Cyberattacks on local water systems throughout the US are “growing in frequency and intensity,” the Environmental Protection Agency (EPA) said.
An alert issued by the EPA on Monday instructs officials running community water systems to ensure they comply with the Safe Drinking Water Act, which requires them to conduct risk assessments and emergency response plans, in light of the rise in cyberattacks.
“Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers,” the EPA wrote on Monday.
The agency said federal law enforcement agencies have issued warnings about water system attacks from the Iranian Government Islamic Revolutionary Guard Corps, as well as state-sponsored actors in Russia and China. Some foreign hackers may have already embedded themselves in water systems, waiting to strike, the EPA said.
“By working behind the scenes with these hacktivist groups, now these [nation states] have plausible deniability and they can let these groups carry out destructive attacks,” Dawn Cappelli, a cybersecurity expert with Dragos Inc, told the Associated Press.
Cyberattacks can disrupt the treatment, distribution, and storage of water, the EPA said. Hackers can also damage automatic pumps and alter the levels of chemicals to hazardous amounts.
Late last year, multiple community water utilities in the US were attacked by Iranian-backed hackers because they used an Israeli-made piece of equipment, federal investigators said. One of these water systems was in western Pennsylvania, serving just 22,000 people.
Meanwhile, in 2021 a cyberattack forced the suspension of operations on the Colonial Pipeline, a major US energy pipeline that transports 45 per cent of all fuel consumed on the East Coast.
The alert comes after the EPA found that 70 per cent of water systems inspected since September are out of compliance with “basic” requirements of the Safe Drinking Water Act.
“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” EPA Deputy Administrator Janet McCabe told the AP.