The Environmental Protection Agency earlier this week issued an enforcement alert, explaining cybersecurity threats and vulnerabilities to community drinking water systems (CWSs) and actions needed by these systems in order to comply with the Safe Drinking Water Act (SDWA).

The alert is part of a government-wide effort – led by the National Security Council and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency – to reduce the nation’s infrastructure and cybersecurity vulnerabilities. EPA issued the alert because threats to, and attacks on, the nation’s water system “have increased in frequency and severity to a point where additional action is critical.”

“Because water utilities often rely on computer software to operate their treatment plants and distribution systems, protecting information technology and process control systems from cyberattacks is vital,” the EPA said.

Section 1433 of the SDWA requires all CWSs serving more than 3,300 people to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs) and certify their completion to the EPA. Additionally, systems must review their RRA and ERP every five years, revise them if necessary, and certify completion of these steps as well to EPA. These assessments and plans help water systems to evaluate and reduce risks from both physical and cyber threats. EPA has a range of enforcement options available, including emergency powers (SDWA Section 1431, 42 U.S.C. § 300i) and criminal sanctions (pursuant to 18 U.S.C. Section 1001 for knowingly and willfully providing false certifications).

Based on actual incidents, EPA states that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts. EPA noted that recently there have been “disruptive cyberattacks from adversarial nation states [that] have impacted water systems of all sizes, including many small systems.” 

The EPA also reported that recent EPA inspections since September 2023 have revealed that “the majority of water systems inspected – over 70 percent – do not fully comply with requirements in the SDWA and that some of those systems have critical cybersecurity vulnerabilities,” such as default passwords that have not been updated and single logins that can easily be compromised. EPA has also found instances of inadequate RRAs and/or ERPs. 

EPA states that it will increase the number of planned inspections pursuant to SDWA section 1433 and will take civil and criminal enforcement actions if appropriate, including in response to a situation “that may present an imminent and substantial endangerment.” EPA believes the inspections will ensure that water systems are meeting their requirements to regularly assess resilience vulnerabilities, including cybersecurity, and to develop emergency response plans. 

In addition, EPA, CISA, and the FBI strongly recommend that system operators take steps outlined in Top Actions for Securing Water Systems: 

• Reduce exposure to public-facing internet.
• Conduct regular cybersecurity assessments.
• Change default passwords immediately.
• Conduct an inventory of OT/IT assets.
• Develop and exercise cybersecurity incident response and recovery plans.
• Backup OT/IT systems.
• Reduce exposure to vulnerabilities.
• Conduct cybersecurity awareness training.

Water utilities can find other helpful information on cyber risks and available resources from EPA’s Cybersecurity for the Water Sector web page, its Cybersecurity Assessments webpage, and the joint EPA and CISA Water and Wastewater Cybersecurity website.