EPA Warns Of Cyberattacks On Nation’s Drinking Water Systems
On Monday, the Environmental Protection Agency issued an enforcement alert warning of cyberattacks on community drinking water systems across the nation.
The EPA stated that its inspections found that over 70% of water systems did not “fully comply with requirements in the Safe Drinking Water Act and that some of those systems have critical cybersecurity vulnerabilities.” The EPA noted that default passwords have not been updated and single logins being used leave the systems vulnerable. It also suggested system operators reduce exposure to public-facing internet, conduct regular cybersecurity assessments, change default passwords immediately, and conduct an inventory of OT/IT assets, among other tasks.
“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” said EPA Deputy Administrator Janet McCabe, the Associated Press reported.
McCabe said China, Russia and Iran are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.”
In May 2023, Microsoft reported that state-backed Chinese hackers called Volt Typhoon were targeting infrastructure systems in the United States. Those attempts included drinking water, AP noted. In November 2023, The Municipal Water Authority of Aliquippa said one of their booster stations had been hacked by a cyber-group calling itself Cyber Av3ngers that was backed by Iran.
Last month, a Russian hacktivist group hacked into a Texas town’s water system. “There were 37,000 attempts in four days to log into our firewall,” said Mike Cypert, city manager of Hale Center.
“By working behind the scenes with these hacktivist groups, now these (nation states) have plausible deniability and they can let these groups carry out destructive attacks. And that to me is a game-changer,” Dawn Cappelli, a cybersecurity expert, stated.
“In an ideal world … we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that,” Alan Roberson, executive director of the Association of State Drinking Water Administrators, said. “But that’s a long ways away.”
No comments