Back in February, we covered the CISA, NSA, and FBI’s warning to ramp up U.S. ports and water systems cybersecurity. Now the call is resurging, particularly around water and wastewater systems. This time, the EPA is circulating an alert that demands operators boost protections in the face of escalating threats.
A New Alarm is Sounded for Water Facility Operators
The EPA issued a recent alert raising concerns around the rising prominence of cyberattacks from Russia and Iran on water systems. In the alert, the agency highlighted that close to 70% of the United States’ community drinking water systems do not meet the standards set by the Safe Drinking Water Act, which includes cybersecurity requirements for such facilities. Vulnerabilities that remain unaddressed include simple problems such as passwords and single logins ripe for compromise, in addition to other cyber hygiene practices such as removing access for former employees.
We know that state-sponsored hackers have already been able to access water systems throughout the country. For instance, an Iranian-linked group, Cyber Av3ngers, previously infiltrated a water authority infrastructure in Aliquippa, Pennsylvania. And earlier this year, a Russian group conducted a cyberattack on a water system in Muleshoe, Texas. Therefore, the EPA has emphasized that it is critical to not only fix the vulnerabilities mentioned above, but take further steps to secure information technology and process control systems.
Some steps the agency has recommended include conducting regular assessments and cyber awareness training as well as reducing exposure to public-facing internet. Experts have also noted that identifying, scanning, and properly managing all IoT devices will be an important process in setting up strong defenses.
Shielding OT in Operations
Of course in these actions, it is also essential to ensure that you are strengthening both IT and OT networks to fend off threat actors. On top of the other recommendations, the EPA has outlined in its “Top Actions for Securing Water Systems” that operators inventory all OT/IT assets and backup such OT/IT systems.
On top of water systems, a focus on OT is picking up traction elsewhere. As reported by MeriTalk, “Sixty-eight percent of Federal operational technology (OT) administrators and managers reported experiencing an OT cyber-incident in the past year, but only half felt confident they could detect or mitigate a threat today.” As such, they are ready to invest more time and resources. MeriTalk also summarized that 90% of Federal OT leaders have experienced an increase in their agency’s prioritization of OT cybersecurity in the past two years. Nonetheless, they still face some challenges such as network visibility and exposure management.
Sources:
- “EPA Puts Teeth Into Water Sector Cyber Efforts” – Tara Seals, Dark Reading
https://www.darkreading.com/ics-ot-security/epa-water-sector-cyber-efforts - “EPA urges water utilities to protect nation’s drinking water amid heightened cyberattacks” – That Nguyen, USA Today
https://www.usatoday.com/story/news/nation/2024/05/21/epa-cyberattacks-community-water-systems/73778706007/ - “EPA Issues Alert After Finding Critical Vulnerabilities in Drinking Water Systems” – Eduard Kovacs, Security Week
https://www.securityweek.com/epa-issues-alert-after-finding-critical-vulnerabilities-in-drinking-water-systems/ - “Majority of Fed Cyber Experts Prioritizing OT, but Gaps Remain” – MeriTalk
https://www.meritalk.com/articles/majority-of-fed-cyber-experts-prioritizing-ot-but-gaps-remain/
