EPA urges water utilities to protect nation's drinking water amid heightened cyberattacks

Cyberattacks targeting water utilities across the country have increased in frequency and severity, the U.S. Environmental Protection Agency warned Monday as it urged community water systems to take immediate steps to reduce cybersecurity vulnerabilities and protect the nation's public drinking water supplies.

The EPA has issued an enforcement alert detailing "urgent cybersecurity threats and vulnerabilities" to community drinking water systems, the agency said in a news release Monday. A majority of water systems — over 70% — inspected by the EPA since last September violated standards in the Safe Drinking Water Act, according to the alert.

The Safe Drinking Water Act was established to protect public health by regulating public drinking water supplies in the country, according to the EPA. Among those inspected, the agency identified "alarming" cybersecurity vulnerabilities in some water systems.

The agency found that some water systems failed to change default passwords and cut off access to former employees in addition to only using single logins for all staff that can be compromised, the alert said. Although many of the EPA's requirements to protect water systems are "basic cyber hygiene practices," the agency said potential cyberattacks can cause significant impacts on both water utilities and consumers.

The EPA also recommended that small water systems improve protections against cybersecurity threats, noting that disruptive cyberattacks have impacted water systems of all sizes. Recent cyberattacks by organizations affiliated with Russia and Iran have targeted utilities in Pennsylvania and Texas.

"Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks," EPA Deputy Administrator Janet McCabe said in a statement. "EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health."

Is yours on our map?70 million Americans drink water from systems reporting PFAS to EPA.

Cyberattacks can disrupt 'critical lifeline of clean and safe drinking water'

According to the EPA, the new alert is part of a government-wide effort led by the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. "EPA is issuing this alert because threats to, and attacks on, the nation’s water system have increased in frequency and severity to a point where additional action is critical," the agency said.

Because water systems often depend on computer software to operate treatment plants and distribution systems, the EPA said protecting information technology and process control systems is essential. The agency added that implementing basic cyber hygiene practices can help utilities prevent, detect, respond to, and recover from cyberattacks.

Cyberattacks have the "potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities," according to the EPA. Possible impacts of cyber incidents include disruptions of water treatment, distribution, and storage; damage to pumps and valves; and altered chemical levels to hazardous amounts, the agency said in its alert.

In March, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to all 50 U.S. governors asking states to develop a plan to secure water systems against cyber threats. The request was followed by a meeting in which the National Security Council urged states to present its plans by late June, according to the EPA.

"Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices," Regan and Sullivan said in the letter.

Dangers of cybersecurity threats in the U.S.

The new EPA alert sheds light on a growing threat in the United States with federal authorities expressing increasing concerns over public utilities and infrastructure being targeted by foreign cyberattacks.

Federal agencies have issued numerous advisories for cyberattacks against water and wastewater systems by foreign groups, including the Iranian Government Islamic Revolutionary Guard Corps, Russia state-sponsored actors, and China state-sponsored cyber actors, according to the EPA.

Last November, an Iranian-linked cyber group, Cyber Av3ngers, hacked into water authority infrastructure in Aliquippa, Pennsylvania. The group took partial control of a system that regulates water pressure — and one that includes technology manufactured in Israel. Federal authorities said the group was looking to disrupt Israeli-made technology in the United States.

Earlier this year, a Russian-linked hacking group was tied to a cyberattack that caused a water system in the small town of Muleshoe, Texas, to overflow, CNN reported. Town officials told CNN that the incident coincided with at least two other north Texas towns detecting suspicious cyber activity on their networks.

In both incidents in Pennsylvania and Texas, authorities said officials switched to manual operations.

Microsoft revealed last May that a cyber group with ties to China, known as Volt Typhoon, was targeting critical infrastructure organizations in the United States. In February, several federal agencies said Volt Typhoon compromised multiple infrastructure organizations in the communications, energy, transportation, and water sectors.

"Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," the company said in a blog post.

Cyberattacks have also disrupted insurance companies and hospital systems in several states in recent years.

Contributing: Claire Thornton, USA TODAY