US officials warn that cyberattacks on water systems are increasing

WASHINGTON — Cyberattacks on water utilities across the country have gotten more frequent and severe, the Environmental Protection Agency warned Monday as it issued an enforcement alert urging water systems to take immediate action to protect the nation's drinking water.

About 70% of utilities inspected by federal officials last year violated standards designed to prevent breaches or other interference, the agency said. Officials urged even small water systems to improve their protection against hacking attacks. Recent cyberattacks by groups linked to Russia and Iran have targeted smaller communities.

The warning says some water systems have fundamental flaws, including failure to change default passwords or cut off system access for former employees. Because water utilities often depend on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is critical, the EPA said. Potential impacts of cyberattacks include disruptions to water treatment and storage; damage to pumps and valves; and changes to chemical concentrations that bring them to dangerous levels, the agency said.

“In many cases, systems are not doing what they are supposed to do, which is to conduct a risk assessment of their vulnerabilities, which includes cybersecurity and ensuring that a plan is available and provides information about the way they conduct their business,” said EPA Acting Administrator Janet McCabe.

Attempts by private groups or individuals to penetrate a water utility's network and destroy or deface websites are not new. More recently, however, attackers have targeted not only websites but also the utilities' operations.

The recent attacks are not carried out only by private entities. Some recent hacking attacks on water utilities are linked to geopolitical rivals and may lead to disruptions in the supply of fresh water to homes and businesses.

McCabe named China, Russia and Iran as the countries “actively seeking the opportunity to cripple U.S. critical infrastructure, including water and wastewater.”

Late last year, an Iran-linked group called “Cyber Av3ngers” targeted several organizations, including a small Pennsylvania town’s water utility, forcing it to switch from a remote pump to manual operation. They were targeting a device made in Israel that the utility had used, amid Israel's war against Hamas.

Earlier this year, a Russian-linked “hacktivist” attempted to disrupt the operations of several Texas utilities.

A China-linked cyber group called Volt Typhoon has compromised the information technology of several critical infrastructure systems, including drinking water, in the United States and its territories, U.S. officials said. Cybersecurity experts believe the China-aligned group is positioning itself for possible cyberattacks in the event of an armed conflict or increasing geopolitical tensions.

“By working behind the scenes with these hacktivist groups, these (nation states) now have plausible deniability and can let these groups carry out destructive attacks. And that to me is a game changer,” said Dawn Cappelli, cybersecurity expert at industrial cybersecurity firm Dragos Inc.

The world's cyber powers are believed to have been infiltrating their competitors' critical infrastructure for years and planting malware that could be triggered to disrupt essential services.

The enforcement alert is intended to highlight the severity of the cyber threats and inform utilities that the EPA will continue its inspections and impose civil or criminal penalties if it finds serious problems.

“We want to make sure we let people know that we have a lot of problems here,” McCabe said.

The EPA did not say how many cyber incidents there have been in recent years, and the number of attacks known to be successful so far is small. The agency has issued nearly 100 enforcement actions related to risk assessments and emergency response since 2020, but said that was just a small snapshot of the threats facing water systems.

Preventing attacks on water utilities is part of the Biden administration's broader efforts to combat threats to critical infrastructure. In February, President Joe Biden signed an executive order to protect U.S. ports. Health systems have been under attack. The White House has also urged utilities to strengthen their defenses. EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have asked states to develop a plan to combat cyberattacks on drinking water systems.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a vital sector of critical infrastructure, but often lack the resources and technical capacity to implement rigorous cybersecurity practices,” Regan and Sullivan wrote in a March 18 letter to all 50 US governors.

Some of the fixes are straightforward, McCabe said. For example, water utilities should not use default passwords. They need to develop a risk assessment plan that addresses cybersecurity and put backup systems in place. The EPA says it will provide free training to water providers that need help. Larger utilities typically have more resources and the expertise to defend against attacks.

“In a perfect world … we would love everyone to have a basic level of cybersecurity and give you the chance to certify that they have it,” said Alan Roberson, executive director of the Association of State Drinking Water Administrators. “But that's a good distance off.”

Some obstacles are fundamental. The water sector is very fragmented. There are roughly 50,000 municipal water suppliers, most of which serve small towns. Modest staffing levels and meager budgets in many places make it difficult enough to take care of the essentials: providing clean water and keeping up with the latest regulations.

“Certainly cybersecurity is part of it, but that was never their main competency. Now you’re asking a water utility to develop an entirely new department to deal with cyber threats,” said Amy Hardberger, a water expert at Texas Tech University.

But Missouri, Arkansas and Iowa, together with the American Water Works Association and another water industry group, challenged the orders in court, saying the EPA lacks authority under the Safe Drinking Water Act. After a legal setback, the EPA withdrew its requirements but urged states to take voluntary action anyway.

The Safe Drinking Water Act requires certain water providers to develop plans for specific threats and certify that they have done so. But its power is limited.

“There is simply no authority for (cybersecurity) in the law,” Roberson said.

Kevin Morley, federal relations manager for the American Water Works Association, said some water utilities have components that are connected to the internet, a common but significant vulnerability. Overhauling these systems can be a large and expensive task. And without significant federal funding, water systems struggle to find resources.

The industry group has released guidelines for utilities and is calling for the creation of a new organization of cybersecurity and water experts to work with the EPA to develop and implement new policies.

“Let’s bring everyone along in a sensible way,” Morley said, adding that small and large utilities have different needs and resources.
