The U.S. Environmental Protection Agency (EPA) is sounding the alarm over critical cybersecurity vulnerabilities impacting community water systems across the United States. In a new Enforcement Alert, the agency is calling on water utilities to immediately enhance their digital defenses to protect public health and safety.
Leveraging authorities under the Safe Drinking Water Act (SDWA), the EPA is directing community water systems (CWSs) to take specific actions to ensure compliance with cybersecurity requirements and better secure their industrial control systems from escalating cyber threats.
"Due to cybersecurity threats that could impact a CWS's ability to ensure the continued safety of drinking water, there is an imminent need for decisive action," the Enforcement Alert states. It cites cyber incidents such as the 2021 Oldsmar water treatment facility hack as examples of real-world risks.
According to a May 20, 2024, press release: "Protecting our nation's drinking water is a cornerstone of EPA's mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation's drinking water is protected from cyberattacks," said EPA Deputy Administrator Janet McCabe. "EPA's new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation's public health."
The alert outlines a series of measures the EPA expects CWSs to implement to uphold their SDWA Section 1433 obligations, which require maintaining an adequate operational contingency plan to ensure continued operation during emergencies like cyberattacks. Key actions include:
Risk assessments & response planning
Network safeguards & monitoring
Incident response preparedness
Employee training
According to the EPA, this list represents the minimum cybersecurity readiness measures needed to adequately comply with SDWA rules and protect public water systems from cyber threats. Failure of CWSs to make a good faith effort in implementing these safeguards could result in formal enforcement action.
"Community water systems that are unable to demonstrate resilience to continue safe and reliable operations during a cyberattack will be considered in violation of SDWA requirements," said Merab Natroshvili, Director of the EPA's Cyber Enforcement Division.
Kip Boyle, vCISO, Cyber Risk Opportunities LLC, said he worries the EPA's actions do not go far enough.
"From my reading, the EPA's alert is reasonable, although it's also lagging badly as compared to the cyberattackers' capabilities and actions," Boyle said. "What's missing is accountability at each water system. Who, at each system, will perform the 'key actions?' Are those actions being added to the job descriptions in role appropriate ways? If not, I'm concerned that these actions will not be fully implemented and operated over time."
While the alert focuses on actions for community water utilities, the EPA states these cybersecurity needs "are no less critical" for other public water system types that should heed the recommendations as well.
The alert also highlights cybersecurity services available through the EPA, along with other federal resources from agencies like CISA, the WaterISAC, and the MS-ISAC to support water sector cyber defense efforts.
Steven Aiello, Field CISO, AHEAD, said lack of funding may be an inhibitor for better securing critical infrastructure like water treatment facilities.
"I applaud the EPA for recognizing the criticality of water treatment, storage, and distribution facilities. Section 1433 is a starting point; however, critical infrastructure systems are usually dated, and operational technologies like chemical monitoring solutions present a significant risk," Aiello said. "To be effective, organizations will need additional funding and resources to identify vulnerabilities within their aging infrastructure. Without the additional resources, meeting the spirit of the EPA's mandate will be difficult, if not impossible. The EPA may want to offer something similar to a program dedicated to improving hospital cybersecurity."
"Allocating funds for specific assets, such as those that are internet facing, would be an excellent way to start mitigating risks in these environments," Aiello added.
As cyber threats loom large over critical infrastructure sectors, the EPA is using its regulatory authorities to compel enhanced security for vulnerable water treatment systems. This comprehensive new enforcement guidance reflects the agency's growing scrutiny of cyber resilience.
Below are additional comments from cybersecurity vendor experts.
Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit:
"U.S. water systems are at risk with various forms of governance and authority behind state, local, federal, and commercial entities responsible for management of facilities, where some have largely ignored security practices. This is in sharp contrast to adversaries that are organized and managed by a government, rather than commercial and government cooperatives," Dunham said. "This results in a cyber information warfare comparative where adversaries are attempting to compromise each, with one attempting to gain more of a foothold and have more command and control over the other than what is lost within their own infrastructure. How this dangerous game plays out in convention alwar, should things escalate, is where real risk is revealed, yet to be unveiled."
"Water shortages are significant, especially based upon geolocation, time of year, and supply chain realities. Take, for example, middle of the summer, southern states, with no drinking water or supplies to the home. It's obvious a rush to stores for drinking water follows, with various forms of fallout and/or mayhem," Dunham continued. "If wastewater is manipulated to create sickness and pollution in local waterways, you then introduce large-scale sickness and impact in major areas. Very quickly, entire regions can be tossed into dangerous life-threatening situations where critical infrastructure is threatened and lives are at risk just by not having drinkable water, shortages of care facilities for the scale of support needed, possible power outages, and more, dependent upon the scale and swath of critical infrastructure attacks imposed by adversaries at the time of attack."
Chad Graham, CIRT Manager at Critical Start:
"The drivers behind the attacks on U.S. water systems are multifaceted, encompassing state-sponsored agendas and financial motivations. State-sponsored actors may target these infrastructures to disrupt essential services or as a form of geopolitical leverage. Simultaneously, ransomware operators attack these facilities for monetary gain, exploiting vulnerabilities to extort large sums," Graham said. "In comparison to other critical infrastructures, such as financial services and energy, the U.S. water systems often lag behind. This is partly due to these sectors having historically received less focus and investment in cybersecurity, making them potentially more vulnerable to attacks."
"The severe implications of a successful cyberattack on water systems cannot be overstated," Graham added. "An attack of this nature has the potential to disrupt the supply of clean and safe drinking water or impair wastewater treatment processes, posing significant public health and environmental risks. The disruption of these essential services could lead to immediate public health crises and long-term environmental damage."
Qualys' Dunham added:
"Operators of these facilities must meet compliance as well as foster a culture of security and best practices to lower risk. They should also adopt a mindset and awareness of critical infrastructure and the importance of protecting operations and assets, respectively. Involve trusted third parties for roadmap planning, audits, and additional support to ensure robust security planning and integrity in SecOps."
"Critical lymph structure preventative measures must include cyber threat intelligence and disaster preparedness planning. Disaster recovery (DR) planning must include purple training, where it is demonstrated that bad actor tactics, techniques, and procedures (TTPs) are defended against," Dunham continued. "This would include critical areas that are often overlooked and all too common in the areas of recovery, such as ensuring that backups are not only being made, but actually performed by teams using tools as if a recovery was necessary on a monthly basis. It is critical in a complex, hybrid world that every step and stage of recovery, isolation, and response is performed, considering all the angles of an attack by an adversary with different scenarios in mind to be properly prepared for quick incident identification and recovery."
Critical Start's Graham added:
"To defend against these multi-faceted threats, water facilities should implement rigorous cybersecurity measures. This involves segregating their networks through network segmentation, as well as the principle of least privilege, ensuring that users have only the access necessary for their roles. Additionally, it is crucial for facilities to regularly update all devices and systems while also changing default credentials to prevent unauthorized access."
On February 23, 2024, CISA released its updated Top Cyber Actions for Securing Water Systems.
More from the May 20th release:
"EPA is committed to providing cybersecurity technical assistance to the water sector, allowing direct access to subject matter experts who can assist systems better understand cybersecurity concepts. Additionally, EPA and CISA will continue to offer guidance, tools, training, resources, and technical assistance to help water systems execute these essential tasks. EPA will also continue to conduct cyber assessments for small water systems under our Cybersecurity Evaluation program."