EPA warns of increased cybersecurity scrutiny toward water systems

Cyberattacks against public drinking water systems have increased in recent years, posing a threat to public health and security, the EPA said. The Safe Drinking Water Act requires systems to be cyber secure.

But preliminary EPA inspections found more than 70 percent of systems checked were not secure. Some systems were using default passwords and single logins, which made them vulnerable to cybercriminals and threat actors, the agency said.

The EPA will increase its number of planned inspections to make sure systems are secure and that they have emergency response plans, it said in an enforcement alert Monday. The agency urged systems follow recommendations written by the EPA, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation. The recommendations include conducting regular cybersecurity risk assessments, holding cybersecurity awareness training, and safeguarding any public-facing internet interfaces.

Not being in full compliance with the act might invite civil—or criminal–enforcement actions by the EPA, the agency said.

“EPA’s new enforcement alert is the latest step that the Biden-Harris administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health,” EPA Deputy Administrator Janet McCabe said in a press release.

The EPA’s increased scrutiny is part of a broader effort by the National Security Council (NSC) and Department of Homeland Security to strengthen the cybersecurity of the nation’s infrastructure. The NSC has asked states to identify their most vulnerable water systems and have strategies in place for mitigating those risks by late June. The agencies have said they want businesses and infrastructure entities to start reporting significant cyber incidents to them.