Cyberattacks Threaten U.S. Water Systems, EPA Warns

On Monday, the Environmental Protection Agency (EPA) issued a dire warning about cyberattacks targeting community drinking water systems across the nation. The EPA's inspections revealed that over 70% of these systems failed to fully comply with the Safe Drinking Water Act, exposing critical cybersecurity vulnerabilities.

The EPA highlighted several issues, including the failure to update default passwords and the use of single logins, which leave systems susceptible to attacks. The agency recommended that system operators reduce exposure to public-facing internet, conduct regular cybersecurity assessments, immediately change default passwords, and conduct an inventory of operational technology (OT) and information technology (IT) assets.

• Over 70% of water systems are not fully compliant with cybersecurity requirements.

• Critical vulnerabilities include outdated passwords and single login usage.

• Recommended actions: reduce public internet exposure, regular assessments, change passwords, inventory OT/IT assets.

EPA Deputy Administrator Janet McCabe emphasized the urgency of the situation, noting that many systems have not completed necessary risk assessments that include cybersecurity measures. These vulnerabilities are particularly concerning given that adversarial nations like China, Russia, and Iran are actively seeking capabilities to disable U.S. critical infrastructure, including water and wastewater systems.

In May 2023, Microsoft reported that state-backed Chinese hackers, known as Volt Typhoon, targeted U.S. infrastructure systems, including drinking water. Similarly, in November 2023, the Municipal Water Authority of Aliquippa reported a cyberattack on one of their booster stations by a group called Cyber Av3ngers, backed by Iran.

Just last month, a Russian hacktivist group breached a Texas town's water system. "There were 37,000 attempts in four days to log into our firewall," said Mike Cypert, city manager of Hale Center. Cybersecurity expert Dawn Cappelli warned that these nation-states use hacktivist groups to carry out attacks, providing plausible deniability and increasing the threat's severity.

Alan Roberson, executive director of the Association of State Drinking Water Administrators, acknowledged the challenges ahead: "In an ideal world … we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that, but that’s a long ways away."

As cyber threats continue to evolve, it is crucial for water systems to strengthen their cybersecurity measures to protect America's drinking water infrastructure from potentially devastating attacks.

Please share this article and subscribe to our newsletter for more updates on national security.