Due to an increase in the number and intensity of attempted assaults, mostly by hackers from China, Russia, and Iran, the EPA requested that water utilities take immediate precautions to guard against cyberattacks on drinking water sources.
According to EPA authorities, inspections over the past eight months have revealed that 70% of public water utilities were in breach of fundamental guidelines designed to prevent violations.
Deputy Administrator Janet McCabe of the EPA stated, “In many cases, digital systems have not had a risk assessment of their possible vulnerabilities, including cybersecurity, and to ensure that plan is available and guiding the way they conduct business.”
According to regulators, there are several basic criteria that water suppliers may follow to ensure their safety. These include altering the system’s default login password, mandating that personnel use unique login credentials, and ensuring that previous employees have no access to the system.
However, the risk of damage from a cyberattack is even higher: according to EPA authorities, hackers can manipulate chemical levels to dangerous levels, damage pumps, and valves, and interfere with the treatment and storage of municipal water systems by gaining access to a water system.
The necessity for further enforcement measures has increased due to the rise in cyberattacks on water infrastructure in the United States by state-sponsored entities and criminal organizations.
Since 2021, these intrusions have included at least three incidents in which state-sponsored Chinese hackers targeted vital infrastructure and drinking water, an attack on a small Pennsylvania water provider associated with an Iranian hacker group, and an attack on three water systems done by a well-known Russian hacker group.
The EPA recently announced the formation of a Water Cybersecurity Task Force, which will assist water utilities in identifying potential risks and developing countermeasures.
The White House National Security Advisor Jake Sullivan and EPA Administrator Michael Regan requested that states submit a plan in March to safeguard their public water systems against hackers.
The enforcement notice, according to officials on Monday, highlights the gravity of the cyberthreats and the EPA’s readiness to impose civil or criminal penalties on water systems that neglect to maintain basic online safety.
“We would like to make sure that people are aware that there are a lot of issues here,” McCabe stated.