The U.S. Environmental Protection Agency (EPA) has issued an enforcement alert about serious cyber threats to, and vulnerabilities in, community drinking water systems.
The National Security Council and the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security are leading a larger government-wide effort to make the country’s infrastructure and cybersecurity less vulnerable. This report is part of that effort.
Increasing Frequency and Severity of Attacks
Janet McCabe, Deputy Administrator of the EPA, said this issue is very important: “Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to make sure that our nation’s drinking water is protected from cyberattacks.”
The alert shows that online threats to the country’s water systems are becoming more common and more dangerous, so strong action is needed right away.
Recent EPA inspections found that more than 70% of inspected water systems do not fully comply with the requirements of the Safe Drinking Water Act.
Many of these systems have major security weaknesses, such as unchangeable default passwords and single logins that are easily compromised.
The EPA and its state and federal security and intelligence partners are working to find and fix these weaknesses to protect community drinking water.
Enhanced Inspection and Enforcement Activities
The EPA’s alert emphasizes the importance of continuing to inspect and enforce Section 1433 of the Safe Drinking Water Act.
The agency plans to conduct more inspections and, if needed, take civil and criminal enforcement measures.
These inspections will verify that water systems regularly assess their systems for weaknesses, including cybersecurity risks, and develop full emergency response plans.
EPA, CISA, and the FBI strongly recommend that water system operators take the following steps to enhance cybersecurity:
- Reduce exposure to public-facing internet.
- Conduct regular cybersecurity assessments.
- Change default passwords immediately.
- Conduct an inventory of OT/IT assets.
- Develop and exercise cybersecurity incident response and recovery plans.
- Back up OT/IT systems.
- Reduce exposure to vulnerabilities.
- Conduct cybersecurity awareness training.
Recently, EPA Administrator Michael S. Regan and National Security Advisor Jake Sullivan talked to the governors of the United States about how serious these threats are and how important it is for government and state partners to work together.
The National Security Council has told all fifty states that they need to make an action plan by the end of June to fix the biggest cybersecurity vulnerabilities in their water and sewer systems.
Establishment of a Task Force
The EPA is setting up a task force with the Water Sector Coordinating Council and the Water Government Coordinating Council.
This Task Force will develop more short-term steps and plans to make water and sewer systems across the country less vulnerable to cyberattacks.
The EPA is committed to helping the water industry with cybersecurity by giving them direct access to experts in the field.
EPA and CISA will also provide water systems with advice, tools, training, resources, and technical assistance so they can perform important cybersecurity tasks.
As part of its Cybersecurity Evaluation program, the EPA will also check the security of small water systems.