The United States is taking steps to better protect public drinking water and sewer systems from cyberattacks that could cut off service or contaminate supplies.
The Environmental Protection Agency on Friday issued a new memorandum ordering all public water systems to meet a series of basic cybersecurity requirements while also making cybersecurity audits a part of regularly scheduled safety inspections.
“We know Americans rely on these critical services, and we know that Americans expect that they are resilient to cyberattacks,” White House Deputy National Security Adviser Anne Neuberger told reporters, ahead of the memorandum’s release.
“There have been cyberattacks against water systems in the United States and in countries around the world, so this is an incredibly timely action,” she added.
The rollout of the new cybersecurity requirements for public water systems comes just a day after the White House unveiled what it described as a new, aggressive National Cyber Strategy that seeks to shift much of the responsibility for cybersecurity from individuals and consumers to tech and software companies, in part through more stringent federal regulation.
“We need to change the underlining rules of the game to get ourselves the advantage,” Acting National Cyber Director Kemba Walden told an audience in Washington Thursday. “I want cybersecurity to be an unfair fight.”
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), there are approximately 153,000 public drinking water systems in the U.S., which provide water to more than 80% of the U.S. population.
Another 16,000 publicly owned systems provide wastewater treatment services to about 75% of the U.S. population.
But despite the heavy reliance on these systems, U.S. officials warn cybersecurity has been weak, with some surveys finding that only about 20% of publicly owned water systems have implemented basic cybersecurity measures, leaving the water sector “at risk” to cyberattacks.
“This is not hypothetical,” EPA Assistant Administrator Radhika Fox told reporters.
“This is happening right now,” she said. “We have seen these types of attacks from California to Florida, Kansas, Maine and Nevada.”
Data provided by CISA shows that between 2019 and early 2021, there were at least five cyberattacks on U.S. public water systems.
Four of the attacks involved the use of ransomware, and in one of those incidents, a wastewater treatment center was forced to switch to manual operation until control of the computer system was restored.
In the fifth case, a former employee tried unsuccessfully to contaminate the water supply, using his still-active credentials to access the system.
In yet another incident, in February 2021, hackers accessed a water system serving about 15,000 people near Tampa, Florida, and sought to add a dangerous amount of lye to the water supply, though officials say the attempt was detected and stopped before anyone could have been hurt.
U.S. national security and intelligence officials have also warned repeatedly that key sectors, including water, could come under cyberattack from U.S. adversaries.
“We have to be concerned about the possibility of Russian action, Russian aggression against Western infrastructure, Western facilities,” White House National Security Adviser Jake Sullivan said in September 2022, following the sabotage of one of the Nord Stream pipelines.
In its 2022 Worldwide Threat Assessment, the U.S. intelligence community further warned China could seek to exploit cybersecurity gaps plaguing U.S. critical infrastructure.
“China almost certainly is capable of launching cyberattacks that would disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems,” the report said.
The U.S. Department of Homeland Security implemented heightened cybersecurity requirements for rail and air transportation in October 2021. New cybersecurity requirements for pipeline owners and operators were introduced last July.