By Gregory Hale
Cyberattacks, or the potential for them, continue to rise across the water sector and the federal government through varies agencies wants to continue increasing awareness.

That is why the Environmental Protection Agency (EPA) Monday released an enforcement alert outlining the urgent cybersecurity threats and vulnerabilities to community drinking water systems and the steps these systems need to take to comply with the Safe Drinking Water Act.

The alert is part of a government-wide effort – led by the National Security Council and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) – to reduce the nation’s infrastructure and cybersecurity vulnerabilities.

EPA issued this alert because threats to, and attacks on, the nation’s water system have increased in frequency and severity to a point where there needs to be additional action.

Schneider Bold

Improve Cyber Resilience
“Recent threats, such as those from the Volt Typhoon group, have targeted weaknesses in critical infrastructure and OT environments, and we’ve seen CISA and the Five Eyes alliance issuing recent advisories about the dangers posed by this threat group and others targeting critical sectors,” said Eric Knapp, CTO of OT at OPSWAT, a cybersecurity organization focused on protecting critical infrastructure. “CISA and other U.S. government agencies discovered that these hackers’ access extended to the power grids, communications systems and water supplies for military bases within the U.S. and abroad, showing an even more dire need for these water utilities to improve their cyber resilience.

“Water systems remain vulnerable for a few reasons, including outdated legacy systems, the use of interconnected networks, limited resources, and even a lack of enforced regulations. While a new bill was proposed last month to establish a Water Risk and Resilience Organization that would develop risk and resilience standards specifically tailored for the water sector, we strongly recommend water utilities take immediate action to reduce vulnerabilities and chances of falling victim to a cyber incident. These include:

  • First and foremost, change default passwords
  • Adopting standards applicable to other critical infrastructure and OT environments, such as NERC CIP
  • Controlling peripheral media and securely manage the use of USBs, vendor laptops, and other devices entering critical environments
  • Implementing data diodes or unidirectional security gateways to ensure one-way communication and data sharing
  • Developing and maintaining comprehensive incident response plans
  • Providing regular cybersecurity training”

Knapp’s recommendations fall in line with what the EPA is trying to get across in its advisory.

Safe Drinking Water
“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” said EPA Deputy Administrator Janet McCabe. “EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health.”

Additionally, EPA inspections revealed the majority of water systems inspected – over 70 percent – do not fully comply with requirements in the Safe Drinking Water Act and that some of those systems have critical cybersecurity vulnerabilities, such as default passwords not updated or changed, and single logins an attacker could easily compromise.

Moreover, as EPA and its state and federal security and intelligence partners continue to identify vulnerabilities, informed by successful cyberattacks to water systems across the United States, the agency remains committed to working with state and sector organization partners to successfully protect drinking water for communities.

EPA wants to emphasize the importance of its ongoing inspection and enforcement activities under Safe Drinking Water Act section 1433.

To that end, the agency said it will increase the number of planned inspections and, where appropriate, will take civil and criminal enforcement actions, including in response to a situation that may present an imminent and substantial endangerment.

Water Inspections
Additionally, inspections will ensure water systems are meeting their requirements to regularly assess resilience vulnerabilities, including cybersecurity, and to develop emergency response plans. In addition, EPA, CISA, and the FBI recommend system operators take steps outlined in Top Actions for Securing Water Systems:

  • Reduce exposure to public-facing Internet
  • Conduct regular cybersecurity assessments
  • Change default passwords immediately
  • Conduct an inventory of OT/IT assets
  • Develop and exercise cybersecurity incident response and recovery plans
  • Backup OT/IT systems
  • Reduce exposure to vulnerabilities
  • Conduct cybersecurity awareness training

Click here to view the enforcement alert.


Pin It on Pinterest

Share This