The US Environmental Protection Agency (EPA) has issued an enforcement alert to address cyber threats facing drinking water systems. Recent inspections conducted by the EPA have uncovered critical vulnerabilities in more than 70% of water systems, including issues with default passwords and easily compromised authentication systems. In response, the EPA has outlined a series of recommendations for system operators to enhance security, such as reducing internet exposure, conducting regular assessments, and changing default passwords.
The EPA warns that failure to comply with cybersecurity measures may result in increased inspections and enforcement actions, including civil and criminal penalties. The agency emphasizes the importance of regularly assessing resilience vulnerabilities and developing emergency response plans to mitigate potential threats. Recent incidents, including ransomware attacks and foreign state-sponsored cyber threats, highlight the urgent need for water systems to bolster their cybersecurity defenses.
Pete Nicoletti, a global CISO at Check Point, emphasizes the significance of the situation, noting an increase in attacks against the water sector. He suggests strategies such as categorizing IoT device risks, limiting access to management and updates, and ruggedizing protection devices for field deployments. For utilities with limited resources, outsourcing security programs and using managed security services are recommended as proactive measures to address cybersecurity challenges effectively.