The EPA is cracking down on cybersecurity threats

The Environmental Protection Agency is stepping up its inspections of critical water infrastructure after warning of “alarming vulnerabilities” to cyberattacks.

The agency issued an enforcement alert yesterday warning utilities to take swift action to mitigate threats to the country’s drinking water. The EPA plans to increase inspections and says it will take civil and criminal enforcement action as necessary.

“Cyber ​​attacks against [community water systems] are increasing in frequency and severity across the country,” the alert it says. “Possible impacts include disrupting water treatment, distribution and storage for the community, damaging pumps and valves, and altering chemical levels to dangerous amounts.”

More than 70 percent of water systems inspected since September 2023 did not comply with Safe Drinking Water Act (SDWA) mandates that aim to reduce the risk of physical and cyberattacks, the EPA said. This includes failing to take basic steps such as changing default passwords or cutting off former employees’ access to facilities. Since 2020, EPA has taken more than 100 enforcement actions for violations of this section of the SDWA.

“Foreign governments have disrupted some water systems with cyberattacks and may have built in the ability to disable them in the future,” the report said. application alert says. An example cited is the Volt Typhoon, a state-sponsored cyber group of the People’s Republic of China that “compromised the IT environments of multiple critical infrastructure organizations,” according to a Department of Homeland Security statement issued in February.

The EPA’s enforcement alert asks utilities to follow recommendations to maintain cyber hygiene, including conducting awareness training for employees, backing up OT/IT systems, and avoiding public-facing Internet.

Follow one Letter EPA Administrator Michael Regan and National Security Advisor Jake Sullivan sent messages to state governors earlier this year, warning them about cyber risks to the nation’s drinking water and wastewater systems. This led to a meeting in March where the National Security Council asked each state to submit an action plan to address these vulnerabilities by the end of June.