The U.S. Environmental Protection Agency (EPA) is requiring states to assess the cybersecurity safety of their public water systems (PWS) because many have not adopted best practices and are believed to be at risk of cyberattack.
EPA Describes Risks to Water Systems
Efforts to improve cybersecurity through voluntary measures have yielded minimal progress to protect the nation’s vitally important drinking water systems. While some PWSs have taken important steps to improve their cybersecurity, many are at risk by individuals, criminal gangs, or a sophisticated state or state-sponsored actors, the EPA said.
EPA Assistant Administrator for Water Radhika Fox explained the current imperative:
“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyberattacks have the potential to contaminate drinking water, which threatens public health. EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems."
Managed security service providers (MSSPs) engaged in public drinking water critical infrastructure facilities could find a new source of opportunity through the EPA’s regulatory action.
Florida Water System Attack Repelled
Two years ago, a quick-thinking employee thwarted a chilling attempt by unknown hackers to poison a Florida town’s water treatment plant. The attack may have involved hackers leveraging TeamViewer remote control software to target PCs that run Microsoft’s antiquated Windows 7 operating system.
In an alert about the water treatment facility attack, the Cybersecurity Infrastructure and Security Agency (CISA) mentioned both of those software packages without specifically stating they were used in the attack.
The cyber crew reportedly gained remote access to the city of Oldsmar’s (near Tampa) water supply and tried to contaminate it with high levels of sodium hydrochloride (lye), a highly caustic chemical. Lye is water soluble and is commonly used to purify drinking water to reduce the levels of toxic metals. However, in large amounts it can cause chemical burns.
There have been other events where software patches that included security upgrades weren’t made, the EPA said.
The EPA’s memorandum conveys that states must include cybersecurity when they conduct periodic audits of water systems (called “sanitary surveys”) and highlights different approaches for states to fulfill this responsibility. The agency is providing technical support and resources to help states and water systems implement cyber protections to lock down water systems.
