A Cybersecurity Warning Caused the EPA to Issue a Nationwide Drinking Water Warning Over Concerns for National Security

By: Stephanie Bontorin | Published: May 21, 2024

The Environmental Protection Agency (EPA) issued an alert on Monday urging thousands of water utility systems to take action to protect drinking water from cyberattacks. The group hopes that by issuing the alert, water treatment plants and utility companies will be ahead of any disasters or attacks.

The alert comes at a time when cybersecurity attacks have been prevalent throughout multiple industries in the U.S.

Most Water Systems Fail To Meet Code

In a recent report, federal agencies found that more than 70% of the United States drinking water systems don’t fully comply with the Safe Drinking Water Act requirements.

An aerial view of a large water processing plant with circular water bins

Source: Ivan Bandura/Unsplash

The EPA added that many water utility companies lack critical cybersecurity protections. Customer data can easily be accessed by sophisticated hackers who intend to penetrate web pages and servers. Even more, hackers can infiltrate systems to stop the flow of drinking water, alter the usage of chemicals, and more. 

Recent Cyber Attacks Compromised a Third of All American’s Data

A recent cyberattack on a UnitedHealth Group subsidiary compromised the detailed billing information of almost a third of all U.S. residents. A group of hackers by the monicker “BlackCat” shut down the billing system that accounts for billions of dollars collected daily.

A hacker in a black hood sitting at a desk with a computer. He is also holding a smartphone and both screens have lots of writing in green and red.

Sora Shimazaki/Pexels

The company was able to reinstate its billing process when the company’s CEO wired the hackers $22 million as a ransom payment. The attack that took place in February is still under investigation, and the full scope of compromised data has yet to be determined.

Potential Impacts of Cyberattacks

The full implications of cyberattacks on water utility companies have yet to be fully known. But for now, the possibilities include interruptions to water treatment and storage and damage to pumps and valves. Chemicals used in water and sewage treatment facilities could also be altered to a dangerous level.

Employee of a cybersecurity firm holding a clipboard

Source: Freepik

The EPA warns that hackers could interrupt the computer processes that help many water facilities run. In a press release, EPA Deputy Administrator Janet McCabe said, “In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business.”

Possible Culprits Identified

The press release details that China, Russia, and Iran have “disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.”

A Russian flag waves in the wind against a blue sky

Source: Egor Filin/Unsplash

The constant manipulation by foreign governments has raised concerns about national security in the past. Recently, Russia has been accused of attempting to interfere with the 2024 U.S. Presidential election.

Recent Cyberattacks: a Warning of More To Come

In late 2023, an Iranian hacker group known as “Cyber Av3ngers” threatened a small Pennsylvania town’s water provider. A utility company in Texas faced similar threats when a Russian-linked “hacktivist” group attempted to disrupt regular operations.

Hacker on laptop in the dark

More cyberattacks were recorded when a group in China called “Volt Typhoon” compromised multiple infrastructure systems, including drinking water in the U.S. and worldwide. Experts warn that more attacks are expected as the world becomes increasingly accessible online.


The White House Warned of Water-Related Attacks in March

The EPA’s alert on Monday closely follows the White House’s warnings in March that potential attacks threatened the U.S.’s water systems.

Front view of the White House with its iconic white facade and columns. The lawn is lush green, adorned with colorful tulips and a fountain, under a clear blue sky

Source: Wikimedia Commons

The White House issued a letter to all 50 U.S. governors detailing detailed information. The letter noted that the Iranian Government Islamic Revolutionary Guard Corps (IRGC) has executed several “malicious cyberattacks” against drinking water systems and other infrastructure.


Water Systems are Attractive Targets for Hackers

Micheal S. Regan, an EPA administrator, and White House National Security Adviser Jake Sullivan wrote that “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.”

Michael S. Regan smiles while wearing a blue sweater vest and a blue dress shirt

Source: @no_okiedoke/X

Cutting off essential services to residents could pose an immediate danger. Hackers often look for the most vulnerable systems that they can exploit to accomplish their goals.


Better Training Needed for Water Utility Companies

To better protect essential infrastructure, more comprehensive training and systems updates will be needed by the wastewater companies.

A person washing their hands at a metal sink

Source: Kristine Wook/Unsplash

Better cyber security can only protect the American people and prevent covert attacks. Hackers often use weak spots in security systems to access detailed customer information or sensitive company processes.


The EPA Will Assist in Training Water Utility Companies

To gain better security, smaller water companies will have the free assistance of the EPA to upgrade their security measures. McCabe said water providers should avoid using default passwords and will need to update their risk assessment plan in case of an emergency.

Two water towers, one labeled "Stamford" and the other "Bulldogs," stand in a rural Texas setting,

Source: Wikimedia Commons

Water treatment plants also need functioning backup systems in case hackers can destroy them from the inside.


Cyberthreats Will Be Difficult To Deal with in the Expansive System

More than 50,000 community water providers operate throughout the U.S. Helping each of these small companies will be an expansive task. Many operate with minimal staff and tiny budgets without much room for costly cyber upgrades.

A line pumps water into a low lying lake next to another body of water

Source: @WaterUCIrvine/X

Most water providers in the country focus on meeting basic needs, providing clean water, and complying with basic regulations.


More Resources Are Needed To Resolve the Threat

Amy Hardberger, a water expert at Texas Tech University, said of the security overhaul, “Certainly, cybersecurity is part of that, but that’s never been their primary expertise. So, now you’re asking a water utility to develop this whole new sort of department.”

The exterior of a large university building with towers and turrets with a statue of a red figure on a red horse

Source: @TexasTech/X

Forcing small utility companies to overhaul their systems or create entirely new departments is a lot to ask. The government will need more resources to assist in protecting national security on a small scale.