
EPA Issues Alert After Finding Critical Vulnerabilities in Drinking Water Systems

The EPA has issued an enforcement alert, outlining the steps needed to comply with the Safe Drinking Water Act.

The US Environmental Protection Agency (EPA) on Monday issued an enforcement alert to outline the measures needed to protect drinking water systems against cyber threats. 

Inspections conducted by the EPA since September 2023 found that more than 70% of water systems do not fully comply with the Safe Drinking Water Act. The inspections found that some systems have critical cyber vulnerabilities, including ones introduced by the use of default passwords and authentication systems that can be easily compromised. 

The agency has outlined the steps drinking water system operators need to take to secure their assets.

The top recommendations include reducing the internet exposure of systems, conducting regular assessments, changing default passwords, making inventories of IT and OT assets, developing and exercising incident response and recovery plans, backing up systems, addressing vulnerabilities, and conducting awareness training. 

“The agency will increase the number of planned inspections and, where appropriate, will take civil and criminal enforcement actions, including in response to a situation that may present an imminent and substantial endangerment,” the EPA said. “Inspections will ensure that water systems are meeting their requirements to regularly assess resilience vulnerabilities, including cybersecurity, and to develop emergency response plans.”

Following a series of potentially disruptive cyberattacks against the water sector in the United States, the government has been taking action to enhance the security of critical systems and respond to attacks. This includes publishing cybersecurity guidance and sanctioning state-sponsored threat actors believed to be behind attacks on water systems. 

Recent incidents include ransomware attacks, Iran-linked hackers targeting industrial control systems (ICS), and Russia-linked hackers causing a water overflow in a small Texas town.

Pete Nicoletti, global CISO at cybersecurity firm Check Point, told SecurityWeek that his company has been seeing attacks against the water sector. 

“This situation will lead to more compromises by attackers located in China, Russia, and Iran,” Nicoletti said. “Security executives need to immediately reach out to their trusted advisors to ensure they have an updated security program in place.”

“Strategies will include: scan and find all IoT devices and categorize those risks, IoT devices relegated to a dedicated segment, and access to those IoT devices extremely managed. Protect those IoT devices by limiting their access for management and updates to whitelisted sites and IP addresses. Protection devices need to be ruggedized to support field deployments and since hardwired networks are costly and difficult to deploy, those security devices must have cellular connectivity,” the expert added.

For utilities with limited resources, Nicoletti recommends outsourcing their security program and using managed security services.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

