The ‘Alarming Cybersecurity Vulnerabilities’ in our Water Supply

May 24, 2024

The Environmental Protection Agency (EPA) has issued an enforcement alert to the nation’s community water systems to take immediate actions to reduce cybersecurity weaknesses.

Attacks against water systems have become increasingly common, as bad actors look to disrupt key community assets and institutions.

“Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers,” the enforcement alert notes. 

The agency is recommending water systems:

• Reduce exposure to public-facing internet
• Conduct regular cybersecurity assessments
• Change default passwords immediately
• Conduct an inventory of technology assets
• Develop and exercise cybersecurity incident response and recovery plans
• Backup systems
• Reduce exposure to vulnerabilities
• Conduct cybersecurity awareness training

As part of federal law, community water systems must complete Risk and Resilience Assessments, develop Emergency Response Plans, and certify their completion to the EPA. The federal agency said more than 70 percent of the systems inspected by EPA since September 2023 are in violation of basic requirements and precautions.

“When on site, EPA inspectors have identified alarming cybersecurity vulnerabilities at drinking water systems across the country and taken actions to address them,” the enforcement alert notes. “For example, some water systems failed to change default passwords, use single logins for all staff, or failed to curtail access by former employees.”

Additional information about the enforcement alert is available online.