EPA Puts Teeth Into Water Sector Cyber Efforts

  /     /     /  
Publicated : 23/11/2024   Category : security


EPA Puts Teeth Into Water Sector Cyber Efforts


The agency plans to get more serious about enforcement as Iran and Russia step up the volume of cyberattacks on water systems nationwide.



Nearly 70% of the United States community drinking water systems fails to comply with the Safe Drinking Water Act, according to the Environmental Protection Agency (EPA) — including the cybersecurity standards that it lays out. New EPA enforcement plans aim to turn that around.
According to an
EPA alert
out this week, Russia and Iran in particular have stepped up cyberattacks on the nations water systems, to a point where additional action is critical. The agency pointed to a rash of critical cybersecurity vulnerabilities of concern, including default passwords that have not been updated and single logins that can easily be compromised.
The stakes are notably high. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts, the agency said.
In response, the EPA said it would increase the number of planned inspections to ensure that water systems are regularly assessing their cybersecurity resilience and developing emergency response plans. As part of the initiative, the EPA released its Top Actions for Securing Water Systems outline, which includes the following steps:
Reduce exposure to public-facing Internet
Conduct regular cybersecurity assessments
Change default passwords immediately
Conduct an inventory of OT/IT assets
Develop and exercise cybersecurity incident response and recovery plans
Backup OT/IT systems
Reduce exposure to vulnerabilities and conduct cybersecurity awareness training
The agency also said that its establishing a task force to identify additional near-term actions and strategies to reduce cyber-risk for water and wastewater systems nationwide; and, where appropriate, it also said it will take civil and criminal enforcement actions if systems dont get their acts together.
The alert is just the latest in a
series of alarms on water cyber safety sounded by the feds
in recent months, in response to attacks like
one last November
on the Municipal Water Authority of Aliquippa in Pennsylvania by an Iranian state-sponsored group called CyberAv3ngers. In its alert, the EPA didnt offer specifics of recent attacks, but noted that foreign governments have disrupted some water systems with cyberattacks and may have
embedded the capability to disable them
in the future.
The government, despite
anti-regulation pushback from water industry groups
, has also made moves like proposing $7.5 million in
new cybersecurity funding for rural water systems
.
Chris Warner, OT security strategist at GuidePoint Security, says that part of the persistent problem is that sector-specific cybersecurity expertise is hard to come by.
The challenge in the security of our water and wastewater facilities is a shortage of qualified OT security personnel, and IT security’s challenges in understanding the control systems that operate water systems pose significant challenges, he explains. To address these issues, forming cross-functional teams, collaborating with Critical Infrastructure Sector Liaisons, and building strong relationships with local law enforcement are crucial.
To address that specific need, the EPA said that its working with CISA to offer guidance, tools, training, resources, and technical assistance to help water systems harden their cyber postures. CISA in January also released an extensive,
27-page water sector-specific guide for cybersecurity
best practices.
Warner notes that its imperative that the feds continue to shine a spotlight and take an active role in water and wastewater cybersecurity.
These measures can enhance coordination, improve response times, and provide a comprehensive approach to securing water systems, he says. Without such mandates and collaborative efforts, the risk of attacks on critical infrastructure, including water and wastewater systems, increases significantly.

Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
EPA Puts Teeth Into Water Sector Cyber Efforts