
EPA to Increase Inspections and Take Enforcement Actions to Protect U.S. Water Systems from Cyber Attacks

The U.S. Environmental Protection Agency (EPA) has issued an enforcement alert to ensure community water systems (CWSs) comply with the Safe Drinking Water Act (SDWA) to prevent disruptive cyber attacks, including those by nation-state actors.

“Section 1433 of the Safe Drinking Water Act (SDWA) requires all CWSs serving more than 3,300 people to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs) and certify their completion to EPA,” the agency stated.

Additionally, water system operators must review their RRAs and ERPs every five years and possibly revise them while certifying the whole process with the EPA.

“These assessments and plans help water systems to evaluate and reduce risks from both physical and cyber threats,” the agency said.

The move aims to reduce cybersecurity vulnerabilities that adversaries could exploit to disrupt water supply or endanger consumers’ safety.

The EPA noted that “threats to, and attacks on” water and wastewater systems have recently increased in frequency and severity, reaching “to a point where additional action is critical.”

Subsequently, the EPA would increase inspections to ensure compliance and take enforcement actions for violations. The agency also outlined the steps that operators should follow to comply with SDWA and additional resources and tools to improve the water sector’s cyber resiliency.

70% of water systems violate SDWA, risking cyber attacks and consumer safety

EPA warned that most water systems in the United States have failed to comply with SDWA, risking disruptive cyber attacks and consumer safety.

According to EPA inspection data, 70% of water systems inspected since September 2023 failed to fully comply with the Safe Drinking Water Act. During the inspections, the EPA observed numerous “critical cybersecurity vulnerabilities” such as the use of default passwords, easily compromised single logins, employees sharing the same login credentials, and the failure to revoke former employees’ access after departure.

Similarly, some water systems had inadequate Risk and Resilience Assessments or Emergency Response Plans, preventing them from appropriately responding to cyber attacks.

“These failures involve potential violations of 1433 and miss an opportunity to safeguard operations through the RRAs and ERPs,” the EPA warned.

Besides risking enforcement actions, the EPA noted that violating SDWA cybersecurity provisions could result in cyber attacks with disastrous outcomes for water systems and consumers’ safety.

“Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts,” the agency noted.

Warning that small water systems are not immune from cyber attacks, the EPA noted that basic cyber hygiene practices could make a huge difference in preventing, detecting, responding to, and recovering from cyber attacks.

“Because water utilities often rely on computer software to operate their treatment plants and distribution systems, protecting information technology and process control systems from cyberattacks is vital,” the agency said.

According to the Cybersecurity and Infrastructure Security Agency’s Top Actions for Securing Water Systems, operators should limit exposure to the public-facing Internet, develop and exercise cybersecurity incident response and recovery plans, maintain an inventory of OT/IT assets, back up systems, reduce vulnerabilities, reset default passwords, and conduct security awareness training.

“Critical infrastructure, specifically water and wastewater systems, remains a primary target of cyber threats,” said Nick Tausek, Lead Security Automation Architect at Swimlane. “Federal entities continue to highlight the vulnerabilities of these systems from state-sponsored threat actors through advisories and alerts.”

EPA to increase inspections and take enforcement actions

To ensure compliance with SDWA Section 1433, the EPA will increase the number of planned inspections and take enforcement actions, including holding violators civilly and criminally responsible.

“The agency will increase the number of planned inspections and, where appropriate, will take civil and criminal enforcement actions, including in response to a situation that may present an imminent and substantial endangerment,” the agency announced.

The inspections will check whether water systems meet EPA’s cybersecurity requirements, which include regularly assessing their system vulnerabilities and developing emergency response plans to address those issues.

“Inspections will ensure that water systems are meeting their requirements to regularly assess resilience vulnerabilities, including cybersecurity, and to develop emergency response plans,” the EPA said.

The agency did not expound on the scope of “civil and criminal enforcement actions,” and whether it could include criminal prosecutions and fines. However, EPA Deputy Administrator Janet McCabe said the agency was “committed to using every tool, including our enforcement authorities,” to protect the water sector from cyber attacks.

“Not only should the EPA enforce the existing rules on the books, but until the punishments of ignoring the rules outweigh the cost of actually hiring cybersecurity professionals to work on these systems, these clear lapses in cyber hygiene will continue,” remarked Tom Marsland, VP of Technology, Cloud Range, and Board Chairman of VetSec.

In March 2024, EPA Administrator Michael S. Regan and National Security Advisor Jake Sullivan sent a letter to all state governors requesting them to collaborate with the federal government in developing strategies to address the cyber threats facing drinking water and wastewater systems.

The request followed a previously rescinded federal recommendation setting minimum cybersecurity requirements for water systems after backlash from state governors.

Roger Grimes, a Data-Driven Defense Evangelist at KnowBe4, is skeptical about the success of the EPA’s announced enforcement action: “This is the umpteenth time the US government has said the same thing,” he said. “Will this time be any different? Probably not. I don’t see anything that makes this warning and recommendation any more likely to be fruitful than the previous hundred saying the same thing.”

“Is there a person in the world working at any organization, much less a critical infrastructure plant, that doesn’t know their job is to keep the bad hackers out? No,” added Grimes. “The problem obviously isn’t knowledge and awareness. The problem is in the doing. The problem is in the enforcement.”