EPA Cracks Down on US Water System Cybersecurity Violations
The Environmental Protection Agency is intensifying its cybersecurity monitoring of U.S. drinking water systems after recent inspections revealed that a significant number of the inspected systems have inadequate cybersecurity measures in place.
According to Bank Info Security, a recently published alert says EPA inspectors have identified “alarming cybersecurity vulnerabilities” at drinking water systems nationwide and highlights the use of default passwords and single logins for all staff.
The Safe Drinking Water Act includes an entire component, titled Section 1433, mandating certain security, risk management and public notification requirements for community and non-community water systems. Those basic requirements include conducting risk and resilience assessments, developing emergency response plans and establishing procedures to notify the public and law enforcement in the event of a physical or cyber incident. But more than 70% of systems inspected since September 2023 are in violation of them, according to the EPA.
The EPA is warning owners and operators of U.S. drinking water systems that the agency “intends to use enforcement authorities to address problems quickly,” such as the failure to prepare emergency response plans or to conduct risk and resilience assessments as required by the Safe Drinking Water Act.
The agency also encouraged owners and operators of U.S. drinking water systems to immediately change their passwords, reduce their systems’ exposure to the public-facing internet, conduct regular cybersecurity assessments and back up both their operational and information technology systems, among other key recommendations.