EPA To Require States To Report Public Water System Cyber Threats 

On Friday the White House said it would require states to report on cyber threats noted in their audit reports of public water systems. This comes a day after it released its new cybersecurity strategy.

The Environmental Protection Agency said public water systems are increasingly at risk from cyberattacks that amount to a threat to public health. 

“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox. “Cyberattacks have the potential to contaminate drinking water.” 

Fox said the EPA would assist states and water systems in building out cybersecurity programs, adding that states could begin using EPA’s guidance in their audits right away. The agency did not respond immediately to questions about enforcement deadlines.

Public water systems could be easy targets for hackers and, with minimal security attention/funding, might act as a front door to ransomware attacks not unlike the recent attack on Oakland, CA.

Jan Lovmand, CTO of BullWall, had this to say:

   “Often forgotten in the battle to prevent cyber attacks, physical municipal infrastructure such as public water supplies can provide an open attack surface for hackers, as evidenced by the 2021 attack on a Florida water supply. The EPA Assistant Administrator, Radhika Fox, noted that a threat to public water systems is also a threat to public health, as cyber-attacks have the potential to contaminate drinking water and said that it is essential to address the cybersecurity of these systems as a top priority to protect public health.

   “The cyber risk to public water systems is not just due to their connectivity to government networks, as it could be just as easy to shut down a city by controlling their water supply as any other aspect of their infrastructure. Municipalities that do not prioritize cybersecurity and do not have robust protections in place are at higher risk of falling victim to these types of attacks.

   “The White House is proposing that states report on cyber threats noted in their audit reports of public water systems and the EPA is offering guidance to states to assist them in building out their water supply cybersecurity programs. However, given the critical importance of these systems to public health and safety, municipalities had best prioritize cybersecurity investments now, to prevent cyber-attacks and safeguard their water supplies.”

David Brunsdon, Threat Intelligence, Security Engineer at Hyas, follows up with this comment:

   “Water systems utilize a significant amount of automation and are monitored simultaneously by the control systems and human operators. Like in Florida, 2021, threat actors could misuse the system to introduce chemicals to the water. A more sophisticated attack would be covert and would obfuscate the changes from both the plant operators and automated monitoring systems.

   “Municipal governments and water treatment plants are vulnerable to well-funded nation-state actors, and so protecting water systems should be considered a national security concern.”

This is a good move by the EPA and I hope this leads to an improvement in terms of the security of these facilities, because really bad things could happen if these facilities don’t up their game.
