
Water utility systems across over 300 U.S. locations exposed to potential threats due to security lapses revealed by a federal investigation

EPA lacks a documented strategy for collaborating with CISA on incident reports, according to the agency's Office of Inspector General.

Investigation reveals potential weaknesses in over 300 American water utility systems

In a recent report, the Environmental Protection Agency's (EPA) Office of Inspector General (OIG) highlighted potential cybersecurity risks at water utilities across the United States. The report, based on passive scanning of only 1,062 drinking water systems, identified critical or high-risk vulnerabilities in 97 systems serving over 26 million people, as well as medium- to low-risk vulnerabilities in another 211 systems serving almost 83 million people.

Following the release of this report, the EPA and the Cybersecurity and Infrastructure Security Agency (CISA) have stepped up their efforts to address these vulnerabilities. The agencies are working together to implement multiple measures aimed at enhancing the cybersecurity posture of US drinking water infrastructure.

One of the key current measures is the provision of free cybersecurity assessments. The EPA offers water and wastewater utilities confidential evaluations through its Water Sector Cybersecurity Evaluation Program, while CISA provides automated vulnerability scanning tools to public water systems and public wastewater treatment plants.

In addition to these assessments, the EPA's Cybersecurity Helpdesk for the Water Sector offers direct consultation and technical support to water systems and primacy agencies to address cybersecurity questions and challenges. The EPA has also developed a cybersecurity checklist derived from CISA's Cybersecurity Performance Goals to help water and wastewater utilities implement robust operational technology (OT) and IT security practices.

The agencies are also integrating cybersecurity assessments and plans into regulatory and monitoring activities. For example, states like Massachusetts are incorporating cybersecurity assessments into sanitary surveys and capacity evaluations of public water systems as part of Emergency Response Planning. Cybersecurity is also being considered in Drinking Water State Revolving Fund (DWSRF) grant and loan evaluations.

To promote cyber hygiene best practices, the EPA and CISA conduct webinars and outreach efforts to promote awareness and provide training on evaluating threats and vulnerabilities in drinking water systems. They also co-develop incident response guides to aid in preparation and response to cyber incidents in water utilities.

The US Department of Agriculture (USDA) and the White House have also launched a program to help rural water utilities improve their cyber resilience, with the National Rural Water Association serving as a partner. This one-year program aims to boost cyber resilience by providing technical assistance, guidance, tools, training, and funding to rural water utilities.

The growing threat of cyberattacks on water systems has been a concern for some time. Over the past year, a growing number of utilities have faced attacks from criminal ransomware and state-linked threat groups, including adversaries linked to Russia, China, and Iran. CISA has repeatedly emphasized the risks water systems face from cyberattacks due to poor cyber hygiene and misconfiguration.

In response to these concerns, the EPA and CISA are actively taking steps to address cybersecurity vulnerabilities in US drinking water systems. An EPA spokesperson confirmed that the agency has been working closely with the sector to address cybersecurity concerns, and EPA Inspector General Sean O'Donnell urged the EPA to prioritize the resilience of water systems and take the issues highlighted in the report seriously.

Last month, American Water Works, the nation's largest regulated water utility, was targeted in a cyber intrusion and had to take certain systems offline. This incident underscores the need for continued vigilance and action to protect our nation's water systems from cyber threats.

In conclusion, the EPA and CISA are providing water utilities with technical assistance, guidance, tools, training, and funding to address cybersecurity concerns. These efforts reflect a comprehensive approach to enhancing the cybersecurity posture of US drinking water infrastructure, focusing on vulnerability assessments, technical assistance, integration in regulatory oversight, promotion of cyber hygiene, and collaborative preparedness and response resources.

  1. The Environmental Protection Agency (EPA)'s Office of Inspector General (OIG) identified critical or high-risk cybersecurity vulnerabilities in 97 water systems across the United States, serving over 26 million people.
  2. To combat these risks, the EPA and the Cybersecurity and Infrastructure Security Agency (CISA) are collaborating to implement various measures aimed at enhancing the cybersecurity posture of US drinking water infrastructure.
  3. The EPA offers confidential cybersecurity assessments through its Water Sector Cybersecurity Evaluation Program, while CISA provides automated vulnerability scanning tools to public water systems and public wastewater treatment plants.
  4. The White House and the US Department of Agriculture (USDA) have launched a program to help rural water utilities improve their cyber resilience, with the National Rural Water Association serving as a partner.
  5. The growing threat of ransomware attacks on water systems has been a concern for some time, with a growing number of utilities facing attacks from criminal groups and state-linked threat actors, including those from Russia, China, and Iran.
