No Idle Threat: Cyber Attacks and the U.S. Water Supply

By Walter Pincus

Pulitzer Prize-winning journalist Walter Pincus is a contributing senior national security columnist for The Cipher Brief. He spent forty years at The Washington Post, writing on topics that ranged from nuclear weapons to politics. He is the author of Blown to Hell: America's Deadly Betrayal of the Marshall Islanders. Pincus won an Emmy in 1981 and was the recipient of the Arthur Ross Award from the American Academy for Diplomacy in 2010. He was also a team member for a Pulitzer Prize in 2002 and the George Polk Award in 1978.

OPINION — “The water sector faces increasing cybersecurity-related risk. While national reporting requirements for cyber incidents are being developed, known incidents have disrupted water sector operations. Nations (including Iran and China), cybercriminals, and others have targeted [U.S.] water systems. For example, foreign hackers targeted multiple water systems in late 2023. Cyber attacks threaten public health, the environment, and other critical infrastructure sectors.”

That’s from a Government Accountability Office (GAO) report released August 1, entitled “Environmental Protection Agency (EPA) Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems.”

This does not involve an idle threat.

As The Cipher Brief has reported, in March National Security Advisor Jake Sullivan and EPA Administrator Michael Regan wrote to the governors of all 50 states to warn that “disabling cyber attacks are striking water and wastewater systems throughout the United States,” and to request their “partnership on important actions to secure water systems against the increasing risks from and consequences of these attacks.”

They used as an example the People’s Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon, which they said “has compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories.”

The recent GAO report noted that Volt Typhoon had hacked into computer systems in the water sector as part of a broader plan to preposition itself to carry out cyber attacks in the event of a major crisis or conflict with the U.S. that would disrupt water supplies and wastewater management.

The FBI says it has ended that particular Volt Typhoon threat, but I believe this is a situation that should have greater public attention because, as the GAO report said, “Although there is not yet comprehensive data on cyber incidents affecting the water sector or consequences of these incidents, future incidents could have serious consequences.”

Public health could be involved because, the GAO pointed out, “Drinking water contamination or wastewater degradation can be harmful to human, animal and environmental health…[and] result in the need for individuals to access alternate water supplies or localities to issue public notices to boil water.”

It could also result in panic and a loss of public trust because “as a critical element for life, disruptions to the water supply may threaten a community’s stability,” the GAO report said, adding, “Many other critical infrastructure rely on water and wastewater for their operations,” citing hospitals and schools as just two examples.

Who’s in charge?

One may ask: Why is the EPA in charge of the water sector’s cybersecurity?

In 2013, during the Obama administration, Presidential Policy Directive 21 established national policy on critical infrastructure security and resilience, and it named the EPA as the agency in charge of the water and wastewater sectors.

In 2018, amendments under America’s Water Infrastructure Act required community water systems serving more than 3,300 people to prepare or revise risk assessments that included cybersecurity, and to certify to the EPA that this work had been completed.

However, as the GAO found, the EPA has for several reasons fallen behind in developing a national cybersecurity strategy for the water and wastewater sector.

EPA officials told the GAO “they have assessed threats, vulnerabilities, and consequences, but have not integrated this work in a comprehensive assessment. Without a risk assessment and strategy to guide its efforts, EPA has limited assurance its efforts address the highest risks.”

One reason for the delay is the number of separate water and wastewater systems that exist in the U.S. — over 153,000 public drinking water systems and 16,500 public wastewater systems — and each is governed by multiple federal, state, and local authorities responsible for public health, environmental protection, and security measures.

Then there are questions as to whether the EPA has the legal authority to collect information about — and establish requirements for — cybersecurity in these systems. In early 2023, when the EPA attempted to require cybersecurity assessments, the agency faced legal challenges and withdrew the requirement.

“EPA has considered threats, vulnerabilities, and consequences independently through various efforts, such as the voluntary vulnerability assessments it conducts for water and wastewater systems, but it has not integrated this information into a comprehensive sector-wide risk assessment,” the GAO report said.

EPA officials told the GAO last month that “they have evaluated their authorities and would release the evaluation in 2025 with their risk assessment and strategy.”

The GAO report found that “a number of factors have made water and wastewater systems more vulnerable to cyber attacks. These include increased connections between operational technologies and internet-enabled devices, increased automation and remote access capabilities, and operational and IT systems that are not properly separated by firewalls or other protections.”

The GAO also said that adding remote access capabilities to treatment or pump operations allows operators to respond remotely to alarms or make adjustments to water processes — actions that previously had to be done manually. Vendors and other third-party contractors also rely on remote access to perform system maintenance and apply updates to water systems.

In light of these increased cybersecurity threats and vulnerabilities, the EPA stated in a May 2024 enforcement alert that it planned to increase its inspection and enforcement activity at drinking water systems after finding over 70 percent of the systems it had inspected since September 2023 were in violation of basic requirements.

Among cybersecurity vulnerabilities EPA inspectors found were water systems that had failed to change default passwords, used single logins for all staff, or failed to curtail access by former employees.
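The three findings the EPA inspectors reported (default passwords, shared logins, lingering access for former employees) are the kind of thing a utility can check for itself on a schedule. The script below is an added example; it is not from the GAO report, the EPA, or this column. The account inventory, the HR roster and the default-password list are constructed placeholders, and a real utility would pull them from its control-system user store and HR records rather than hard-coding them.

```python
"""Account-hygiene audit for a small utility's control-system logins.

Added example (not from the GAO report or the EPA). Flags the three
weaknesses EPA inspectors cited: default passwords, logins shared by
several people, and enabled accounts still held by former employees.
It also flags accounts nobody has used recently, since those are the
ones most often left behind after staff turnover.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Set, Tuple

# Constructed placeholder list of vendor default passwords; a real audit
# would use the defaults documented for the specific HMI/SCADA products
# in service.
DEFAULT_PASSWORDS: Set[str] = {"password", "admin", "1234", "default"}


@dataclass
class Account:
    username: str
    password: str        # plaintext only because this inventory is constructed
    holders: List[str]   # people known to use this login
    enabled: bool
    last_login: date


# Constructed HR roster of current staff (assumption for the example).
ACTIVE_STAFF: Set[str] = {"alice", "bob", "carol"}

# Constructed account inventory exhibiting each weakness once.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("admin", "admin", ["alice"], True, date(2024, 7, 30)),
    Account("operator", "Tr3atment!", ["alice", "bob", "dave"], True, date(2024, 7, 31)),
    Account("carol", "c0rrect-h0rse", ["carol"], True, date(2024, 7, 29)),
    Account("dave", "s3cret!", ["dave"], True, date(2024, 3, 1)),
]


def audit_accounts(accounts: List[Account],
                   active_staff: Set[str] = ACTIVE_STAFF,
                   today: date = date(2024, 8, 1),
                   stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every weakness detected."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        # Vendor default still in place.
        if acct.password.lower() in DEFAULT_PASSWORDS:
            findings.append((acct.username, "default-password"))
        # One login used by several people: no individual accountability.
        if len(acct.holders) > 1:
            findings.append((acct.username, "shared-login"))
        # Anyone holding the login who is no longer on the roster.
        if acct.enabled and any(h not in active_staff for h in acct.holders):
            findings.append((acct.username, "former-employee-access"))
        # Enabled but unused for longer than the policy window.
        if acct.enabled and (today - acct.last_login).days > stale_days:
            findings.append((acct.username, "stale-account"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> dict:
    """Count findings per category for a one-line report."""
    counts: dict = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS)
    for user, kind in results:
        print(f"{user:10s} {kind}")
    print(summarize(results))
```

Run against the constructed inventory, the audit flags the `admin` login for its default password, the shared `operator` login both for being shared and for including a departed employee, and `dave` for being a former employee whose account is still enabled and unused for five months; `carol` produces no findings. The roster comparison is the piece most worth automating, because it is the check that silently goes stale every time someone leaves.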

More recently, the GAO said water systems “reported that it was even more difficult to hire and retain staff with specialized cybersecurity experience and skills. While the largest and most technologically advanced water and wastewater systems may employ cybersecurity professionals…small- and medium-sized systems generally do not because they reported being uncertain they needed such staff or were unable to provide competitive pay to recruit and retain staff. Water and wastewater systems therefore rely on operators with little or no cybersecurity expertise, or they outsource security to potentially expensive external contractors, according to officials we interviewed.”

In addition, the GAO found “that water and wastewater systems tended to use older operational and IT systems that can be difficult to update as they age.” One official told the GAO that “some of the older technologies, such as legacy control systems, are still reliable but not easy to change. Therefore, some operators prefer not to install updates that could disrupt their legacy technologies’ performance and cause interruptions to operations.”

Water systems typically prioritize upgrades to comply with federal requirements under the Clean Water Act, which can include identifying and replacing lead pipes and preparing to manage contaminants. Systems must also contend with the costs of routine maintenance on aging systems and budget funds for emergency repairs.

Some officials at water systems told the GAO “that it can be difficult or impossible to expand their budgets for cybersecurity because their income is derived from rate-paying customers who may face financial hardship when rates increase. Declining populations may also make rate increases untenable for some systems.”

All this adds up to an explanation for why the EPA is struggling to meet its cybersecurity goals.

In August 2023, the EPA announced its Fiscal Year 2024-2027 National Enforcement and Compliance Initiative (NECI), which listed the top six most serious national priorities for its Office of Enforcement and Compliance Assurance. Cybersecurity was not one of them.

EPA officials told the GAO that the NECI has an objective to achieve 100 percent compliance with the risk assessment and emergency response plans under a section of the 2018 Safe Water and Drinking Act, which requires that “each community water system serving a population of greater than 3,300 persons shall conduct an assessment of the risks to, and resilience of, its system. Such an assessment…shall include an assessment of the risk to the system from malevolent acts and natural hazards…”

However, the GAO reported, “EPA has not identified cybersecurity goals or objectives; how its activities help achieve those objectives; or the priorities, milestones, and performance measures needed to gauge results.”

Goals are fine. Meeting them is something else.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. 

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
