The U.S. Environmental Protection Agency (USEPA) issued an enforcement alert outlining the urgent cybersecurity threats and vulnerabilities to community drinking water systems and the steps these systems need to take to comply with the Safe Drinking Water Act (SDWA). USEPA said it is issuing the alert because threats to, and attacks on, the nation’s water system infrastructure have increased in frequency and severity to a point where additional action is critical.
Recent USEPA inspections revealed over 70% of water systems inspected do not fully comply with requirements in the SDWA and that some of those systems have critical cybersecurity vulnerabilities, such as default passwords that have not been updated and single logins that can easily be compromised.
USEPA plans to increase the number of planned inspections and take civil or criminal enforcement actions as needed if a situation presents imminent and substantial endangerment. Inspections are intended to ensure water systems meet the requirements to regularly assess resilience vulnerabilities, including cybersecurity, and to develop emergency response plans. USEPA, along with the Cybersecurity and Infrastructure Security Agency, and the FBI recommend system operators take the following steps, as outlined in Top Actions for Securing Water Systems:
- Reduce exposure to public-facing internet.
- Conduct regular cybersecurity assessments.
- Change default passwords routinely.
- Conduct an inventory of OT/IT assets.
- Develop and exercise cybersecurity incident response and recovery plans.
- Backup OT/IT systems.
- Reduce exposure to vulnerabilities.
- Conduct cybersecurity awareness training.
USEPA has several cybersecurity tools and resources available to public water systems. In addition, resident experts at AE2S developed cybersecurity best practices for control systems that water utilities may find useful. Jason Schuler, AE2S Senior Information Technology (IT) Technician / Cybersecurity Specialist, and Mike Chorne, AE2S I&C Senior Specialist, provide information about the most common types of attacks and how you can keep your water system safe. If you have questions, please contact your AE2S Client Manager.