A recent U.S. Environmental Protection Agency survey found that over 70% of water systems have critical cybersecurity vulnerabilities. This means they are susceptible to cyberattacks that could disrupt water treatment and sanitation.
And more recently, on May 20, the EPA issued an enforcement alert outlining the urgent cybersecurity threats and vulnerabilities to community drinking water systems and the steps these systems need to take to comply with the Safe Drinking Water Act. The alert is part of a government-wide effort — led by the National Security Council and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — to reduce the nation’s infrastructure and cybersecurity vulnerabilities.
The Safe Drinking Water Act Section 1433 requires community water systems serving more than 3,300 people to conduct Risk and Resilience Assessments, develop Emergency Response Plans, and certify their completion to the EPA. These assessments and plans must be reviewed every five years, revised if necessary, and completion certified to the EPA again.
The EPA says in the alert that it is conducting inspections to assess community water systems' compliance with this section, and that the agency will increase inspections focusing on cybersecurity. If vulnerabilities are found that could endanger public health, enforcement actions may be taken under Safe Drinking Water Act Section 1431.
The EPA issued the alert because threats to, and attacks on, the nation’s water system have increased in frequency and severity to a point where additional action is critical, according to the agency.
The EPA, Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation strongly recommend that water system operators take the following steps:
• Reduce exposure to public-facing internet;
• Conduct regular cybersecurity assessments;
• Change default passwords immediately;
• Conduct an inventory of OT/IT assets;
• Develop and exercise cybersecurity incident response and recovery plans;
• Back up OT/IT systems;
• Reduce exposure to vulnerabilities; and
• Conduct cybersecurity awareness training.
EPA Administrator Michael S. Regan and National Security Advisor Jake Sullivan also recently sent a letter to the nation’s governors on the urgency of the threats and the importance of collaboration across federal and state partners to develop comprehensive strategies to close gaps in cyber-resilience. Following the meeting, the National Security Council encouraged each state to prepare an action plan presenting the state’s strategy to mitigate the most significant cybersecurity vulnerabilities in the state’s water and wastewater systems by late June.
The EPA is also moving forward with the Water Sector Coordinating Council and Water Government Coordinating Council to establish a task force to identify additional near-term actions and strategies to reduce the risk that cyberattacks pose to water and wastewater systems nationwide.
Additionally, the EPA and CISA will continue to offer guidance, tools, training, resources and technical assistance to help water systems execute these essential tasks. The EPA will also continue to conduct cyber assessments for small water systems under its Cybersecurity Evaluation Program.
For more information, view the EPA's enforcement alert here and the Water and Wastewater Systems Sector Cybersecurity page here.















