Officials are concerned as Chinese, Iranian, and Russian criminals are targeting American drinking water supplies


In an enforcement alert sent on Monday, the Environmental Protection Agency said that cyberattacks against water utilities nationwide are becoming more frequent and serious, and that water systems should take prompt precautions to safeguard the country’s drinking water supply.

According to the government, about 70% of utilities inspected by federal officials in the past year broke rules intended to stop breaches or other intrusions. Even tiny water systems were urged by officials to strengthen their defenses against hackers. Russian and Iranian cyber gangs have recently targeted smaller villages with their cyberattacks.

According to the advisory, some water systems are not meeting basic requirements, such as changing default passwords or denying access to former staff. Protecting information technology and process controls is essential because water utilities frequently rely on computer software to run treatment plants and distribution networks, according to the EPA. According to the EPA, disruptions in water treatment and storage, harm to pumps and valves, and changes in chemical levels to dangerous levels are all potential consequences of cyberattacks.

Deputy Administrator Janet McCabe of the EPA stated, “In many cases, systems are not doing what they should be doing, which is to have completed a risk assessment of their vulnerabilities, including cybersecurity, and to make sure that plan is available and informing the way they do business.”

There have long been attempts by private organizations or individuals to breach a water provider’s network in order to take down or alter websites. Attackers have, however, recently shifted their focus from websites to the functioning of utilities.

Private entities are not the only ones behind recent attacks. Several recent breaches targeting water utilities are connected to geopolitical adversaries and could disrupt the supply of clean water to homes and businesses.

The EPA does not disclose the number of cyber events that have happened recently, and there have only been a few reported successful attempts to date.

The nations that are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater,” according to McCabe, are China, Russia, and Iran.

A group known as “Cyber Av3ngers,” with ties to Iran, attacked a number of businesses late last year, forcing the water provider of a small Pennsylvania town to switch from a remote pump to manual operations. They were targeting an Israeli-manufactured device that the utility had been using, following Israel’s war with Hamas.

A “hacktivist” with ties to Russia attempted to interfere with the operations of multiple Texas utilities earlier this year.

According to U.S. officials, a cyber gang called Volt Typhoon that is associated with China has gained access to the information technology of several vital infrastructure systems, including drinking water systems, in the United States and its territories. Experts in cybersecurity think the organization allied with China is setting itself up for possible cyberattacks in the event of armed conflict or escalating geopolitical tensions.

“By collaborating behind the scenes with these hacktivist groups, these [nation states] can now grant these groups plausible deniability and allow them to carry out damaging attacks. And that, in my opinion, is a game-changer,” stated Dawn Cappelli, a cybersecurity specialist employed by Dragos Inc., an industrial cybersecurity company.

It is thought that the world’s cyberpowers have been infiltrating the vital infrastructure of their competitors for years, installing malware that may be activated to interfere with fundamental functions.

The purpose of the enforcement alert is to alert utilities to the gravity of cyberthreats, to continue EPA inspections, and to pursue civil or criminal fines if significant issues are discovered.

McCabe stated, “We want to make sure that we let people know that we are finding a lot of problems here.”

The Biden administration is attempting to counter threats to vital infrastructure in part by preventing assaults against water providers. President Joe Biden issued an executive order in February to safeguard American ports. Attacks have been made against healthcare systems. Electric providers have also been pressured by the White House to strengthen their security.

The White House National Security Advisor Jake Sullivan and EPA Administrator Michael Regan have requested that states develop a strategy to counteract cyberattacks on drinking water systems.

Regan and Sullivan sent a letter to all 50 U.S. governors on March 18 stating, “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.”

Several of the adjustments are simple, according to McCabe. For example, water providers must not use default passwords. They must set up backup systems and create a risk assessment plan that takes cybersecurity into account. The EPA claims to provide free training to water companies in need of assistance. Bigger utilities typically have greater resources and know-how to ward off intrusions.

“In a perfect world, everyone would be able to verify that they possess a basic level of cybersecurity,” stated Alan Roberson, the executive director of the Association of State Drinking Water Administrators. “But it’s quite a distance away.”

There are fundamental barriers. The water industry is very dispersed. The majority of the 50,000 or so community water providers serve small towns. It’s challenging enough to maintain the necessities, like supplying clean water and adhering to the most recent rules, in many regions due to meager staffing levels and inadequate funding.

Cybersecurity is undoubtedly a component of it, but it has never been their area of expertise. Amy Hardberger, a Texas Tech University water expert, said, “So, now you’re asking a water utility to develop this whole new sort of department” to manage cyberthreats.

There have been setbacks for the EPA. States evaluate water providers’ performance on a regular basis. The EPA directed states to include cybersecurity assessments in those examinations by March 2023. If they discovered issues, the government was meant to compel fixes.

However, Missouri, Arkansas, and Iowa, along with the American Water Works Association and another water industry group, contested the directives in court, arguing that the Safe Drinking Water Act gave the EPA insufficient jurisdiction. Following a legal defeat, the EPA removed its mandate but still encouraged states to take voluntary steps.

According to the Safe Drinking Water Act, some water companies must create strategies for potential hazards and attest to having done so. However, its potency is restricted.

“The law just does not have the authority to address cybersecurity,” Roberson stated.

According to Kevin Morley, manager of federal affairs at the American Water Works Association, there is a common yet serious vulnerability with some internet-connected components found in water utilities. Redesigning those systems can be a big and expensive undertaking. Water systems also have trouble finding resources in the absence of significant federal financing.

The business group has released recommendations for utilities and promotes the creation of a new cadre of water and cybersecurity specialists who would work with the EPA to create and implement new regulations.

Morley stated, “Let’s move everyone along in a reasonable manner,” noting that big and small utilities have distinct requirements and means.
