Dive Brief:
- The Environmental Protection Agency warned that the majority of U.S. water utilities it inspected are at risk of compromise by malicious hackers because they use default passwords that have not been updated or single logins, the agency said in an alert released Monday.
- The EPA said more than 70% of water utilities inspected since September 2023 are out of compliance with requirements under the Safe Drinking Water Act by, for example, using single logins for multiple employees or failing to cut off access to former employees.
- The EPA said it has taken more than 100 enforcement actions against community water systems since 2020 and will ramp up future inspections. The EPA may take criminal enforcement actions in cases of imminent or substantial danger.
Dive Insight:
The alert follows months of heightened threat activity against U.S. and U.K. water and wastewater treatment facilities by state-affiliated threat groups linked to Iran, China and Russia as well as criminal ransomware activity.
The EPA said certain utilities failed to assess the resilience of their systems or lacked resources to improve cybersecurity resilience.
“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” said EPA Deputy Administrator Janet McCabe, in the announcement about the planned inspections.
Officials from the Water-ISAC said Monday the alert was more related to ongoing activities by several state-linked groups, including Volt Typhoon, linked to China, the Cyber Army of Russia Reborn and Cyber Av3ngers, a hacktivist group linked to the Islamic Revolutionary Guard Corps in Iran.
In March, White House and EPA officials spoke in an urgent meeting with state environmental and health officials, seeking updated plans on how to defend their water utilities against attack. Federal officials asked state agency leaders to get back to them by May with an update on their levels of preparedness.
EPA officials said the plan is part of a larger federal effort that includes the Cybersecurity and Infrastructure Security Agency and the National Security Agency to protect critical infrastructure against heightened threats.
CISA officials noted the resource deficiencies during the RSA Conference earlier this month. Of the 150,000 water utilities across the country, 95% don’t have a cybersecurity professional on staff, said Brandon Wales, executive director at CISA.
“In many cases, the water utilities have found themselves unable through lack of resources to complete some of the basic best practice cyber hygiene activities and sooner or later this will reach a breaking point,” said Chris Walcutt, CSO of DirectDefense. Walcutt spoke about the resource issue facing water utilities during the RSA Conference and works with the American Water Works Association on addressing some of these issues.
Senior Reporter Matt Kapko contributed to this story.