In the U.S., the government is requiring states to research and report on the cyber capabilities of drinking water utilities. This is part of the White House’s larger effort to protect the country’s critical infrastructure from nation-state cyber attacks and similarly dangerous threats.

The new requirements were implemented by the Environmental Protection Agency (EPA), after finding that many public water systems (PWSs) do not have cyber security programs in place.

Critical infrastructure cyber threats

The absence of cyber security programs among critical infrastructure groups is a serious issue. According to assistant administrator for water at the EPA, Radhika Fox, U.S. infrastructure is broadly under “growing” attack.

Public water systems “…are frequent targets of malicious cyber activity, which has the same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack.”

Securing water systems

In turn, the EPA advocates that cyber security reviews must be completed in tandem with operational technology reviews. If cyber security assessments are scheduled in parallel with other types of assessments, they’re more likely to be carried out, and they’re more likely to help resolve cyber security issues.

The national patchwork of water systems

Because of wildly divergent operational models for water systems across the United States, implementing cyber security standards is a challenge.

The fragmented nature of water utility coverage combined with low budgets and limited technology expertise means that many systems are not only outdated, but they’re under-protected or not cyber protected at all.

Re-prioritizing cyber security

A 2021 report issued by the Water Sector Coordinating Council, a strategy group for the water systems sector, stated that cyber security represents a key priority in the industry, from training and education to assessments and tools.

Past water system security threats

Several years ago, a former employee of the Post Rock Rural Water District in Ellsworth, Kansas, was indicted on federal charges of tampering with the water system through remote access.

As you may recall, in 2021, CyberTalk reported on an individual who had accessed the water system in Oldsmar, Florida. This individual attempted to poison the water by increasing sodium hydroxide levels. An employee managed to stop the incident before it could cause harm, but it could have resulted in a tremendous public health issue.

The U.S. Environmental Protection Agency is now renewing efforts to widely expand public water system protections.

“Americans deserve to have confidence in their water systems’ resilience to cyber attackers,” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies.

Moving the water system forward

As public water groups reevaluate cyber security protections, those that are found to have ‘significant deficiencies’ must ensure that the deficiencies are addressed, says the EPA.

Media outlets say that some organizations have more leeway than others, depending on the programs that they already have in place.

The EPA has offered some organizations technical assistance, training, and financial support for renewed cyber security efforts.

For more critical infrastructure and cyber security information, please see CyberTalk.org’s past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.