EPA says it will step up enforcement to address ‘critical’ vulnerabilities within water sector

The U.S. Environmental Protection Agency on Monday urged water utilities to take action to improve their digital defenses, following a spate of recent cyberattacks.

The agency’s “enforcement alert” said that recent inspections of water systems found that more than 70 percent fail to meet basic cybersecurity standards, including some with “critical” vulnerabilities, such as relying on default passwords that haven’t been updated and single logins that “can easily be compromised.” 

The notice comes after a Russian hacktivist group claimed credit for digital assaults on water sites in Texas and Indiana. Late last year, Iran-linked Cyber Av3ngers group took responsibility for striking a water authority in Pennsylvania.

“Given the vulnerabilities and attacks on systems, EPA also will increase the number” of inspections of community water systems that “focus on cybersecurity,” the agency warned.

Earlier this year, the EPA — along with the FBI and Cybersecurity and Infrastructure Security Agency (CISA) — released a manual for the water industry with more information about cyber incident response.

The EPA is also working to establish a Water Sector Cybersecurity Task Force that could identify strategies to reduce the risk of cyberattacks against water systems.

The Office of the National Cyber Director earlier this month issued its second implementation plan that included more than 30 new initiatives for the federal government to address cyber threats to the nation, including promoting the adoption of best practices in the water sector.