Authorities Issue Nationwide Warning on Drinking Water

By: Georgia | Last updated: May 24, 2024

The Environmental Protection Agency (EPA) has issued an enforcement alert urging immediate action from water utilities to safeguard America’s drinking water from cyber threats.

The alert follows findings that 70% of inspected U.S. water systems fail to meet the Safe Drinking Water Act’s cybersecurity requirements. Vulnerabilities include outdated default passwords and easily compromised single logins.

Potential Consequences of Cyber Attacks

The EPA warns that cyberattacks on water systems can disrupt treatment and storage, damage pumps and valves, and alter chemical levels to hazardous amounts. 

A blue water tower labeled "FlintStrong" stands against a cloudy sky

Source: Wikimedia Commons

This poses a significant risk to public health and safety, illustrating the critical need for robust cybersecurity measures within our national water infrastructure.


Urgent Call for Compliance

EPA Deputy Administrator Janet McCabe shared more details in a press release.

Official portrait of EPA Deputy Administrator Janet McCabe, featuring her with a slight smile, wearing a red blazer against an American flag backdrop

Source: Wikimedia Commons

She said, “In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business.” 

International Cyber Threats

The EPA’s alert also highlighted that nations such as China, Russia, and Iran have previously disrupted some U.S. water systems through cyberattacks and may possess the capability to disable them in the future. 

Aerial view of a large coastal industrial facility with multiple buildings and storage tanks, surrounded by the ocean on three sides and connected by a narrow land strip

Source: Wikimedia Commons

This international dimension illustrates the global nature of cybersecurity threats facing critical U.S. infrastructure.

Specific Attacks on Local Systems

The Iranian-linked group “Cyber Av3ngers” targeted a water provider in a small Pennsylvania town last year, demonstrating the vulnerability even at local levels. 

Two water towers, one labeled "Stamford" and the other "Bulldogs," stand in a rural Texas setting,

Source: Wikimedia Commons

This year, a Russian-linked “hacktivist” group attempted to disrupt several Texas utilities, indicating a persistent threat to the U.S. water supply.

China's Involvement in Cyber Espionage

A cyber group linked to China, known as “Volt Typhoon,” has compromised the information technology systems of multiple infrastructure sectors, including U.S. drinking water systems, according to the EPA’s enforcement alert

A water treatment facility with large concrete structures and water basins, surrounded by greenery and residential areas

Source: Wikimedia Commons

This action is part of a broader strategy by foreign nations to infiltrate American critical infrastructure.


The Role of Hacktivist Groups

Cybersecurity expert Dawn Cappelli from Dragos Inc., explained the role of hacktivist groups in these attacks.

Macro image of a computer screen displaying colorful programming code, with parts of the text out of focus

Source: Markus Spiske/Unsplash

“By working behind the scenes with these hacktivist groups, now these (nation states) have plausible deniability and they can let these groups carry out destructive attacks. And that to me is a game-changer.” 


Earlier Warnings and Continued Risks

A previous alert in March, sent by the White House and the EPA to all 50 U.S. governors, already noted the threats.

Daytime view of the White House with its iconic white facade and green lawn in the foreground

Source: Wikimedia Commons

These were particularly from actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC), who have conducted several malicious cyberattacks against U.S. infrastructure, including drinking water systems.


EPA's Supportive Measures for Utilities

The EPA has committed to training water utilities for free to help address these critical cybersecurity issues. 

Two smiling EPA officials holding up signed agreement folders in a ceremonial setting, with the EPA and American flags in the background

Source: EPA/X

Janet McCabe emphasized the importance of water providers avoiding the use of default passwords and developing a comprehensive risk assessment plan that addresses cybersecurity.


The Challenge of Cybersecurity in the Water Sector

The approximately 50,000 community water providers in the U.S. face a significant challenge

A tall, cylindrical water tower with a wide base stands beside a busy roadside, with industrial equipment around and a partly cloudy sky above

Source: Wikimedia Commons

Many have small staffs and minimal budgets, which makes meeting basic needs and complying with regulations a priority over developing sophisticated cybersecurity capabilities.


Expert Views on Cybersecurity Needs

“Certainly, cybersecurity is part of that, but that’s never been their primary expertise,” Amy Hardberger, a water expert at Texas Tech University, explained.

Two dark monitors displaying multi-colored programming code in a dimly lit office environment

Source: Mohammad Rahmani/Unsplash

She highlighted the significant challenges faced by water utilities, which are now being asked to develop entirely new departments dedicated to managing cyber threats. 


Funding and Support for Water Systems

Kevin Morley of the American Water Works Association told AP that updating utility systems is often arduous and expensive. 

A large water tower painted with the word "Yuma" stands in a suburban park surrounded by trees and recreational facilities under a clear sky

Source: Wikimedia Commons

He argued that substantial federal funding is necessary to develop the resources needed for water systems, both small and large, to combat these evolving cyber threats effectively.


The Financial Impact of Cybersecurity Upgrades

Upgrading cybersecurity for water utilities involves significant costs, from purchasing new software to training personnel. Small community water systems, often operating on tight budgets, face particular challenges in allocating funds for these upgrades.

A row of $100 bills representing a significant amount of money.

Source: Engin Akyurt/Unsplash

Potential funding sources include federal grants and state assistance programs, but securing these funds can be competitive and time-consuming. Investing in cybersecurity, however, is crucial to protect public health and safety.


Technological Innovations in Water Security

Emerging technologies are revolutionizing water system security. AI-driven threat detection can identify and respond to cyber threats in real-time, significantly reducing the risk of successful attacks.

A man is pictured checking samples at a water treatment facility

Source: Freepik

Blockchain technology ensures secure data transactions, preventing unauthorized access and tampering. Additionally, IoT devices enable continuous monitoring of water infrastructure, providing early warning signs of potential breaches and allowing for swift corrective action.


Case Studies of Successful Cybersecurity Implementations

Several water utilities have successfully implemented robust cybersecurity measures.

A businessman using a laptop which shows icons for cyber security

Source: Freepik

For example, a utility in California partnered with cybersecurity firms to conduct comprehensive risk assessments, leading to the development of a fortified defense strategy.


Legislative Efforts to Strengthen Water System Cybersecurity

Recent legislative efforts aim to bolster the cybersecurity of water infrastructure. The proposed Water System Cybersecurity Act of 2024 mandates regular vulnerability assessments and the implementation of advanced security protocols.

Joe biden's hands are photographed as he holds a pen at his desk.

Source: The White House

Additionally, it provides funding for smaller utilities to upgrade their cybersecurity measures. These legislative initiatives convey the government’s commitment to safeguarding critical infrastructure against escalating cyber threats.


The Role of Public Awareness and Education

Public awareness and education are vital in safeguarding water systems. Informing communities about cybersecurity threats can enhance vigilance and cooperation with local utilities.

A child wearing an orange toque drinking out of a glass of water

Source: Johnny McClung/Unsplash

Educational campaigns can teach individuals how to recognize and report suspicious activities. By fostering a well-informed public, utilities can build a collective defense against cyber threats, ensuring a more resilient and secure water supply.


Collaboration Between Public and Private Sectors

Collaboration between public and private sectors is essential for enhancing water system cybersecurity. Public utilities can benefit from the technical expertise and resources of private cybersecurity firms.

Inside a cybersecurity monitoring room where a person sits in front of multiple computer screens displaying security breach alerts.

Source: DC Studio /freepik

Joint initiatives, such as threat intelligence sharing and coordinated response efforts, can bridge resource gaps and improve overall security.


Psychological and Social Impacts of Cyber Threats

The fear of compromised water safety can erode public trust in local utilities. Addressing these concerns requires transparent communication and reassurance from authorities about the measures being taken to protect water supplies.

Two men wearing hard hats and PPE stand on the bridge of a water treatment plant

Source: Hugh Hastings/Getty Images

Community engagement and regular updates can help restore confidence and foster a sense of security.


International Cooperation and Global Standards

International cooperation is crucial in combating cyber threats, such as those to water infrastructure. Establishing global cybersecurity standards and frameworks ensures consistent protection measures across countries.

A man and a woman shake hands over a wooden table after a business meeting

Source: Freepik

Collaborative efforts, such as information sharing and joint cyber defense exercises, can enhance global readiness against attacks.


Innovative Training Programs for Water Utilities

Comprehensive training should cover identifying vulnerabilities, implementing security protocols, and responding to cyber incidents. Simulation-based training can also provide hands-on experience in handling real-world scenarios.

People sit at desks with computers and raise their hands during a classroom session

Source: dschap/pixabay

Continuous education and skill development ensure that utility staff are well-prepared to defend against evolving cyber threats.


The Importance of Cyber Hygiene Practices

Maintaining strong cyber hygiene practices is fundamental to protecting water systems. Regularly updating software, using strong and unique passwords, and implementing multi-factor authentication are basic yet effective measures.

An engineer is pictured looking at data on his laptop

Source: Freepik

Ensuring that all staff are trained in cybersecurity best practices also reduces the risk of human error. Consistent adherence to these practices creates a robust defense against potential cyber threats.


Addressing the Digital Divide in Cybersecurity

The digital divide in cybersecurity capabilities among water utilities poses a significant challenge. Smaller utilities often lack the resources and expertise to implement advanced security measures.

A person hacking into a cybersecurity system. There is an iPad in front of a computer. Both screens are on with lots of writing in various colors.

Source: Pressfoto/Freepik

Bridging this divide requires targeted support, such as providing access to cybersecurity experts and affordable technology solutions. Ensuring equal access to cybersecurity resources is essential for protecting all communities, regardless of size or budget.


Future Trends in Water System Cybersecurity

As technology evolves, continuous innovation and adaptation will be necessary to stay ahead of emerging cyber threats.

A person scooping water with green cup

Source: Jens Johnsson/Pexels

Proactive investment in research and development will drive the future of water system security.