EPA Puts Teeth Into Water Sector Cyber Efforts
May 21, 2024 – Published on Dark Reading
Nearly 70% of the United States’ community drinking water systems fails to comply with the Safe Drinking Water Act, according to the Environmental Protection Agency (EPA) — including the cybersecurity standards that it lays out. New EPA enforcement plans aim to turn that around.
According to an EPA alert out this week, Russia and Iran in particular have stepped up cyberattacks on the nation’s water systems, “to a point where additional action is critical.” The agency pointed to a rash of critical cybersecurity vulnerabilities of concern, including default passwords that have not been updated and single logins that can easily be compromised.
The alert is just the latest in a series of alarms on water cyber safety sounded by the feds in recent months, in response to attacks like one last November on the Municipal Water Authority of Aliquippa in Pennsylvania by an Iranian state-sponsored group called CyberAv3ngers. In its alert, the EPA didn’t offer specifics of recent attacks, but noted that “foreign governments have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.”
The government, despite anti-regulation pushback from water industry groups, has also made moves like proposing $7.5 million in new cybersecurity funding for rural water systems.
Chris Warner, OT security strategist at GuidePoint Security, says that part of the persistent problem is that sector-specific cybersecurity expertise is hard to come by.
“The challenge in the security of our water and wastewater facilities is a shortage of qualified OT security personnel, and IT security’s challenges in understanding the control systems that operate water systems pose significant challenges,” he explains. “To address these issues, forming cross-functional teams, collaborating with Critical Infrastructure Sector Liaisons, and building strong relationships with local law enforcement are crucial.”
Read More HERE.