More than 70% of surveyed water systems failed to meet EPA cyber standards

The East Bay Municipal Utility District Wastewater Treatment Plant in Oakland, California. The EPA is warning water systems nationwide about cybersecurity risks. Justin Sullivan/Getty Images

The agency says it will take certain enforcement actions in cases where there is imminent danger from a cyberthreat against water infrastructure.

Over 70% of water systems surveyed since last September failed to meet certain security standards set by the Environmental Protection Agency, exposing them to cyberattacks that can cripple wastewater and water sanitation systems around the country, the EPA said Monday.

Some facilities have “critical” vulnerabilities spotted in recent EPA inspections, including default passwords that were used to log into platforms and other operational technology during first-time setup but were never updated with new credentials.

The figure was part of an enforcement alert issued by the agency urging water system owners and operators to shore up their networks’ security by taking inventory of their operational assets, conducting cybersecurity awareness training and transitioning certain systems off the internet, among other things.

EPA will also be increasing water infrastructure inspections and, in certain cases, “will take civil and criminal enforcement actions, including in response to a situation that may present an imminent and substantial endangerment,” an agency press release said.

Community water systems serving more than 3,300 people are required to conduct a series of safety assessments and revise their response plans every five years, as part of Section 1433 of the Safe Drinking Water Act. “These failures involve potential violations of 1433 and miss an opportunity to safeguard operations” through the risk and resilience assessments, the agency said of the 70% fail rate.

The alert was motivated by several incidents over the past year involving nation-state hackers and affiliate cybercrime groups burrowing into water systems, displaying messages on front-facing water treatment readouts or sabotaging other functionalities.

The U.S. water landscape is a complex regulatory environment, with legal authorities and management often backed by state and local governments. Unlike federal institutions, many rural water operators don’t have the necessary access to funding or resources needed to improve their digital defenses.

The EPA has tried to push hardened security mandates onto water operators, but the agency in October rescinded a memorandum that would have directed providers to evaluate the cyber defenses of their water systems when conducting sanitation surveys. The measure, which the agency said was permissible under the Safe Drinking Water Act, faced legal pushback from GOP-led states and trade groups.

Multiple nation-state adversaries have been able to breach water infrastructure around the country. China has been deploying its extensive and pervasive Volt Typhoon hacking collective, burrowing into vast critical infrastructure segments and positioning along compromised internet routing equipment to stage further attacks, national security officials have previously said.

In November, IRGC-backed cyber operatives broke into industrial water treatment controls and targeted programmable logic controllers made by Israeli firm Unitronics. Most recently, Russia-linked hackers were confirmed to have breached a slew of rural U.S. water systems, at times posing physical safety threats.

The EPA and National Security Council in March urged states to stay alert for cyber threats targeting the water sector. “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” their missive said.

A FERC official also recently testified that dam systems are at risk of cyberattacks, and said that new dam cybersecurity guidance can be reasonably developed within the next nine months.