EPA Steps Up Cybersecurity Inspections on Water Suppliers

The U.S. Environmental Protection Agency (EPA) has issued an enforcement alert and will increase the number of planned inspections and, where appropriate, will take civil and criminal enforcement actions against providers of the nation's drinking water.

The EPA noted that its recent inspections revealed that more than 70% of the water systems it inspected do not fully comply with requirements in the Safe Drinking Water Act and that some of those systems have critical cybersecurity vulnerabilities. Common issues are default passwords that have not been updated and single logins that can easily be compromised.

The EPA's move to step up inspections and compliance is in response to an increase in the frequency and severity of threats to, and attacks on, the nation’s water system. The agency said the threats have increased to such a degree that this additional action is critical.

Edward Wu, founder and CEO of Dropzone AI, a company that specializes in AI-powered SOC technology for MSSPs, said that water providers would do well to leverage MSSPs to help them comply with the EPA's cybersecurity requirements.

“Even though many smaller municipalities lack the funding to implement their own dedicated cybersecurity, they can leverage the power of MSSPs, which share the cost across multiple customers, to add monitoring and security management,” Wu said. “Many of these MSSPs use AI-powered SOC agents to increase efficiency and reduce costs, allowing them to service small yet critical organizations better.”

Howard Goodman, technical director at Skybox Security, a company that partners with MSSPs to deliver continuous exposure management for hybrid attack surface environments, stressed the importance of going beyond traditional patch management when guarding water systems from attack.

“Fostering a unified security framework necessitates comprehensive network modeling, which can offer a holistic view of both OT (operational technology) and IT environments,” Goodman said. “This approach helps in identifying and mitigating potential security gaps. Organizational silos must be dismantled to eliminate security blind spots. A collaborative culture is essential for effective cybersecurity.”

Resources, Training, Guidance

The EPA, along with CISA, offers guidance, tools, training, resources, and technical assistance to help water systems execute their essential tasks. The EPA will also continue to conduct cyber assessments for small water systems under its Cybersecurity Evaluation program.

The EPA, CISA, and the FBI strongly recommend system operators take steps outlined in Top Actions for Securing Water Systems:

  • Reduce exposure to the public-facing internet.
  • Conduct regular cybersecurity assessments.
  • Change default passwords immediately.
  • Conduct an inventory of OT/IT assets.
  • Develop and exercise cybersecurity incident response and recovery plans.
  • Back up OT/IT systems.
  • Reduce exposure to vulnerabilities.
  • Conduct cybersecurity awareness training.

For more information about how the EPA protects U.S. waterways, visit the SDWA compliance monitoring web page and learn about the National Enforcement and Compliance Initiatives for FY 2024-2027.

EPA Identifies Water Systems Cybersecurity Flaws

The National Security Council and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are leading the effort to reduce the nation’s infrastructure and cybersecurity vulnerabilities.

EPA Deputy Administrator Janet McCabe stressed the agency’s commitment to using every means to ensure that drinking water is protected from cyberattacks.

“EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health,” McCabe said.

For a recent MSSP Alert article examining water supply cybersecurity, Token CEO John Gunn said that potential attacks on water are no less “ticking time bombs.”

Gunn offered a realistic scenario: “Imagine China invades Taiwan and we support our ally, or another scenario that leads to a broader conflict. China could then activate their earlier compromises and potentially cut off water, power, and other critical services for tens of millions of American citizens.”

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University.