Public utilities should take urgent measures to avoid criminal prosecution.
The US Federal Environmental Protection Agency (EPA) is stepping up oversight of critical water infrastructure due to the growing threat of cyber attacks. Yesterday, the agency issued a warning calling on municipal services to immediately take measures to protect against cyber threats. In the near future, it is planned to increase the number of inspections, and if necessary, penalties and even criminal penalties will be applied to violators.
"The number and scale of cyber attacks on public utilities is growing across the country," the agency said in a warning. "Possible consequences include disruption of the processes of purification, distribution and storage of drinking water for settlements, failure of pumps and shut-off valves, as well as the possibility of increasing the concentration of chemical reagents to dangerous levels."
More than 70% of the facilities inspected since September 2023 do not meet the requirements of the Law on Safe Water Supply. The main violations include the use of standard passwords, non-disabling access for former employees, and other shortcomings in the field of information security. Over the past three years, the agency has issued more than 100 fines on these counts.
"According to reports, foreign countries have already committed cyber attacks that disrupted the operation of water supply systems, and may have laid the groundwork for their complete shutdown in the future," the organization warns. An example is the activity of the Chinese hacker group Volt Typhoon. According to a February warning from the US Department of Homeland Security, these hackers managed to break into IT systems at a number of life-support facilities.
In January of this year, hacktivists allegedly linked to the Sandworm group caused a reservoir to overflow at a water facility in Texas. Although consumer water supply was not affected in this incident. And last year, one of the facilities in Pennsylvania had to go to manual control after a hacker attack carried out by a group affiliated with the Islamic Revolutionary Guard Corps of Iran.
The EPA calls on water authorities to follow recommendations for ensuring cybersecurity and hygiene of information systems. Recommendations include regular training of employees on issues, backup of production and information systems, as well as strict measures to prevent accidental or intentional connection to public networks.
Earlier this year, EPA Chief Michael Regan and National Security Adviser Jake Sullivan sent a letter to state governors pointing out the high risks of cyber attacks in this area of life support. This was the reason for the March meeting, following which the National Security Council instructed each state to develop a specific action plan to eliminate the identified vulnerabilities by the end of June.
The US Federal Environmental Protection Agency (EPA) is stepping up oversight of critical water infrastructure due to the growing threat of cyber attacks. Yesterday, the agency issued a warning calling on municipal services to immediately take measures to protect against cyber threats. In the near future, it is planned to increase the number of inspections, and if necessary, penalties and even criminal penalties will be applied to violators.
"The number and scale of cyber attacks on public utilities is growing across the country," the agency said in a warning. "Possible consequences include disruption of the processes of purification, distribution and storage of drinking water for settlements, failure of pumps and shut-off valves, as well as the possibility of increasing the concentration of chemical reagents to dangerous levels."
More than 70% of the facilities inspected since September 2023 do not meet the requirements of the Law on Safe Water Supply. The main violations include the use of standard passwords, non-disabling access for former employees, and other shortcomings in the field of information security. Over the past three years, the agency has issued more than 100 fines on these counts.
"According to reports, foreign countries have already committed cyber attacks that disrupted the operation of water supply systems, and may have laid the groundwork for their complete shutdown in the future," the organization warns. An example is the activity of the Chinese hacker group Volt Typhoon. According to a February warning from the US Department of Homeland Security, these hackers managed to break into IT systems at a number of life-support facilities.
In January of this year, hacktivists allegedly linked to the Sandworm group caused a reservoir to overflow at a water facility in Texas. Although consumer water supply was not affected in this incident. And last year, one of the facilities in Pennsylvania had to go to manual control after a hacker attack carried out by a group affiliated with the Islamic Revolutionary Guard Corps of Iran.
The EPA calls on water authorities to follow recommendations for ensuring cybersecurity and hygiene of information systems. Recommendations include regular training of employees on issues, backup of production and information systems, as well as strict measures to prevent accidental or intentional connection to public networks.
Earlier this year, EPA Chief Michael Regan and National Security Adviser Jake Sullivan sent a letter to state governors pointing out the high risks of cyber attacks in this area of life support. This was the reason for the March meeting, following which the National Security Council instructed each state to develop a specific action plan to eliminate the identified vulnerabilities by the end of June.
