The Environmental Protection Agency (EPA) issued an urgent alert on 20 May to the nation's water utilities, emphasizing the rising cybersecurity threats and announcing increased security-focused inspections and enforcement activities. The EPA's findings revealed that over 70% of inspected water systems are not fully compliant with cybersecurity requirements under the Safe Drinking Water Act (SDWA). Key issues identified include reliance on default passwords and lack of multi-factor authentication (US EPA).
Source: https://eastcoastwaterquality.com/news/russian-hackers-cyber-attack-on-us-water-utilities/
EPA Deputy Administrator Janet McCabe stressed the importance of safeguarding drinking water from cyberattacks, emphasizing the EPA’s commitment to using all available tools, including enforcement authorities, to ensure water systems are secure. This alert is part of the broader efforts by the Biden-Harris Administration to address the severity of cyber threats and prepare water systems accordingly (Inside EPA).
Recent Cyber Incidents Highlight Vulnerabilities
Recent cyber incidents underscore the vulnerabilities within the U.S. water sector. In April, Russian hacktivists, operating under the banner of the Cyber Army of Russia Reborn, targeted several water systems in Texas (EastCoast). These attacks led to an overflow at a utility in Muleshoe and involved direct manipulations of human-machine interfaces (HMIs), causing potentially dangerous disruptions. Another significant attack involved the Cyb3r Avengers, linked to Iran’s military intelligence, who defaced programmable logic controllers. Video evidence posted on Telegram by the Cyber Army of Russia Reborn showcased their intrusions, not only in Texas but also at a wastewater treatment plant in Poland and a water mill in France, which they misrepresented as a hydroelectric dam (US EPA) (Inside EPA).
This escalation from indirect cyber warfare tactics to direct engagement with critical infrastructure systems signals a strategic evolution within Russian cyber operations, potentially leading to more aggressive actions against international targets in the future (CyberScoop).
Enforcement and Compliance Challenges
The EPA identified significant gaps in compliance, such as the failure to conduct risk and resilience assessments and develop emergency response plans, as required by the SDWA. Since the 2020 deadline for these requirements, the EPA has taken over 100 enforcement actions and plans to increase inspections and enforce compliance more rigorously (CyberScoop).
Legislative and Regulatory Landscape
The EPA's attempts to impose cybersecurity mandates have faced legal challenges from states and water trade associations. Industry groups advocate for the establishment of a federal regulatory body for the water sector, similar to the electric sector's regulatory framework. Legislation, such as the Water Risk and Resilience Organization Establishment Act, has been introduced to create such a governing body focused on cybersecurity and water systems.
Primer on U.S. Critical Infrastructure Sectors
The US Government has defined 16 sectors of critical infrastructure that are vital to the continuity of the nation. Some of these sectors are clearly defined and labeled, making them easily understood. For example, sectors such as Dams, Energy, and Government Facilities are self-explanatory. Some sectors have very specific or very broad applicability. On the “more specific” end of the scale might be the Defense Industrial Base, and on the broad end of the scale, the Critical Manufacturing (MFG) Sector.
Using the nomenclature “sector” implies that they are independent verticals that operate alongside each other. In reality, some organizations operate in more than one sector due to having multiple products and services or multiple uses for a specific product, creating a more complex alignment with sector descriptions.
A way to describe how the sectors operate would be as “nodes” within an interconnected ecosystem. Each node has multiple inputs and outputs and a multi-dimensional supply chain of dependencies on each other. The infrastructure within each sector needs maintenance, repairs, retrofits, and other inputs to continue operating. These day-to-day needs create a heavy demand for raw and finished goods, which subsequently need to be transported to other critical sectors to sustain the infrastructure and their operations.
As shown in the figure above, organizations generating electric power take inputs of natural gas, which is reliant on the transportation systems sector for transport and so on. Ensuring the continuity of these disparate industries that supply the sector ecosystem is critical to maintaining and sustaining operations within each sector.
Broader Implications for Critical Infrastructure
The vulnerabilities in the water sector serve as a critical reminder for other sectors of critical infrastructure, such as energy, transportation, and healthcare. The rising cybersecurity threats highlight the urgent need for robust security measures across all essential services. Each sector must take proactive steps to assess their vulnerabilities, implement rigorous cybersecurity practices, and develop comprehensive emergency response plans (US EPA) (EnviroSciMag).
Ensuring the resilience and security of the nation’s essential services is crucial. As cyber threats continue to evolve, all sectors must prioritize cybersecurity to safeguard public safety and maintain the integrity of critical infrastructure. Regular security assessments, the adoption of advanced security technologies, and comprehensive incident response planning are essential to mitigate risks.
By learning from the water sector’s challenges and enhancing cybersecurity protocols, other critical infrastructure sectors can better protect against the growing threat landscape, ensuring the resilience and security of the nation’s essential services.
Conclusion
The EPA’s alert underscores the escalating cybersecurity threats to the nation’s water utilities and the necessity for stringent security measures. This serves as a crucial call to action for all critical infrastructure sectors to prioritize cybersecurity, ensuring the protection of essential services and public safety.
For further details on the EPA's initiatives and resources, visit the EPA's cybersecurity page.