
Water management authorities to intensify security measures due to the majority of water utilities lacking cybersecurity precautions.

Utilities could face both civil and criminal consequences due to recurring assaults on drinking and wastewater treatment plants.

Water Management Agency to Bolster Monitoring Due to Majority of Water Utilities Lacking Cybersecurity Measures


The Environmental Protection Agency (EPA) has issued a stark warning about the cybersecurity risks facing U.S. water utilities, highlighting the growing threat from sophisticated and well-resourced adversaries targeting critical water infrastructure.

In an urgent meeting in March, White House and EPA officials spoke with state environmental and health officials, seeking updated plans on how to defend water utilities against attack. The planned inspections are part of EPA's mission to protect the nation's drinking water from cyberattacks.

The EPA's concerns are not unfounded. Certain water utilities have failed to assess the resilience of their systems or lacked resources to improve cybersecurity resilience. This has left them vulnerable to disruption and contamination risks, as demonstrated by the Oldsmar, Florida incident where an attempt was made to alter water chemistry.

Nation-state and advanced cyber groups, such as Iranian-linked groups like CyberAv3ngers, have shown the capability and willingness to exploit vulnerabilities in industrial control systems of water utilities. They employ tactics including brute-force login attacks, credential harvesting, multi-factor authentication (MFA) bombing, and exploitation of outdated software and insecure remote access.

Water utilities are also increasingly targeted by ransomware and extortion groups, who disrupt service or seize control of critical operational technology in pursuit of ransom payments. These attacks often leverage legacy systems and insufficient IT resources.

The evolving threat landscape is compounded by geopolitical tensions, AI-powered phishing, deepfake-based social engineering, and the broad reach of cyber operations unconstrained by physical borders or treaties.

In response, the EPA and related bodies are promoting stronger, coordinated cybersecurity measures. This includes the adoption of enforceable cybersecurity requirements for public water systems serving over 3,300 people, annual cybersecurity vulnerability analyses, incident response plans, and reporting and training mandates.

Over $9 million in grants have been allocated to mid-size and large water systems for improving cybersecurity resilience and sustainability, guided by recommendations from the EPA’s Water Sector Cybersecurity Task Force. This investment involves leadership training, technical assistance, operator certification integration, and coordination with state CIOs.

The EPA has taken over 100 enforcement actions against community water systems since 2020 and plans to increase future inspections. The primary concern for CISOs is determining whether their organizations are potential targets for cyber threats.

The EPA's alert follows months of heightened threat activity against U.S. and U.K. water and wastewater treatment facilities. This activity has been linked to state-affiliated threat groups from Iran, China, and Russia, as well as criminal ransomware activity.

In light of these threats, a holistic, collaborative approach involving government agencies, industry associations, and utilities is being emphasised to normalise cybersecurity practices and improve defensive posture across the sector. The plan includes a larger federal effort involving the Cybersecurity and Infrastructure Security Agency and the National Security Agency to protect critical infrastructure against heightened threats.

As the role of Chief Information Security Officers (CISOs) evolves, they are tasked with helping corporate stakeholders better understand the risk calculus of their technology stacks. This understanding is crucial in determining whether they are potential targets and in implementing necessary measures to protect against these threats.

  1. The Environmental Protection Agency (EPA) has underlined the growing threat of ransomware and advanced cyber groups targeting critical water infrastructure in the U.S.
  2. The EPA has emphasized the need for enforceable cybersecurity requirements for public water systems, including annual vulnerability analyses, incident response plans, reporting, and training mandates.
  3. To improve cybersecurity resilience and sustainability, the EPA has allocated over $9 million in grants to mid-size and large water systems, providing leadership training, technical assistance, and operator certification integration.
  4. In light of the increasing cyber threats against water utilities, a collaborative approach involving government agencies, industry associations, and utilities aims to normalize cybersecurity practices and improve defensive posture across the sector.
