupt basic services. The EPA’s enforcement alert aims to underline the gravity of cyber threats, informing utilities that inspections will continue, possibly leading to civil or criminal penalties upon discovering significant issues.
The number of successful cyberattacks in recent years remains unknown, though it seems to be relatively low. Since 2020, the EPA has issued nearly 100 enforcement actions concerning risk assessments and emergency response. This indicates only a minuscule snapshot of the threats that water systems face.
Some fixes are simple, such as changing default passwords and creating a risk assessment plan that considers cybersecurity. The EPA has promised to offer free training to water utilities in need. Larger utilities generally have more resources and expertise to defend against attacks.
However, some challenges are foundational. With an estimated 50,000 community water providers, most serving small towns, the water sector is highly fragmented. Limited staffing and resources in many locations make it challenging to maintain basics, such as ensuring clean water and keeping up with the latest regulations.
Efforts are being made to combat the issue, but the complexity and cost involved in overhauling internet-connected systems are substantial. Industry groups have published guidance for utilities and advocated for establishing a new organization of cybersecurity and water experts to develop and enforce new policies in partnership with the EPA.
—
Read More Kitchen Table News
