The latest threat to drinking water systems? Cyberattacks, EPA says

Muleshoe is a town of about 5,000 people located in north Texas. In January, it became the victim of a cyberattack by a hacking group with possible ties to the Russian government, CNN reported. The hackers’ target? The town’s drinking water system.

Few city infrastructures are more critical than drinking water systems—and many of those drinking water systems are critically vulnerable to cyberattacks, according to an enforcement alert issued May 20 by the Environmental Protection Agency, which stressed the significance of the looming threat for public water systems.

Muleshoe wasn’t an anomaly; the EPA said its enforcement alert was issued in response to an uptick in the frequency and severity of cyberattacks on water systems around the nation. The EPA also recently found that more than 70% of community drinking water systems it had inspected were not in compliance with the Safe Drinking Water Act, leaving them vulnerable to cyberattacks. In an interview with CNN, one water-sector cybersecurity expert referred to water utility systems as “low-hanging in fruit” for hackers.

Cybersecurity deficiencies in many of the nation’s public water systems include default passwords that have not been updated and single logins “that can be easily compromised,” according to the EPA.

In the case of Muleshoe, hackers broke into a remote login system that allowed operators to connect with a water tank. The hackers then caused the water tank to overflow for around 30–45 minutes before town officials shut down the compromised machine and switched to manual operations, CNN reported. Other small towns in Texas reported similar attempted cyberattacks, with Hale Center, Texas, City Manager Mike Cypert telling the Texas Tribune that there were 37,000 attempts in four days to log into their water system’s firewall. (The cyberattack was thwarted when the town shut down the system and went manual.)

The EPA said it will increase inspections on water systems and will take civil and criminal enforcement actions in instances where there is “an imminent and substantial endangerment.”

“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” EPA Deputy Administrator Janet McCabe said in a statement. “EPA’s new enforcement alert is the latest step that the Biden-Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation’s public health.”

To bolster cybersecurity, the EPA, along with the Federal Bureau of Investigations and National Security Council, recommended taking steps outlined in the Cybersecurity and Infrastructure Security Agency’s guide, “Top Actions for Securing Water Systems.” The measures include:

“Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks,” EPA Administrator Michael S. Regan stated in a letter to U.S. governors in March. “EPA and the National Security Council take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems.”