Cyberattacks on U.S. water utilities are becoming increasingly frequent and severe, prompting the Environmental Protection Agency (EPA) to issue an urgent enforcement alert. The agency reported that over 70% of inspected utilities have failed to meet standards designed to prevent cyber breaches, highlighting an urgent need for improved cybersecurity measures within this critical sector.
In response, the EPA is urging water systems to take immediate action to strengthen their cybersecurity defenses. Failures such as not changing default passwords and allowing former employees access to systems have been identified as significant vulnerabilities. The agency emphasized the importance of protecting information technology and process controls to prevent disruptions to water treatment, potential damage to infrastructure, and the alteration of chemical levels to hazardous amounts.
Why it matters: The safety and reliability of the nation’s drinking water supply are fundamental to public health and national security. Cyberattacks on water utilities threaten the availability and quality of drinking water but also highlight broader vulnerabilities in critical infrastructure that adversaries can exploit. Addressing these cybersecurity gaps is essential to ensuring the resilience of water systems against current and future threats.
- Increasing Frequency and Severity of Attacks: Cyberattacks on water utilities are becoming more common and damaging, with recent incidents linked to groups affiliated with Russia, Iran, and China. These attacks have disrupted operations and could potentially harm public health by tampering with water treatment processes.
- Impact on Smaller Communities: While large utilities often have more resources to defend against cyber threats, smaller water systems are particularly vulnerable. Recent attacks have targeted small towns, demonstrating that no community is immune.
- EPA’s Enforcement and Support Measures: The EPA is stepping up enforcement actions and providing guidance to help water utilities improve their cybersecurity. This includes training for utilities that lack the necessary expertise and urging states to develop comprehensive cybersecurity plans for water systems.
