Chinese, Iranian and Russian gangs are attacking US drinking water and authorities are alarmed

Cyberattacks on water utilities across the country are becoming more frequent and severe, the Environmental Protection Agency warned Monday as it issued an enforcement alert urging water systems to take immediate action to protect the nation’s drinking water.

About 70% of utilities inspected by federal officials last year violated standards designed to prevent breaches or other interference, the agency said. Officials even urged small water systems to improve protection against hacking attacks. Recent cyberattacks by groups linked to Russia and Iran have targeted smaller communities.

Some water systems have fundamental flaws, the warning says. For example, default passwords are not changed or former employees are not denied system access. Because water utilities often rely on computer software to operate wastewater treatment plants and distribution systems, protecting information technology and process controls is critical, the EPA said. According to the agency, potential impacts of cyberattacks include disruptions to water treatment and storage, damage to pumps and valves, and alteration of chemical levels to dangerous amounts.

“In many cases, systems are not doing what they are supposed to do, which is to conduct a risk assessment of their vulnerabilities, which includes cybersecurity, and ensure that a plan is in place and informs the way they do business,” said EPA Deputy Administrator Janet McCabe.

Attempts by private groups or individuals to penetrate a water utility’s network and destroy or deface websites are not new. More recently, however, attackers have not only targeted websites, but also the operations of utility companies.

Recent attacks are not just being carried out by private companies. Some recent hacking attacks on water utilities are linked to geopolitical rivals and could lead to disruptions in the supply of clean water to homes and businesses.

The EPA did not say how many cyber incidents have occurred in recent years, and only a small number of successful attacks are known to date.

McCabe named China, Russia and Iran as the countries “actively seeking the opportunity to cripple U.S. critical infrastructure, including water and wastewater.”

Late last year, an Iran-linked group called “Cyber Av3ngers” targeted several organizations, including a small Pennsylvania town’s water utility, forcing it to switch from a remote pump to manual operation. They were targeting a device made in Israel that the utility had used in the course of Israel’s war against Hamas.

Earlier this year, a Russian-linked “hacktivist” attempted to disrupt the operations of several Texas utilities.

A China-linked cyber group called Volt Typhoon has compromised the information technology of several critical infrastructure systems, including drinking water, in the United States and its territories, U.S. officials said. Cybersecurity experts believe the China-allied group is positioning itself for possible cyberattacks in the event of an armed conflict or increasing geopolitical tensions.

“By working behind the scenes with these hacktivist groups, these (nation states) now have plausible deniability and can let these groups carry out destructive attacks. And that to me is a game changer,” said Dawn Cappelli, cybersecurity expert at industrial cybersecurity firm Dragos Inc.

The world’s cyber powers are believed to have been infiltrating their competitors’ critical infrastructure for years and planting malware that could be triggered to disrupt essential services.

The enforcement alert is intended to highlight the severity of the cyber threats and inform utilities that the EPA will continue its inspections and impose civil or criminal penalties if it finds serious problems.

“We want to make sure we tell people, ‘Hey, we have a lot of problems here,’” McCabe said.

Preventing attacks on water utilities is part of the Biden administration’s broader efforts to combat threats to critical infrastructure. In February, President Joe Biden signed an executive order to protect U.S. ports. Health systems have been under attack. The White House has also urged utilities to strengthen their defenses. EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have asked states to develop a plan to combat cyberattacks on drinking water systems.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a vital sector of critical infrastructure, but often lack the resources and technical capacity to implement rigorous cybersecurity practices,” Regan and Sullivan wrote in a March 18 letter to all 50 US governors.

Some of the solutions are straightforward, McCabe said. For example, water utilities should not use default passwords. They need to develop a risk assessment plan that takes cybersecurity into account and put backup systems in place. The EPA says it will provide free training to water providers who need help. Larger utilities typically have more resources and the know-how to defend against attacks.

“In an ideal world … we want everyone to have a basic level of cybersecurity and be able to certify that they have it,” said Alan Roberson, executive director of the Association of State Drinking Water Administrators. “But that’s still a long way off.”

Some obstacles are fundamental. The water sector is highly fragmented. There are around 50,000 municipal water suppliers, most of which serve small towns. Modest staffing levels and meager budgets in many places make it difficult enough to maintain what’s essential – providing clean water and keeping up with the latest regulations.

“Certainly cybersecurity is part of it, but that was never their main competency. Now you’re asking a water utility to develop an entirely new department to deal with cyber threats,” said Amy Hardberger, a water expert at Texas Tech University.

The EPA has suffered setbacks. States regularly monitor the performance of water utilities. In March 2023, EPA directed states to add cybersecurity assessments to these reviews. If they found problems, the states were to force improvements.

But Missouri, Arkansas and Iowa, along with the American Water Works Association and another water industry group, challenged the orders in court, saying the EPA lacks authority under the Safe Drinking Water Act. After a legal setback, the EPA withdrew its requirements but urged states to take voluntary action anyway.

The Safe Drinking Water Act requires certain water providers to develop plans for specific threats and certify that they have done so. But its power is limited.

“There is simply no authority for (cybersecurity) in the law,” Roberson said.

Kevin Morley, federal relations manager for the American Water Works Association, said some water utilities have components that are connected to the internet – a common but significant vulnerability. Overhauling these systems can be a large and costly task. And without significant federal funding, water systems struggle to find resources.

The industry group has released guidance for utilities and advocates for the creation of a new organization of cybersecurity and water experts to work with the EPA to develop and enforce new guidelines.

“Let’s bring everyone along in a sensible way,” Morley said, adding that small and large utilities have different needs and resources.