Cyberattacks against water supplies are rising

The federal government says utilities need to do more to protect drinking water

A device in Aliquippa, Pennsylvania, was hacked by an Iranian group in 2023. (Municipal Water Authority of Aliquippa via AP)

WASHINGTON, D.C. — Cyberattacks against water utilities across the country are becoming more frequent and more severe, the Environmental Protection Agency warned Monday as it issued an enforcement alert urging water systems to take immediate actions to protect the nation’s drinking water.

About 70% of utilities inspected by federal officials over the last year violated standards meant to prevent breaches or other intrusions, the agency said. Officials urged water systems to improve protections against hacks. Recent cyberattacks by groups affiliated with Russia and Iran have targeted smaller communities.

Some water systems are falling short in basic ways, the alert said, including failure to change default passwords or cut off system access to former employees. Because water utilities often rely on computer software to operate treatment plants and distribution systems, protecting information technology and process controls is crucial, the EPA said. Possible impacts of cyberattacks include interruptions to water treatment and storage; damage to pumps and valves; and alteration of chemical levels to hazardous amounts, the agency said.

“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” said EPA Deputy Administrator Janet McCabe.

Attempts by private groups or individuals to get into a water provider’s network and take down or deface websites aren’t new. More recently, however, attackers have targeted utilities’ operations instead.

Recent attacks are not just by private entities. Some recent hacks of water utilities are linked to geopolitical rivals and could lead to the disruption of the supply of safe water to homes and businesses.

McCabe named China, Russia and Iran as the countries that are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.”

Late last year, an Iranian-linked group called “Cyber Av3ngers” targeted multiple organizations including a small Pennsylvania town’s water provider, forcing it to switch from a remote pump to manual operations. They were going after an Israeli-made device used by the utility in the wake of Israel’s war against Hamas.

Earlier this year, a Russian-linked “hacktivist” tried to disrupt operations at several Texas utilities.

A cyber group linked to China and known as Volt Typhoon has compromised information technology of multiple critical infrastructure systems, including drinking water, U.S. officials said. Cybersecurity experts believe the China-aligned group is positioning itself for potential cyberattacks in the event of armed conflict.

“By working behind the scenes with these hacktivist groups, now these (nation states) have plausible deniability.” said Dawn Cappelli, a cybersecurity expert with the industrial cybersecurity firm Dragos Inc.

The world’s cyberpowers are believed to have worked for years planting malware that could be triggered to disrupt basic services.

“We want to make sure that we get the word out to people that ‘Hey, we are finding a lot of problems here,’” McCabe said.

EPA did not say how many cyber incidents have occurred in recent years, and the number of attacks known to be successful so far is few.