The U.S. Environmental Protection Agency (EPA) has issued an enforcement alert and will increase the number of planned inspections and, where appropriate, will take civil and criminal enforcement actions against providers of the nation's drinking water.The EPA noted that recent EPA inspections revealed that more than 70% of water systems it inspected do not fully comply with requirements in the Safe Drinking Water Act and that some of those systems have critical cybersecurity vulnerabilities. A common issue are default passwords that have not been updated and single logins that can easily be compromised.The EPA's move to step up inspections and compliance is in response to an increase in the frequency and severity of threats to, and attacks on, the nation’s water system. The agency said the threats have increased to such a degree that this additional action is critical.Edward Wu, founder and CEO of Dropzone AI, a company that specializes in AI-powered SOC technology for MSSPs, said that water providers would do well to leverage MSSPs to help them comply with the EPA's cybersecurity requirements.“Even though many smaller municipalities lack the funding to implement their own dedicated cybersecurity, they can leverage the power of MSSPs, which share the cost across multiple customers, to add monitoring and security management,” Wu said. “Many of these MSSPs use AI-powered SOC agents to increase efficiency and reduce costs, allowing them to service small yet critical organizations better.”Howard Goodman, technical director at Skybox Security — a company that partners with MSSPs to deliver continuous exposure management for the hybrid attack surface environments — stressed the importance of going beyond traditional patch management with respect to guarding water systems from attack.“Fostering a unified security framework necessitates comprehensive network modeling, which can offer a holistic view of both OT (operational technology) and IT environments,” Goodman said. “This approach helps in identifying and mitigating potential security gaps. Organizational silos must be dismantled to eliminate security blind spots. A collaborative culture is essential for effective cybersecurity.”For more information about how the EPA protects U.S. waterways, visit the SDWA compliance monitoring web page and learn about the National Enforcement and Compliance Initiatives for FY 2024-2027.
Resources, Training, Guidance
The EPA, along with CISA, offer guidance, tools, training, resources, and technical assistance to help water systems execute their essential tasks. The EPA will also continue to conduct cyber assessments for small water systems under our Cybersecurity Evaluation program.The EPA, CISA, and the FBI strongly recommend system operators take steps outlined in Top Actions for Securing Water Systems:- Reduce exposure to public-facing internet.
- Conduct regular cybersecurity assessments.
- Change default passwords immediately.
- Conduct an inventory of OT/IT assets.
- Develop and exercise cybersecurity incident response and recovery plans.
- Backup OT/IT systems.
- Reduce exposure to vulnerabilities.
- Conduct cybersecurity awareness training.




