The Environmental Protection Agency (EPA) has urgently called for water utilities across the United States to bolster their cybersecurity measures. This action follows an alarming report revealing that 70% of the nation's water systems inspected fail to meet the Safe Drinking Water Act's standards, largely due to outdated cybersecurity practices. Critical vulnerabilities identified include the use of default passwords and single-user logins, which could easily be compromised.

The EPA's enforcement alert underscores the potential dangers of cyberattacks on water systems, including disruptions to water treatment and storage facilities, damage to infrastructure like pumps and valves, and dangerous alterations of chemical levels. According to EPA Deputy Administrator Janet McCabe, many systems lack adequate risk assessments of their vulnerabilities, including cybersecurity threats, which are crucial for informing operational and security strategies.

The agency's announcement also highlighted past cybersecurity incidents involving foreign interference. Groups from China, Russia, and Iran have previously executed cyberattacks on U.S. water systems, with some attempts aimed at embedding capabilities to disable these systems in the future. Notable incidents include attacks by Iranian-linked "Cyber Av3ngers," which targeted a small water provider in Pennsylvania, and Russian-affiliated hackers who attempted to disrupt several utilities in Texas. Additionally, a Chinese-linked group, "Volt Typhoon," has been reported to compromise critical infrastructure, intensifying the need for robust cybersecurity measures.

In response to these threats, the EPA has initiated several measures to support water utilities. The agency plans to offer free training to help utilities enhance their cybersecurity frameworks and address the identified gaps in their current systems. Moreover, the EPA is pushing for utilities to move away from default settings, urging the development of comprehensive risk assessment plans that include cybersecurity considerations.

The complexity of overhauling utility systems to withstand cyber threats is significant, particularly for the approximately 50,000 community water providers across the U.S. Many of these utilities operate with limited staff and budgets, focusing primarily on meeting basic operational requirements like clean water provision and regulatory compliance. Amy Hardberger, a water expert at Texas Tech University, noted that these utilities are now required to develop capabilities in areas outside their primary expertise, such as cybersecurity, which could strain their limited resources.

Kevin Morley, manager of federal relations with the American Water Works Association, emphasized that updating these systems is both arduous and expensive. He advocated for substantial federal funding to develop the necessary resources to combat and mitigate cyberattacks effectively. Morley stressed the importance of accommodating the unique needs and capacities of both small and large water companies as these cybersecurity measures are implemented.

As the threat landscape evolves, the EPA's proactive stance aims to safeguard one of the nation's most critical infrastructures against emerging cyber threats, ensuring the safety and reliability of public water supplies.