The Environmental Protection Agency (EPA) said Monday that recent inspections have revealed that more than 70 percent of water systems looked at since September 2023 are in violation of basic Safe Drinking Water Act requirements – thus causing “critical” cybersecurity vulnerabilities.

“EPA inspectors have identified alarming cybersecurity vulnerabilities at drinking water systems across the country,” the EPA’s May 20 enforcement alert said. “For example, some water systems failed to change default passwords, use single logins for all staff, or failed to curtail access by former employees.”

Section 1433 of the Safe Drinking Water Act requires all community water systems serving more than 3,300 people to conduct Risk and Resilience Assessments and develop Emergency Response Plans, but the EPA found that a majority of the nation’s water systems are failing to fully comply with this law.

In its enforcement alert, the EPA warned that it will “step up” its inspections and “intends to use enforcement authorities to address problems quickly.” The agency said this includes the use of emergency powers and criminal sanctions.

“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” said EPA Deputy Administrator Janet McCabe. “EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health.”

The EPA, alongside the FBI and the Cybersecurity and Infrastructure Security Agency, strongly recommends that operators secure their water systems by:

  • Reducing exposure to the public-facing internet;
  • Conducting regular cybersecurity assessments;
  • Changing default passwords immediately;
  • Conducting an inventory of OT/IT assets;
  • Developing and exercising cybersecurity incident response and recovery plans;
  • Backing up OT/IT systems;
  • Reducing exposure to vulnerabilities; and
  • Conducting cybersecurity awareness training.

Water sector cybersecurity has been top of mind for lawmakers and Federal officials since the discovery of foreign adversaries – including China and Iran – compromising U.S. critical infrastructure and water facilities.

Congress just last month introduced a new bill that would create a new governing body to oversee cybersecurity requirements and recommendations for drinking and wastewater systems.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.