US Government's Water Supply Warning, Explained

The federal government issued a stern warning to municipal agencies regarding their water supplies and cybersecurity.

The U.S. Environmental Protection Agency (EPA) revealed last month that there has been an increase in cyberattacks on drinking water facilities throughout the U.S. The agency published an "Enforcement Alert" meant for municipal water systems operators, saying that it will be cracking down on certain laws to ensure that drinking water is safe from foreign attackers. The EPA's data shows that many local agencies aren't keeping up with security protocols.

The Enforcement Alert is addressed to the managers of "community water systems," or "CWSs," saying: "Cyberattacks against CWSs are increasing in frequency and severity across the country. Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts."

The EPA hopes to implement preventative solutions – primarily bolstering cybersecurity throughout the U.S. The alert asks CWSs to focus on "basic cyber hygiene" so they can "prevent, detect, respond to, and recover from cyber incidents." Specifically, that means enforcing a certain portion of the Safe Drinking Water Act (SDWA) which describes the correct procedures for risk assessment and emergency response planning.

While much of the alert is addressed to CWSs and written in professional jargon, it will undoubtedly be interesting to everyday citizens as well. It says that "water utilities often rely on computer software to operate their treatment plants and distribution systems." It goes on: "Recently, disruptive cyberattacks from adversarial nation states have impacted water systems of all sizes, including many small systems."

The specific law that the EPA is trying to enforce here mandates that CWSs submit their own risk assessment and emergency response plan and then review them every five years. However, a survey in September of 2023 found that 70 percent of the CWSs inspected were not up to date on those inspections. Meanwhile, several government agencies have found evidence of cyber attacks on CWSs, including attacks they believe were sponsored by the governments of Russia, Iran and China.

This alert warns that the EPA will be enforcing these inspection requirements more frequently. For average citizens, this alert may also be a good starting point for those interested in getting involved with their local water safety. There is more detailed information and helpful links available on the EPA's Office of Water website.