EPA Issues Alert After Finding Critical Vulnerabilities in Drinking Water Systems

 

The EPA has issued an enforcement alert, outlining the steps needed to comply with the Safe Drinking Water Act.

The US Environmental Protection Agency (EPA) on Monday issued an enforcement alert to outline the measures needed to protect drinking water systems against cyber threats.

Inspections conducted by the EPA since September 2023 found that more than 70% of water systems do not fully comply with the Safe Drinking Water Act. The inspections found that some systems have critical cyber vulnerabilities, including ones introduced by the use of default passwords and authentication systems that can be easily compromised.

The agency has outlined the steps drinking water system operators need to take to secure their assets.

The top recommendations include reducing the internet exposure of systems, conducting regular assessments, changing default passwords, making inventories of IT and OT assets, developing and exercising incident response and recovery plans, backing up systems, addressing vulnerabilities, and conducting awareness training.

“The agency will increase the number of planned inspections and, where appropriate, will take civil and criminal enforcement actions, including in response to a situation that may present an imminent and substantial endangerment,” the EPA said. “Inspections will ensure that water systems are meeting their requirements to regularly assess resilience vulnerabilities, including cybersecurity, and to develop emergency response plans.”

Following a series of potentially disruptive cyberattacks against the water sector in the United States, the government has been taking action to enhance the security of critical systems and respond to attacks. This includes publishing cybersecurity guidance and sanctioning state-sponsored threat actors believed to be behind attacks on water systems.

Recent incidents include ransomware attacks, Iran-linked hackers targeting industrial control systems (ICS), and Russia-linked hackers causing a water overflow in a small Texas town.

Pete Nicoletti, global CISO at cybersecurity firm Check Point, told SecurityWeek that his company has been seeing attacks against the water sector.

“This situation will lead to more compromises by attackers located in China, Russia, and Iran,” Nicoletti said. “Security executives need to immediately reach out to their trusted advisors to ensure they have an updated security program in place.”

“Strategies will include: scan and find all IoT devices and categorize those risks, IoT devices relegated to a dedicated segment, and access to those IoT devices extremely managed. Protect those IoT devices by limiting their access for management and updates to whitelisted sites and IP addresses. Protection devices need to be ruggedized to support field deployments and since hardwired networks are costly and difficult to deploy, those security devices must have cellular connectivity,” the expert added.

For utilities with limited resources, Nicoletti recommends outsourcing their security program and using managed security services.

Source: securityweek.com