Security Experts:

Connect with us

Hi, what are you looking for?



EPA Mandates States Report on Cyber Threats to Water Systems

The Biden administration said it would require states to report on cybersecurity threats in their audits of public water systems, a day after it released a broader plan to protect critical infrastructure against cyberattacks.

Cyber threats to water supply

The Biden administration on Friday said it would require states to report on cybersecurity threats in their audits of public water systems, a day after it released a broader plan to protect critical infrastructure against cyberattacks.

The Environmental Protection Agency said public water systems are increasingly at risk from cyberattacks that amount to a threat to public health.

“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox. “Cyberattacks have the potential to contaminate drinking water.”

Fox said the EPA would assist states and water systems in building out cybersecurity programs, adding that states could begin using EPA’s guidance in their audits right away. The agency did not respond immediately to questions about enforcement deadlines.

EPA said it would help states and water systems with technical know-how. The announcement made no mention of new financial assistance.

Biden administration officials said recent surveys show that states are inconsistent in their efforts to protect drinking water systems from cyberattacks — mainly on the operational technology used for safe drinking water. The EPA also said many water systems do not have cybersecurity practices — and that voluntary measures have “yielded minimal progress.” Experts have said many municipalities lack the money and expertise.

In 2021, a hacker’s failed attempt to poison the water supply of a small Florida city near Tampa raised alarms about the vulnerability of the nation’s 151,000 public water systems. Local officials said the intruder used a remote access program to increase the sodium hydroxide — used to lower acidity, but a burn risk in high concentrations — to be added to the water by a factor of 100. A supervisor monitoring a plant console caught the activity and stopped it.

Some experts questioned whether EPA’s approach would be effective.

Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta

Mike Hamilton, former chief security officer for the city of Seattle, said performing such assessments would be hard to do at scale across water utilities, which vary greatly in size and resources across the country. And Tracy Mehan, executive director of government affairs at the American Water Works Association, said the plan puts states in a tough position by saying that such reporting should start immediately.

The American Water Works Association said training for states on cybersecurity risks was still ongoing.

EPA’s memo came a day after the White House released a wide-ranging cybersecurity plan to counter rising threats to government agencies, private industry, schools, hospitals and other key infrastructure that are often breached. That plan also included measures to hold software companies responsible when their products fail to meet certain standards.

Anne Neuberger, deputy national security advisor for Cyber and Emerging Technologies, said Friday that EPA’s memo for states would establish minimum cybersecurity measures for municipal water systems after the administration previously did so for pipelines and the rail sector.

“Americans deserve to have confidence in their water systems’ resilience to cyberattackers,” Neuberger said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Siemens and Schneider Electric address nearly 100 vulnerabilities across several of their products with their February 2023 Patch Tuesday advisories.