EPA Alerts Water Systems: Cybersecurity Threats at Critical Level

The U.S. Environmental Protection Agency (EPA) is intensifying its oversight of critical water infrastructure due to the escalating threat of cyberattacks. Recently, the agency issued a warning urging municipal services to take immediate measures to protect against cyber threats. The number of inspections will soon increase, and, where necessary, violators will face penalties and even criminal charges.


“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” said EPA Deputy Administrator Janet McCabe. “EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health.”

More than 70% of the facilities inspected since September 2023 do not comply with the requirements of the Safe Drinking Water Act. Key violations include the use of default passwords, failure to disable access for former employees, and other lapses in information security. Over the past three years, the agency has issued more than 100 fines for these violations.

An example cited was the activity of the Chinese hacker group Volt Typhoon. According to a February warning from the U.S. Department of Homeland Security, these hackers managed to breach IT systems at several critical infrastructure sites.

In January of this year, hacktivists, allegedly associated with the Sandworm group, caused an overflow at a water facility in Texas. Although this incident did not affect consumer water supplies, it underscored the vulnerability of these systems. Last year, a facility in Pennsylvania had to switch to manual control following a hacker attack carried out by a group affiliated with Iran’s Islamic Revolutionary Guard Corps.

The EPA urges water supply services to adhere to recommendations for ensuring cybersecurity and information system hygiene. These recommendations include regular staff training, backup of production and information systems, and strict measures to prevent accidental or intentional connections to public networks.

Earlier this year, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to state governors highlighting the high risks of cyberattacks in this critical infrastructure sector. This letter prompted a March meeting, after which the National Security Council directed each state to develop a specific action plan to address identified vulnerabilities by the end of June.