In response to the increasing frequency and severity of threats and attacks on the nation’s drinking water systems, the U.S. Environmental Protection Agency (EPA) on Monday issued an enforcement alert addressing urgent cybersecurity threats.
Water utilities frequently depend on computer software to manage treatment plants and distribution systems, which makes safeguarding both information technology and process control systems from cyber threats paramount. Recent disruptive cyber incidents by hostile nation states have affected water systems, including many smaller systems.
Monday’s alert reiterates the steps systems must take to comply with the Safe Drinking Water Act (SDWA). It is part of a broader initiative, led by the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), aimed at protecting the nation’s infrastructure and cybersecurity.
More than 70% of water systems the EPA recently inspected failed to fully adhere to the requirements outlined in the SDWA. Some systems showed critical vulnerabilities, such as the use of default passwords and single logins susceptible to compromise. The EPA is continuing to work with state and federal security partners to identify vulnerabilities, informed by previous cyberattacks on water systems.
“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” EPA Deputy Administrator Janet McCabe said. “EPA’s new enforcement alert is the latest step … to ensure communities understand the urgency and severity of cyberattacks, and water systems are ready to address these serious threats.”
The EPA plans to increase the number of scheduled inspections and will take civil and criminal enforcement actions as needed, particularly in response to imminent and substantial endangerment. The EPA, CISA and the FBI advise system operators to implement the measures outlined in Top Actions for Securing Water Systems:
- Reduce exposure to public-facing internet: Use cyber hygiene services to reduce exposure of key assets to the public-facing internet. Operational technology (OT) devices such as controllers and remote terminal units are easy targets for cyberattacks when connected to the internet.
- Conduct regular cybersecurity assessments: Regularly assessing existing vulnerabilities within OT and IT systems allows systems to identify, assess and prioritize mitigating vulnerabilities.
- Change default passwords immediately: Require unique, strong and complex passwords for all water systems, including connected infrastructure.
- Conduct an inventory of OT/IT assets: Create an inventory of software and hardware assets to help understand what needs to be protected. Focus initial efforts on internet-connected devices and devices where manual operations are not possible. Use monitoring to identify the devices communicating on networks.
- Develop and exercise cybersecurity incident response and recovery plans: Understand incident response actions, roles and responsibilities, as well as who to contact and how to report a cyber incident before one occurs to ensure readiness against potential targeting.
- Back up OT/IT systems: Regularly back up systems to ensure recovery to a known and safe state in the event of a compromise. Test backup procedures and isolate backups from network connections. Implement the NIST 3-2-1 rule: 3) Keep three copies: one primary and two backups; 2) Keep the backups on two different media types; 1) Store one copy offsite.
- Reduce exposure to vulnerabilities: Mitigate known vulnerabilities and keep all systems up to date with patches and security updates.
- Conduct cybersecurity awareness training: Require training annually, at a minimum, to help all employees understand the importance of cybersecurity and how to prevent and respond to cyberattacks.
EPA Administrator Michael S. Regan and National Security Advisor Jake Sullivan sent a letter to the nation’s governors in March stressing the urgency of the threats and the need for federal-state collaboration to develop comprehensive strategies for enhancing cyber-resilience.
“We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices,” Regan and Sullivan said in the letter.
The National Security Council has since urged each state to come up with strategies for mitigating vulnerabilities in their water and wastewater systems by late June.
The EPA offers free cybersecurity help for the water sector with subject matter experts and will continue conducting cyber assessments for small water systems through its Cybersecurity Evaluation program.