Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities
EPA Increases Enforcement Activities to Ensure Drinking Water Systems Address Cybersecurity Threats
This Enforcement Alert provides community water systems (CWSs) with information on immediate steps they can take to ensure compliance with the Safe Drinking Water Act (SDWA) Section 1433 and to reduce cybersecurity vulnerabilities.
Cyberattacks against CWSs are increasing in frequency and severity across the country. Based on actual incidents, we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.
Implementing basic cyber hygiene practices can help your utility prevent, detect, respond to, and recover from cyber incidents. Because water utilities often rely on computer software to operate their treatment plants and distribution systems, protecting information technology and process control systems from cyberattacks is vital. Small water systems are not immune from cyberattacks. Recently, disruptive cyberattacks from adversarial nation states have impacted water systems of all sizes, including many small systems. As a result of these increased threats, the U.S. Environmental Protection Agency (EPA) is increasing its enforcement activity to protect our nation’s drinking water.
Section 1433 of the SDWA requires all CWSs serving more than 3,300 people to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs) and certify their completion to EPA. Additionally, systems must review their RRA and ERP every five years, revise them if necessary, and certify completion of these steps to EPA. These assessments and plans help water systems to evaluate and reduce risks from both physical and cyber threats.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency, EPA, and other federal entities have issued numerous advisories for cyberattacks against information networks and process control systems at water and wastewater systems by malicious cyber actors, including the Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated cyber actors, Pro-Russia Hacktivists and the People’s Republic of China (PRC) state-sponsored cyber actors (known as Volt Typhoon, Vanguard Panda and other names). These malicious cyber actors have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.
Utilities can find helpful information on cyber risks and available resources to assist CWSs from EPA's Cybersecurity for the Water Sector web page and the joint EPA and CISA Water and Wastewater Cybersecurity website.
EPA Inspections Identify Alarming Vulnerabilities
Over 70% of the systems inspected by EPA since September 2023 are in violation of basic SDWA Section 1433 requirements, including missing specific sections of the RRA and ERP. When on site, EPA inspectors have identified alarming cybersecurity vulnerabilities at drinking water systems across the country and taken actions to address them. For example, some water systems failed to change default passwords, used single logins for all staff, or failed to curtail access by former employees. EPA also has found instances of inadequate RRAs and/or ERPs because analysts did not, for example, include an assessment of the resilience of systems or strategies and resources to improve the resilience of the cybersecurity of those systems. These failures involve potential violations of Section 1433 and miss an opportunity to safeguard operations through the RRAs and ERPs.
As part of EPA’s multi-year drinking water National Enforcement and Compliance Initiative, Increasing Compliance with Drinking Water Standards, inspectors are assessing CWS compliance with SDWA Section 1433. Given the vulnerabilities and attacks on systems, EPA also will increase the number of CWS inspections that focus on cybersecurity. Where vulnerabilities are identified and may present an imminent and substantial endangerment to public health, enforcement actions may be appropriate under SDWA Section 1431 to mitigate those risks.
EPA is Increasing Inspections and Enforcement
EPA has taken over 100 SDWA enforcement actions nationally against CWSs for violations of Section 1433 since 2020, which was the first deadline for systems to develop and update their RRAs and ERPs. These enforcement actions have been based on various findings, including failure to certify and failure to address the statutorily required elements in the RRAs and ERPs, which include looking at cyber threats. As EPA steps up inspections, the Agency intends to use enforcement authorities to quickly address problems that it observes in the field, such as failure to prepare adequate RRAs and ERPs (SDWA Section 1433). EPA has a range of enforcement options available, including emergency powers (SDWA Section 1431, 42 U.S.C. § 300i) and criminal sanctions (pursuant to 18 U.S.C. Section 1001 for knowingly and willfully providing false certifications).
There are many resources available to assist utilities with making these essential changes. Visit EPA’s Office of Water website for information and resources for water and wastewater systems related to cybersecurity.
Helpful Resources and Information
- EPA Cybersecurity for the Water Sector
- EPA and CISA’s Water and Wastewater Toolkit
- Cybersecurity assessment for drinking water and wastewater systems
Disclaimer: This Enforcement Alert addresses select provisions of the Safe Drinking Water Act using plain language. Nothing in this Enforcement Alert is meant to replace or revise any applicable permit, any EPA regulatory provision, or any other part of the Code of Federal Regulations, the Federal Register, or the Safe Drinking Water Act.