Current:Home > InvestEPA warns of increasing cyberattacks on water systems, urges utilities to take immediate steps-DB Wealth Institute B2 Reviews & Ratings
EPA warns of increasing cyberattacks on water systems, urges utilities to take immediate steps
lotradecoin featureset View Date:2024-12-25 22:53:56
WASHINGTON (AP) — Cyberattacks against water utilities across the country are becoming more frequent and more severe, the Environmental Protection Agency warned Monday as it issued an enforcement alert urging water systems to take immediate actions to protect the nation’s drinking water.
About 70% of utilities inspected by federal officials over the last year violated standards meant to prevent cyberthreats, the agency said. Officials urged even small water systems to improve protections against cyberattacks, noting that recent assaults from adversarial nation states like Russia and Iran have impacted water systems of all sizes.
Some water systems are falling short in basic ways, the alert said, including failure to change default passwords or cut off system access to former employees. Because water utilities often rely on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is crucial, the EPA said. Possible impacts of cyberattacks include interruptions to water treatment and storage; damage to pumps and valves; and alteration of chemical levels to hazardous amounts, the agency said.
“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” said EPA Deputy Administrator Janet McCabe.
Attempts by private groups or individuals to get into a water provider’s network and take down or deface websites aren’t new. More recently, however, attackers haven’t just gone after websites, they’ve targeted utilities’ operations instead.
Recent attacks are not just by private entities — many have government backing in a bid to derail the supply of safe water to homes and businesses. McCabe named China, Russia and Iran as the countries that are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.”
Late last year, an Iranian-linked group called “Cyber Av3ngers” targeted multiple organizations including a small Pennsylvania town’s water provider, forcing it to switch from a remote pump to manual operations. They were going after an Israeli-made device used by the utility in the wake of Israel’s war against Hamas.
Earlier this year, a Russian-linked “hactivist” tried to disrupt operations at several Texas utilities.
A cyber group linked to China and known as Volt Typhoon has compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories, U.S. officials said.
“By working behind the scenes with these hacktivist groups, now these (nation states) have plausible deniability and they can let these groups carry out destructive attacks. And that to me is a game-changer,” said Dawn Cappelli, a cybersecurity expert with the risk management firm Dragos Inc.
The enforcement alert is meant to emphasize the seriousness of cyberthreats and inform utilities the EPA will continue its inspections and pursue civil or criminal penalties if they find serious problems.
“We want to make sure that we get the word out to people that ‘Hey, we are finding a lot of problems here,’ ” McCabe said.
Preventing attacks against water providers is part of the Biden administration’s broader effort to combat threats against critical infrastructure. In February, President Biden signed an executive order to protect U.S. ports. Health care systems have been attacked. The White House has pushed electric utilities to increase their defenses, too. EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan have asked states to come up with a plan to combat cyberattacks on drinking water systems.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,’' Regan and Sullivan wrote in a March 18 letter to all 50 U.S. governors.
Some of the fixes are straightforward, McCabe said. Water providers, for example, shouldn’t use default passwords. They need to develop a risk assessment plan that addresses cybersecurity and set up backup systems. The EPA says they will train water utilities that need help for free.
“In an ideal world ... we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that,” said Alan Roberson, executive director of the Association of State Drinking Water Administrators. “But that’s a long ways away.”
Some barriers are foundational. The water sector is highly fragmented. There are roughly 50,000 community water providers, most of which serve small towns. Modest staffing and anemic budgets in many places make it hard enough to maintain the basics — providing clean water and keeping up with the latest regulations.
“Certainly, cybersecurity is part of that, but that’s never been their primary expertise. So, now you’re asking a water utility to develop this whole new sort of department” to handle cyberthreats, said Amy Hardberger, a water expert at Texas Tech University.
The EPA has faced setbacks. States periodically review the performance of water providers. In March 2023, the EPA instructed states to add cybersecurity evaluations to those reviews. If they found problems, the state was supposed to force improvements.
But Missouri, Arkansas and Iowa, joined by the American Water Works Association and another water industry group, challenged the instructions in court on the grounds that EPA didn’t have the authority under the Safe Drinking Water Act. After a court setback, the EPA withdrew its requirements but urged states to take voluntary actions anyway.
The Safe Drinking Water Act requires certain water providers to develop plans for some threats and certify they’ve done so. But its power is limited.
“There’s just no authority for (cybersecurity) in the law,” said Roberson.
Kevin Morley, manager of federal relations with the American Water Works Association, said some water utilities have components that are connected to the internet — a common, but significant vulnerability. Overhauling those systems can be a significant and costly job. And without substantial federal funding, water systems struggle to find resources.
The industry group has published guidance for utilities and advocates for establishing a new organization of cybersecurity and water experts that would develop new policies and enforce them, in partnership with the EPA.
“Let’s bring everybody along in a reasonable manner,” Morley said, adding that small and large utilities have different needs and resources.
___
Phillis reported from St. Louis.
___
The Associated Press receives support from the Walton Family Foundation for coverage of water and environmental policy. The AP is solely responsible for all content. For all of AP’s environmental coverage, visit https://apnews.com/hub/climate-and-environment
veryGood! (999)
Related
- Meta kills off misinformation tracking tool CrowdTangle despite pleas from researchers, journalists
- Judge rules Alabama can move forward, become first state to perform nitrogen gas execution
- Germany’s Scholz condemns alleged plot by far-right groups to deport millions if they take power
- Rams QB Matthew Stafford eyes wild-card playoff return to Detroit after blockbuster trade
- Infamous LA officer’s gun found in $1 million watch robbery case
- Third arrest made in killing of pregnant Texas teen Savanah Soto and boyfriend Matthew Guerra
- These Best Dressed Stars at the Emmys Deserve a Standing Ovation for Their Award-Worthy Style
- FACT FOCUS: Discovery of a tunnel at a Chabad synagogue spurs false claims and conspiracy theories
- State, local officials failed 12-year-old Pennsylvania girl who died after abuse, lawsuits say
- 27 Rental Friendly Décor Hacks That Will Help You Get Your Deposit Back
Ranking
- Millions of kids are still skipping school. Could the answer be recess — and a little cash?
- CNN anchor Sara Sidner reveals stage 3 breast cancer diagnosis: I am still madly in love with this life
- Taxes after divorce can get . . . messy. Here are seven tax tips for the newly unmarried
- Georgia Senate nominates former senator as fifth member of election board
- The president of Columbia University has resigned, effective immediately
- Taxes after divorce can get . . . messy. Here are seven tax tips for the newly unmarried
- $100 million gift from Lilly Endowment aims to shore up HBCU endowments
- Nick Saban retiring as Alabama football coach
Recommendation
-
Horoscopes Today, August 14, 2024
-
Video shows Virginia police save driver from fiery wreck after fleeing officers
-
1000-Lb Sisters' Tammy Slaton Becomes Concerned About Husband Caleb Willingham After Date Night
-
Online sports betting arrives in Vermont
-
Detroit judge orders sleepy teenage girl on field trip to be handcuffed, threatens jail
-
'Mommy look at me!': Deaf 3-year-old lights up watching 'Barbie with ASL'
-
DeSantis and Haley jockey for second without Trump and other takeaways from Iowa GOP debate
-
Double Big Mac comes to McDonald's this month: Here's what's on the limited-time menu item