EPA: “Alarming” gaps in cybersecurity for water providers

Public water providers in the Delaware River watershed and across the United States are being urged to ramp up their cybersecurity as critical infrastructure faces increasing threats from cyberattacks.

The U.S. Environmental Protection Agency last week issued an enforcement alert that said that more than 70 percent of public water systems inspected since September 2023 violated Safe Drinking Water Act requirements, with many showing “alarming” gaps in cybersecurity.

Buzz about cybersecurity has grown in the water and wastewater sectors over the past few years amid increasing cyberattacks on utilities.

If successful, a cyberattack could have extreme health and financial consequences on water customers.

Once a hacker gets into a water system, they could potentially turn pumps and motors on and off, alter chemical levels in drinking water to dangerous levels, and even plant software “bombs” that could disrupt the water system later.

The EPA said that most of the alarming cybersecurity vulnerabilities found included default passwords that hadn’t been changed, as well as single-factor log-ins for all staff and continued system access to former employees.

Cyberattackers come in many forms — from disgruntled former employees to nation-states, including China, Iran, North Korea and Russia. They have all been reported as using cyberattacks for political and social gain, according to the Cybersecurity and Infrastructure Security Agency. 

Ransomware — a malware designed to lock software users out of their computer systems until a ransom is paid — is the biggest tool hackers use to threaten critical infrastructure and businesses right now, said Kevin Morley, the manager of federal relations for the American Water Works Association.

Delaware River watershed

No publicly available reports of cyberattacks on water systems in the Delaware River watershed could be located. However, no centralized reporting system for cyberattacks currently exists for the water sector.

While water utilities in the watershed may have so far been spared, other agencies have not, including, for example, the Camden County Police Department in New Jersey, the Kent County government in Delaware, and hospitals in Delaware County and the Delaware County government in Pennsylvania.

More than 10 water utilities in the watershed that Delaware Currents contacted would not respond to questions about cybersecurity, with one saying it’d rather not weigh in given the “sensitive” nature of the questions. The Philadelphia Water Department said by phone that it would respond to emailed questions but then never did.

The federal Infrastructure Investment and Jobs Act in 2021 established the State and Local Cybersecurity Improvement Act, a $1 billion cybersecurity fund for states and tribes awarded over four years.

Two years into the program, more than $50 million has been allocated to the four Delaware River watershed states: Delaware has received $6.7 million; Pennsylvania, more than $15.6 million; New Jersey, $10.2 million; and New York, $17.3 million.

However, much of that funding has yet to be dispersed to water utilities. States have to form cybersecurity plans and committees to determine how the money will be distributed, and states like New York are just getting started. 

New Jersey is the only watershed state to start a dedicated state cybersecurity grant program for the water sector, the Safe Drinking Water Cybersecurity Grant Program.

The calls for increased cybersecurity come as U.S. water utilities face a crush of new federal regulations regarding the treatment of “forever chemicals” PFAS/PFOA, lead pipe replacement deadlines and higher costs for essential treatment.

Higher security through low tech

Morley said workforce constraints add another challenge to bulking up cybersecurity in the water sector, not to mention the growing “digital divide” between outdated legacy systems that run smaller plants.

Some water plants have been “stranded” on old technology platforms that are no longer supported, he said.

“Addressing this digital divide in a timely and thoughtful manner will require resources that, to date, have not been made available to the water sector,” Morley said. “The irony here is that, while there is much focus on the water sector as a national security priority, there has been a de minimis budgetary effort to support this need.”

The wastewater treatment plant in the village of Delhi in New York, which serves up to 6,000 people, runs on a computer system from 2002, according to the village’s wastewater operator, Nick Guth.

The system largely stays offline “to protect the system,” he said, though software is regularly updated. While some larger water systems allow employees to access their system remotely, Delhi employees can only access it if they’re physically at the plant.

That can mean making late-night visits to the plant when an alarm goes off, Guth said. But at a small facility, there’s a “huge advantage in security by staying offline,” he said.

Some larger facilities don’t have the option to stay low-tech.

“Many smaller systems are still largely manual operations with limited automation or connectivity, which makes them quite resilient from a cyber threat perspective,” Morley said. “However, certain water quality requirements demand complex treatment systems that necessitate automation, which can make them vulnerable to cyber threats, and manual control may not be an option or cannot be sustained for a significant period of time.”

The city of Newark, Del., has two water treatment plants serving about 40,000 customers.

The plants have both onsite and remote control, monitoring and alarm capabilities, according to Tim Filasky, director of the city’s Public Works and Water Resources Department.

He said the city’s IT division, which supports all of Newark’s critical infrastructure, “constantly monitors” the operating system, which is guarded with multi-factor authentication. Water department employees were required to complete a cybersecurity awareness training this year. 

Filasky said the city has invested $1 million in critical infrastructure operational technology and user training since 2022. Still, he said, funding for upgrades is “always a challenge.”

Pushback against federal regulations

As of now, there are no federal regulations on cybersecurity in the water sector.

The EPA released a rule in March 2023 requiring water utilities to evaluate their cybersecurity when performing routine sanitary surveys but the agency withdrew the rule in October after the attorneys general of three states — Arkansas, Iowa and Missouri — raised legal issues about the mandate.

The National Rural Water Association and the American Water Works Association joined the lawsuit, which claimed that the EPA’s rule imposed a financial burden on states and rural public water systems.

But in a separate approach, the White House released a National Cybersecurity Strategy in March 2023.

A proposed CISA rule would require certain critical infrastructure entities to report a cyber incident within 72 hours. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 required CISA to implement these rules. If implemented as proposed, CISA estimates the rule would cost around $2.6 billion over 11 years.

The agency is holding a public comment period on the proposed rules.