The U.S. Environmental Protection Agency (EPA) didn’t take steps to protect the nation’s water supply against cyberattacks, according to a watchdog report released today by the EPA Office of Inspector General. Though there were some incidents that occurred in 2015 and 2016, EPA failed to consistently identify cybersecurity risks across its portfolio of drinking-water infrastructure projects.
“A review of cybersecurity incidents in the water sector” is a report that was done by the Environmental Protection Agency. The report states that the EPA’s cybersecurity oversight of the water sector falls short.
According to cyber and water sector specialists, U.S. water facilities are grappling with obvious cybersecurity issues and get minimal help from federal authorities.
Many water systems are small and operated by local governments, with few resources to invest in cybersecurity technologies and personnel. According to Mark Montgomery, senior director of the Center on Cyber and Technology Innovation, part of The Foundation for Defense of Democracies, a Washington think tank, federal funding and security standards for the sector are needed to protect drinking water and wastewater operators from a rising number of ransomware attacks.
In a study set to be released on Thursday, the foundation recommends a $45 million boost in the Environmental Protection Agency’s cybersecurity and disaster management budget.
According to Mr. Montgomery, who is also the executive director of the federal Cyberspace Solarium Commission, the EPA, which controls the water sector, has to recruit more cybersecurity professionals and enhance training and funding for utilities.
The EPA’s office for homeland security, which offers cybersecurity training and tools, received $11.3 million in fiscal year 2021 and sought $15.4 million in fiscal year 2022. According to the paper, there are about 52,000 drinking water and 16,000 wastewater systems in the United States.
“Water is especially fragile among infrastructures,” Mr. Montgomery added.
The Cybersecurity and Infrastructure Security Agency, as well as other government agencies, warned last month that continuing hacking of water facilities threatens their capacity to “supply clean, drinkable water to, and properly manage the wastewater of, their communities.” Since the beginning of 2019, CISA has identified five attacks against water utilities, four of which were ransomware.
“We have tools to help water and wastewater utilities in planning for, recognizing, reacting to, and recovering from cyber-attacks,” an EPA spokeswoman said in an email. “The EPA collaborates extensively with the water sector as well as other federal, state, municipal, tribal and territorial, and business sector partners.”
For the water industry, the EPA has not developed any legally mandated cybersecurity requirements. Risk assessments and emergency response plans must be completed by operators who serve more than 3,300 people.
This year, the Biden administration enacted additional regulations for other critical infrastructure sectors, such as requiring pipeline companies to notify the Transportation Security Administration if they are attacked or hacked. Certain train operators are required to take security measures such as reporting cyberattacks to the Department of Homeland Security, according to a security requirement issued last month.
“This is a major risk, and the EPA isn’t doing nearly enough to address it,” Rep. Mike Gallagher (R., Wis.), a co-chair of the Cyberspace Solarium Commission, stated. “It’s not resourced or structured to engage and help the water industry.” Legislation to give targeted money to the EPA and CISA to assist water facilities may be required, but there is unlikely to be a need for a statute providing the EPA more authority, he noted.
According to Mr. Gallagher, the EPA was already designated as the sector risk-management agency supervising water infrastructure in the 2021 National Defense Authorization Act, which Congress enacted in January. As a result of its new status, the agency now has additional obligations, including offering technical support to water operators to help them discover vulnerabilities and respond to security issues.
In response to previous attacks, the EPA’s inspector general’s office initiated an assessment of the agency’s cybersecurity management of the water sector in July. It is too early to predict when the audit will be completed, according to a representative for the inspector general’s office.
According to Superintendent Jim Leighton, a ransomware attack on Limestone Water and Sewage in Limestone, Maine, during the July 4 weekend damaged an office computer and most alarms for the district’s sewer system. He indicated the alarms had been turned off for roughly a month. The facility was running on an out-of-date version of Microsoft Windows.
Limestone Water and Sewage serves roughly 400 people, and its sewer department has an annual budget of about $150,000, the majority of which is spent on power to operate equipment, according to him. The facility paid roughly $6,000 for a new computer, software update, and servicing after the attack, but did not pay the requested ransom, he claimed.
Mr. Leighton believes that grants for small utilities to purchase equipment following a cyber event would be beneficial. “That’s a colossal outlay.”
Levels of sodium hydroxide were remotely adjusted during a hack of a water-treatment facility in Oldsmar, Fla., in February. After seeing the alteration, a plant operator reversed it and contacted his supervisor, according to Pinellas County Sheriff Bob Gualtieri.
Attacking a water facility, according to Paul Stockton, former assistant secretary of defense for homeland security, could have a terrible ripple effect on other important sectors. “Adversaries may target the water sector as a possible assault target in order to cause cascade failures across numerous infrastructure sectors and risk health and safety,” he added.
The Foundation for Defense of Democracies also advocates for the creation of a cooperative regulatory structure run by the government and the water industry, similar to how the energy sector establishes best practices.
According to Michael Arceneaux, managing director of the Water Information Sharing and Analysis Center, a nonprofit organization that helps water facilities exchange information about cyber threats, small water facilities are particularly vulnerable to cyberattacks because many don’t have the budget to hire a chief information security officer or even a technology director.
“To assist them, Congress has to write a very hefty check,” he added.
Catherine Stupp can be reached at [email protected]
Copyright 2021 Dow Jones & Company, Inc. All Rights Reserved.