June 2024

EPA Issues Warning to Utilities About Cyber Attacks

The U.S. Environmental Protection Agency (EPA) is urging municipalities across
the United States to take additional security precautions in the wake of recent
cybersecurity attacks.
The attacks were seemingly committed by hackers from foreign nations and
targeted small communities in Texas and Pennsylvania. This, in combination with
an EPA inspection of drinking water systems across the U.S., revealed
cybersecurity weaknesses and prompted their warning to utilities, including some
in Michigan.
Some of the actions EPA recommends drinking water systems take to strengthen
their security include:
 Reducing exposure to public-facing internet
 Conducting regular cybersecurity assessments
 Changing default passwords immediately
 Conducting an inventory of operational technology/information technology
(OT/IT) assets
 Developing and exercising cybersecurity incident response and recovery
 Backup OT/IT systems
 Reducing exposure to vulnerabilities
 Conducting cybersecurity awareness training
Along with steps laid out by EPA, there are many other critical questions that
community leaders need to ask themselves when it comes to evaluating how
vulnerable their water systems might be to a cyber attack.
Some security system failures identified by EPA in its inspections of utilities
included default passwords that had not been updated for some time, in addition
to single logins that could be easily compromised.
While attacks in some states were resolved quickly (despite one in Texas causing a
water system to overflow) a worst-case scenario could mean total contamination
of a water system, and EPA believes this is not the last time the U.S. will face this
kind of threat.

The EPA said it’s offering technical assistance, training, and educational resources
to any communities that might need them as they navigate potential security
system updates.
Along with discovering cybersecurity weaknesses, EPA inspections also revealed
that more than 70 percent of water systems studied do not meet the clean water
standards outlined in the Safe Drinking Water Act.
For that reason, it’s increasing planned inspections.