EPA alerts drinking water systems on cybersecurity vulnerabilities, increasing enforcement actions

The U.S. Environmental Protection Agency (EPA) disclosed Monday that over 70 percent of the drinking water systems that it has inspected since last September violate basic Safe Drinking Water Act (SDWA) Section 1433 requirements, including missing specific sections of the Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs). Against this backdrop, the agency published an enforcement alert warning drinking water systems to address their cybersecurity vulnerabilities. The agency is also increasing enforcement actions to ensure drinking water systems address cybersecurity threats.

“When on-site, EPA inspectors have identified alarming cybersecurity vulnerabilities at drinking water systems across the country and taken actions to address them,” the EPA detailed in its enforcement alert. “For example, some water systems failed to change default passwords, use single logins for all staff, or failed to curtail access by former employees.” 

EPA also has found instances of inadequate RRAs and/or ERPs because analysts did not, for example, include an assessment of the resilience of systems or strategies and resources to improve the resilience of the cybersecurity of those systems. These failures involve potential violations of Section 1433 and miss an opportunity to safeguard operations through the RRAs and ERPs.

The enforcement alert provides community water systems (CWSs) with information on immediate steps they can take to ensure compliance with SDWA Section 1433 and reduce cybersecurity vulnerabilities. 

It added that cyberattacks against CWSs are increasing in frequency and severity across the country. “Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.”

The agency suggests ‘implementing basic cyber hygiene practices can help your utility prevent, detect, respond to, and recover from cyber incidents. Because water utilities often rely on computer software to operate their treatment plants and distribution systems, protecting information technology and process control systems from cyberattacks is vital.’

EPA highlighted that small water systems are not immune from cyberattacks. “Recently, disruptive cyberattacks from adversarial nation-states have impacted water systems of all sizes, including many small systems. As a result of these increased threats, EPA is increasing its enforcement activity to protect our nation’s drinking water,” it added.

As part of EPA’s multi-year drinking water National Enforcement and Compliance Initiative, Increasing Compliance with Drinking Water Standards, inspectors are assessing CWS compliance with SDWA Section 1433. Given the vulnerabilities and attacks on systems, the EPA will increase the number of CWS inspections that focus on cybersecurity. Where vulnerabilities are identified and may present an imminent and substantial endangerment to public health, enforcement actions may be appropriate under SDWA Section 1431 to mitigate those risks.

The enforcement alert added that the EPA has taken over 100 SDWA enforcement actions nationally against CWSs for violations of Section 1433 since 2020, which was the first deadline for systems to develop and update their RRAs and ERPs. “These enforcement actions have been based on various findings, including failure to certify, and not addressing the statutorily required elements in the RRAs and ERPs, which include looking at cyber threats.” 

As EPA steps up inspections, the agency intends to use enforcement authorities to address problems that it observes in the field such as failure to prepare adequate RRAs and ERPs (SDWA, Section 1433). The water agency also has a range of enforcement options available, including emergency powers and criminal sanctions.

The EPA alert coincides with alerts from various federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency, and EPA. These agencies have issued multiple advisories warning about cyberattacks targeting information networks and process control systems at water and wastewater facilities by nation-state entities. 

Organizations across the water sector have faced threats from the Iranian Government Islamic Revolutionary Guard Corps, Russian state-sponsored actors, and People’s Republic of China (PRC) state-sponsored cyber actors, known as Volt Typhoon and Vanguard Panda, among others. Foreign governments have already disrupted some water systems through cyberattacks and may possess the capability to disable them in the future.

In March, the U.S. White House and the EPA warned state governors of the threat of cyberattacks targeting water and wastewater systems. These attacks have the potential to disrupt the essential supply of clean and safe drinking water, leading to significant costs for affected communities.

The EPA, CISA, and the FBI have called upon asset owners and operators to secure water systems by reducing exposure to the public-facing internet; conducting regular cybersecurity assessments; changing default passwords immediately; conducting an inventory of OT/IT (operational technology/information technology) assets; developing and exercising cybersecurity incident response and recovery plans; backing up OT/IT systems; reducing exposure to vulnerabilities; and conducting cybersecurity awareness training.
