Cybersecurity threats have become a significant concern for water utilities across the United States. The U.S. Environmental Protection Agency (EPA) recently issued an urgent alert, emphasizing the increasing frequency and severity of cyberattacks on community water systems. As these attacks pose a serious threat to the nation’s public drinking water supplies, the EPA has called on water utilities to take immediate steps to mitigate cybersecurity vulnerabilities.
EPA’s Enforcement Alert: A Wake-Up Call
The EPA’s latest enforcement alert highlights “urgent cybersecurity threats and vulnerabilities” facing community drinking water systems. The agency reported that over 70% of water systems inspected since last September violated standards outlined in the Safe Drinking Water Act. This act was established to protect public health by regulating public drinking water supplies. The inspections revealed alarming cybersecurity weaknesses, including:
- Failure to change default passwords
- Lack of access revocation for former employees
- Use of single logins for all staff, increasing the risk of compromised credentials
While many of these issues are basic cyber hygiene practices, their neglect can lead to significant consequences for water utilities and consumers. The EPA stressed that potential cyberattacks could severely disrupt water services and pose risks to public health.
The Case for Enhanced Cybersecurity Measures
The EPA’s alert is not just a call to action for large water systems but also for smaller ones. Recent cyberattacks by organizations affiliated with Russia and Iran have targeted utilities in Pennsylvania and Texas, demonstrating that water systems of all sizes are vulnerable. Small water systems, in particular, are urged to strengthen their cybersecurity defenses.
Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” said EPA Deputy Administrator Janet McCabe. This statement underscores the importance of immediate and robust action to safeguard water infrastructure.
EPA’s Cybersecurity Case Study: A Model for Success
- Leadership and Management: The utility hired a full-time IT Manager to oversee both IT and operational technology (OT) systems, bringing focus and momentum to cybersecurity efforts.
- Utilization of Resources: The IT Manager leveraged several free resources and technical assistance programs, including:
- EPA’s cybersecurity assessment and technical assistance program
- Tabletop exercises by regional DHS Cybersecurity and Infrastructure Security Agency (CISA) representatives
- Nationwide Cybersecurity Review (NCSR) self-assessment based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Guidance, tools, and free services from the Multi-State Information Sharing and Analysis Center (MS-ISAC)
- American Water Works Association (AWWA) water sector cybersecurity resources
- Local water sector associations/organizations
- A cyber audit by the state auditor’s office
- Cybersecurity Enhancements:
- Implemented virtual local area networks (VLANs) to segment OT and IT networks
- Established offsite backups of critical data
- Deployed a Managed Detection and Response (MDR) service
- Employed active vulnerability detection for software updates and patches
- Completed a thorough asset inventory to identify and replace legacy equipment
- Upgraded servers and improved device security
- Ongoing Efforts: The IT Manager continues to develop IT and OT standards, covering topics like hardware retirement, incident response procedures, password control, and malware detection.
Lessons Learned
This case study highlights several key lessons for water utilities aiming to improve cybersecurity:
- Utilize available free resources to implement cybersecurity practices.
- Adopt a stepwise, systematic approach to avoid frustration.
- Invest in staff cybersecurity awareness training to build a cybersecurity culture within the utility.
Onsite Logic: Your Partner in Cybersecurity
At Onsite Logic as one of the members of the Kansas Rural Water Association, we recognize the critical need for robust cybersecurity measures to protect our nation’s drinking water. Like the medium-sized utility in the case study, our cybersecurity program offers the same comprehensive benefits of hiring a full-time IT Manager, but at a fraction of the cost. We provide the expertise, resources, and ongoing support to safeguard your water utility from cyber threats without significant expense.
Our comprehensive services include:
- Regular security audits and compliance checks
- Implementation of strong password policies and multi-factor authentication
- Continuous monitoring and threat detection
- Segmentation of IT and OT networks
- Offsite backups and disaster recovery plans
By partnering with Onsite Logic, you gain access to a team of cybersecurity experts who can provide tailored solutions to your needs. Together, we can ensure the safety and security of our community’s water systems. Contact Onsite Logic today to learn how we can help you fortify your cybersecurity defenses and protect public health.
