Cyber-attacks on drinking water systems are occurring more frequently and represent a significant threat to the U.S. They represent a challenge to our nation because the U.S. water system is made up of 150,000 individual systems, and 93% serve fewer than 3,000 people. Most of these water systems are run by municipalities, with little funding to hire experts in cyber security, and many are using old computer systems that are difficult and expensive to upgrade to current standards.
A year ago, I wrote about the EPA’s challenge in protecting drinking water systems from cyber threats. The problem has only increased since that time:
- A water system in Pennsylvania reported a cyber-attack by a pro-Iranian group that took over computer screens with pro-Iranian messages (November 2023). The workers took the equipment offline and could continue supplying drinking water to the community. The pro-Iranian group has pledged to attack any entities with ties to Israel (the water system used software with components from an Israeli-owned company).
- A day after the Pennsylvania attack, a water utility in north Texas serving over 2 million people experienced a cyber-attack that affected their computer network, but their water system was unaffected
Government-wide Approach
The Cybersecurity and Infrastructure Agency (CSIA) is the government agency in charge of securing critical infrastructure against cyber threats. The Infrastructure Security Division coordinates and collaborates across the government and private sector and has programs dealing specifically with water and wastewater systems. One program consists of free assessments to water utilities to identify and address cybersecurity weaknesses.
CSIA does important work coordinating cybersecurity issues across the government. Still, it cannot substitute for the work done by the different federal agencies, many of which are vastly underfunded, to protect our critical infrastructure. For 2025, the EPA is requesting an additional $24 million to support infrastructure resilience, part of which is dedicated to cybersecurity. The budget also proposes a $25 million competitive grant program for water utilities to improve cybersecurity.
EPA’s Approach
The EPA’s authority over drinking water comes from the Safe Drinking Water Act (SDWA), enacted in 1974 and amended and reauthorized in 1986 and 1996. In 2018, America’s Water Infrastructure Act was signed into law, amending the SDWA to require community water systems of over 3,300 people to develop or update risk and resilience assessments and emergency response plans that assess cyber and physical risks to water systems.
EPA’s initial proactive approach was to expand an existing requirement under the SDWA: that all water systems periodically conduct on-site sanitary surveys. These surveys are used to identify unsanitary conditions impacting the quality of drinking water and now include a cybersecurity review.
Several states and organizations representing water suppliers objected to this approach. In April 2023, the States of Missouri, Arkansas, Iowa, the American Water Works Association (AWWA), and the National Rural Water Association sued the EPA over the cybersecurity memorandum, saying it was an “unfunded mandate” involving significant costs without additional funding.
In an unusual occurrence, the EPA withdrew its cybersecurity memorandum after the litigation was filed. The Agency did not provide an alternative plan to address cybersecurity, stating at that time, “The Agency will continue to explore opportunities to lower cybersecurity risk for public water systems.”
The EPA appears to have shifted to a more reactive enforcement approach to drive change across the nation’s 150,000 drinking water systems, as demonstrated by its May 20th enforcement alert:
“Over 70% of the systems inspected by EPA since September 2023 are in violation of basic SDWA 1433 requirements, with problems including failure to change default passwords, single logins for all staff, or failing to curtail access by former employees."
The enforcement alert contains no new regulations or initiatives but increases the number of water system inspections focusing on failure to complete or update risk and resilience assessments and emergency response plans and threatens enforcement actions against those water systems.
Federal Legislation
In April 2024, legislation was introduced in the House of Representatives that authorizes an independent, non-federal entity, the Water Risk and Resilience Organization (WRRO), to lead and develop cybersecurity requirements for drinking water and wastewater systems. The WRRO would work closely with the EPA and is inspired by a similar public-private approach currently in place for the U.S. electric sector.
This legislation was based on an approach laid out by the American Water Works Association (AWWA), the largest association representing water utilities in the U.S. The approach consists of a private-public partnership that leverages the technical knowledge of water systems, cybersecurity experts, and regulators to implement a risk management strategy for drinking water. The WRRO would develop, conduct reviews, and enforce “cyber risk and resilience requirements” for all water systems that serve more than 3,300 people, with the EPA providing oversight and approval of the requirements. Fines could be imposed on water systems that fail to meet the requirements.
The past year has demonstrated that cyber threats against drinking water systems are growing. We should not wait until the nation undergoes a crippling attack against its water systems to act. The EPA does not even consider protecting drinking water infrastructure as one of its top five priorities for 2024 and beyond. [1]
The enforcement approach now advocated by the EPA is inadequate. With so many small water systems scattered across the country, industry expertise is needed to address the unique needs of each water system, with technical assistance and education provided by experts in the field. The WRRO legislation offers this comprehensive approach, and it should be approved soon. Waiting is not an option.
[1] The EPA’s top 5 priorities: 1) Reducing PFA exposure, 2) Tackling climate change, 3) Enhancing drinking water compliance standards, 4) Reducing catastrophic chemical risks, 5) Cleaning up coal ash contamination
