EPA Intensifies Inspections as Cybersecurity Threats Jeopardize Public Drinking Water Systems

The Environmental Protection Agency (EPA) is ramping up its inspections of public drinking water systems after discovering that a majority of those reviewed were susceptible to cyberattacks and related threats.

According to the EPA, cyberattacks on public drinking water systems have surged in recent years, posing significant risks to public health and security. The Safe Drinking Water Act mandates that these systems must be cyber secure.

However, preliminary EPA inspections revealed that over 70 percent of the systems checked were not secure. The agency noted that some systems were using default passwords and single logins, making them easy targets for cybercriminals and threat actors.

In response, the EPA announced it will increase the number of planned inspections to ensure these systems are secure and have adequate emergency response plans. In an enforcement alert issued Monday, the agency urged water systems to follow recommendations from the EPA, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation. These recommendations include conducting regular cybersecurity risk assessments, providing cybersecurity awareness training, and protecting any public-facing internet interfaces.

The EPA warned that non-compliance with the Safe Drinking Water Act could result in civil or criminal enforcement actions.

“EPA’s new enforcement alert is the latest step that the Biden-Harris administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health,” said EPA Deputy Administrator Janet McCabe in a press release.

This increased scrutiny by the EPA is part of a larger effort by the National Security Council (NSC) and the Department of Homeland Security to enhance the cybersecurity of the nation’s infrastructure. The NSC has directed states to identify their most vulnerable water systems and develop strategies to mitigate these risks by late June. Additionally, the agencies have called on businesses and infrastructure entities to start reporting significant cyber incidents to them.

By fLEXI tEAM