EPA reports cybersecurity gaps in 70% of inspected water systems, issues alert

security hack Threats of data leaks and system security
The cyberthreat alert comes on the heels of recently identified hacks of water infrastructure in Texas and Indiana. Photo Credit: MrPanya, stock.adobe.com

In response to the increasing frequency and severity of threats and attacks on U.S. water systems, the Environmental Protection Agency (EPA) has issued an enforcement alert to help guide vulnerable communities that may not be adequately employing cybersecurity protocols.

Recent inspections by the EPA revealed that more than 70% of water systems were out of compliance with Section 1433 requirements of the Safe Drinking Water Act, such as default passwords that have not been updated, or single logins that can easily be compromised, the agency warned.

“The agency will increase the number of planned inspections and, where appropriate, will take civil and criminal enforcement actions, including in response to a situation that may present an imminent and substantial endangerment,” the EPA announced in a statement on May 20. “Inspections will ensure that water systems are meeting their requirements to regularly assess resilience vulnerabilities, including cybersecurity, and to develop emergency response plans.”

The cyberthreat alert comes on the heels of recently identified hacks of water infrastructure in Texas and Indiana. While the Indiana incident appeared to have no impact on plant operations, the hack against Muleshoe, Texas, led to a water tank overflowing for about 30 minutes. Federal officials linked both cyberattacks to Russian hacker organizations. 

Subscribe to our Newsletter!

The latest environmental engineering news direct to your inbox. You can unsubscribe at any time.

The new EPA alert is intended to help close gaps in cyber resilience. It draws attention back to a joint fact sheet it released in February with the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. Entitled Top Cyber Actions for Securing Water Systems, the fact sheet outlines steps water systems can take to enhance security.

The steps include: 

  • Reduce exposure to public-facing internet
  • Conduct regular cybersecurity assessments
  • Change default passwords immediately
  • Conduct an inventory of OT/IT assets
  • Develop and exercise cybersecurity incident response and recovery plans
  • Backup OT/IT systems
  • Reduce exposure to vulnerabilities
  • Conduct cybersecurity awareness training.

EPA Administrator Michael Regan and National Security Advisor Jake Sullivan also recently sent a letter to the nation’s governors on the urgency of the threats and the importance of collaboration across federal and state partners to develop comprehensive cybersecurity strategies. Following the meeting, the National Security Council encouraged each state to prepare an action plan presenting the state’s strategy to mitigate the most significant cybersecurity vulnerabilities in the states’ water and wastewater systems by late June.

EPA is also moving forward with the Water Sector Coordinating Council and Water Government Coordinating Council to establish a task force to identify additional near-term actions and strategies to reduce the risk of water and wastewater systems nationwide to cyberattacks. 

No posts to display


Please enter your comment!
Please enter your name here