The EPA is cracking down on cybersecurity threats

After finding ‘alarming’ vulnerabilities to cyberattack, the EPA is stepping up inspections of drinking water systems.

A collection of warning signs, bugs, and notifications emulating malware or a cyber attack. The images are placed in a connected web against a blue background.
Illustration by Carlo Cadenas / The Verge
Justine Calma is a senior science reporter covering energy and the environment with more than a decade of experience. She is also the host of Hell or High Water: When Disaster Hits Home, a podcast from Vox Media and Audible Originals.

The Environmental Protection Agency is ramping up its inspections of critical water infrastructure after warning of “alarming vulnerabilities” to cyberattacks.

The agency issued an enforcement alert yesterday warning utilities to take quick action to mitigate threats to the nation’s drinking water. The EPA plans to increase inspections and says it will take civil and criminal enforcement actions as needed.

“Cyberattacks against [community water systems] are increasing in frequency and severity across the country,” the alert says. “Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.”

More than 70 percent of water systems inspected since September 2023 failed to comply with mandates under the Safe Drinking Water Act (SDWA) that are meant to reduce the risk of physical and cyberattacks, the EPA said. That includes failing to take basic steps like changing default passwords or cutting off former employees’ access to facilities. Since 2020, the EPA has taken more than 100 enforcement actions for violations of that section of the SDWA.

“Foreign governments have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future,” the enforcement alert says. One example it cites is Volt Typhoon, a People’s Republic of China state-sponsored cyber group that has “compromised the IT environments of multiple critical infrastructure organizations,” according to a Department of Homeland Security advisory issued in February.

Hacktivists in Russia, likely linked to the Sandworm group that attacked Ukraine’s power grid, caused an overflow at a water facility in Texas in January, CyberScoop reports, although the incident didn’t disrupt service to customers. Last year, a Pennsylvania water facility was forced to rely on manual operations after an attack by hackers linked to the Iranian Islamic Revolutionary Guard Corps.

The EPA’s enforcement alert asks utilities to follow recommendations for maintaining cyber hygiene, including conducting awareness training for employees, backing up OT / IT systems, and avoiding exposure to the public-facing internet.

It follows a letter EPA administrator Michael Regan and national security advisor Jake Sullivan sent to state governors earlier this year warning them of cyber risks to the nation’s drinking and wastewater systems. It led to a March convening where the National Security Council asked each state to come up with an action plan to address those vulnerabilities by late June.
