By STAFF REPORTS
Federal officials continue sounding the alarm over potential cyber threats and vulnerabilities around the country’s water utility systems, with another round of warnings coming in recent weeks.
In late May, the U.S. Environmental Protection Agency warned that attacks against utilities are becoming more frequent and more severe, prompting the agency to urge systems to take protections to ensure drinking water is protected.
“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” said EPA Deputy Administrator Janet McCabe, according to the Associated Press.
According to news reports, roughly 70 percent of water utilities inspected by federal officials violated standards designed to protect systems from hackers, according to the EPA. Russian- and Iranian-affiliated groups have been targeting smaller communities to gain access and disrupt operations.
Utilities are often not taking basic cybersecurity actions, such as changing default passwords and cutting off system access to former employees, leading to increased vulnerabilities. As utilities modernize the software used to monitor and protect drinking water sources, practices must also modernize.
The Specifier reported in January that an Iranian-linked group called Cyber Av3ngers specifically targeted water utilities that were using Israel-made devices following war between Israel and Hamas.
News outlets late last year reported that fewer than 10 utilities were affected, with one in Pennsylvania identified as having been impacted.
The Associated Press also noted that a Russian-linked “hactivist” attempted to disrupt several Texas utilities’ operations, causing the system to overflow in small towns in the Texas Panhandle. Hale Center, population 2,000, and Muleshoe, population 5,000 water systems both were hit with attacks that caused water systems to overflow, according to the AP.
Marjorie Craig, Chair of the Florida Section of the American Water Works Association, told the Specifier in January that Florida’s water utilities have made cybersecurity planning a priority in recent years, and utilities vary in their reliance on operational technologies.
The Association in 2021 created a separate cybersecurity committee, the members of which share best practices, meet monthly to share relevant data, disseminate information about potential funding sources, and bring in experts to discuss legislation and trends on the topic.
Florida utility directors regularly seek out state and federal funding sources and encourage utilities of all sizes to seek out free training available through CyberFlorida, the U.S. Cybersecurity & Infrastructure Security Agency, and other resources.
EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan wrote a letter to state governors asking them to come up with a plan to combat cyberattacks on drinking water systems. “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” they wrote. “We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident.”
