Industries News.Net

Utilities must do more to stop cyberattacks on water supplies: US

Robert Besser
26 May 2024

WASHINGTON, D.C.: The Environmental Protection Agency (EPA) warned that cyberattacks on water utilities in the U.S. are increasing in frequency and severity, issuing an alert for water systems to bolster their defenses.

A recent EPA inspection revealed that about 70 percent of utilities failed to meet cybersecurity standards, leaving them vulnerable to breaches. The agency urged even smaller water systems to improve their cybersecurity measures. Recent cyberattacks by groups affiliated with Russia and Iran have targeted smaller communities.

"In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business," said EPA Deputy Administrator Janet McCabe. Basic lapses, such as failing to change default passwords or to revoke access for former employees, are common.

Water utilities rely heavily on computer systems to manage treatment plants and distribution, making cybersecurity essential. The EPA noted that cyberattacks could disrupt water treatment, damage infrastructure, or alter chemical levels to dangerous amounts.

McCabe identified China, Russia, and Iran as countries actively seeking the capability to disrupt U.S. critical infrastructure, including water systems. A notable incident involved an Iranian-linked group, Cyber Av3ngers, which forced a small Pennsylvania town's water provider to switch from remote to manual operations. Other attacks linked to Russian and Chinese groups have also been reported.

"By working behind the scenes with these hacktivist groups, now these (nation states) have plausible deniability and they can let these groups carry out destructive attacks. And that to me is a game-changer," said Dawn Cappelli, a cybersecurity expert with the industrial cybersecurity firm Dragos Inc.

The EPA's alert is part of a broader effort by the Biden administration to safeguard critical infrastructure. In February, President Joe Biden signed an executive order to protect U.S. ports, and similar measures have been taken for healthcare and electric utilities.

The EPA's enforcement alert emphasizes the importance of cybersecurity for water utilities and warns that continued inspections may lead to civil or criminal penalties for serious violations. "We want to make sure that we get the word out to people that 'Hey, we are finding a lot of problems here,'" McCabe said.

Despite these efforts, foundational challenges remain. The water sector is highly fragmented, with roughly 50,000 community water providers, most serving small towns with limited resources. Alan Roberson, executive director of the Association of State Drinking Water Administrators, noted the difficulty in achieving a baseline level of cybersecurity across all utilities.

States have faced setbacks in implementing cybersecurity evaluations. After a legal challenge from Missouri, Arkansas, and Iowa, the EPA withdrew its mandatory requirements but encouraged voluntary actions.

Without substantial federal funding, water utilities struggle to overhaul vulnerable systems. The American Water Works Association has published guidance and advocates for a new organization to develop and enforce cybersecurity policies in partnership with the EPA.

"Let's bring everybody along in a reasonable manner," said Kevin Morley, manager of federal relations with the American Water Works Association, emphasizing the different needs and resources of small and large utilities.
