Skip Navigation

US says cyberattacks against water supplies are rising, and utilities need to do more to stop them

apnews.com US says cyberattacks against water supplies are rising, and utilities need to do more to stop them

The Environmental Protection Agency warns that cyberattacks against water utilities around the U.S. are becoming more frequent and more severe.

Cyberattacks against water utilities across the country are becoming more frequent and more severe, the Environmental Protection Agency warned Monday as it issued an enforcement alert urging water systems to take immediate actions to protect the nation’s drinking water.

About 70% of utilities inspected by federal officials over the last year violated standards meant to prevent breaches or other intrusions, the agency said. Officials urged even small water systems to improve protections against hacks. Recent cyberattacks by groups affiliated with Russia and Iran have targeted smaller communities.

Some water systems are falling short in basic ways, the alert said, including failure to change default passwords or cut off system access to former employees. Because water utilities often rely on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is crucial, the EPA said. Possible impacts of cyberattacks include interruptions to water treatment and storage; damage to pumps and valves; and alteration of chemical levels to hazardous amounts, the agency said.

McCabe named China, Russia and Iran as the countries that are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.”

33
33 comments
  • We could do that... or we could raise rates again for the third time this month and record another year of record profits. After much consideration, we'll do the latter, but you better be ready to bail us out if we get hacked.

    25
  • Why are any of them not air gapped?

    24
    • I've worked on SCADA systems for water automation in a municipal water supply. The meters, valve positions, and sensors can have a tunnel back to the main office and generally aren't accessible unless someone physically breaks into something. With a proper remote solution it's pretty secure (as secure as anything, anyway) to access and manage things from anywhere cutting down water waste and time when problems occur.

      The issue, as usual, is people. I can't tell the story, but I can say that managers and higher ups at municipal water departments will override decisions to make things more accessible without proper protections because they refuse to understand the concept of even the most basic security. Not every water department, obviously, but I can absolutely point to several that will demand easy access with no VPN because they want to use their fucking home computer, and when you won't provide it they'll hire someone else who will.

      19
    • I can pay my bill online. That means there is a connection between the systems. They need to add up all the water everyone in my neighborhood uses compared to how much they pumped into my neighborhood - if there is a difference there is a leak someplace. While each link only needs to be connected to the next, eventually there is a system that is connected to the internet, and so the whole cannot be air gaped. Not to mention the internet is a really easy place to connect everything to.

      Also, it is really nice if you work at the utility to be able to control the pumps and valved scattered all over the city without having to physically go to each one. Or better yet automatic control - which is only possible if all the systems are connected - see above about one of those systems leading to my bill and so must be connected.

      Air gap is useful for a few military systems. Everything else (including most military systems) are better off networked. However we do need to protect the network better.

      -5
  • So my "prepper" neighbor is on to something...

    14
    • I can't tell you what I do, but if you saw the stupid shit my firm sees, you'd be a prepper too.

      10
      • This sounds like the sort of thing I've heard preppers tell me for the almost 50 years I've been around.

        And I'll repeat what I usually say: If society collapses to that point, I don't want to survive the aftermath. I have no Mad Max fantasies.

        20
      • What does your firm do and what do you see?

        1
  • The EPA has faced setbacks. States periodically review the performance of water providers. In March 2023, the EPA instructed states to add cybersecurity evaluations to those reviews. If they found problems, the state was supposed to force improvements.

    But Missouri, Arkansas and Iowa, joined by the American Water Works Association and another water industry group, challenged the instructions in court on the grounds that EPA didn’t have the authority under the Safe Drinking Water Act. After a court setback, the EPA withdrew its requirements but urged states to take voluntary actions anyway.

    The Safe Drinking Water Act requires certain water providers to develop plans for some threats and certify they’ve done so. But its power is limited.

    "I don't need a safety on a gun! Safety is for sissies! ......[incident]..... Gah, I just blew my fucking foot off! Why didn't anybody WARN me of the danger, this is all the goverment's fault!"

    6
  • Congress needs to enact something with teeth so the government can enforce netsec on important commercial infrastructure.

    They also need to be forced to be transparent about breaches (at least to the go).

    6
You've viewed 33 comments.