{"id":17800,"date":"2024-05-30T10:56:03","date_gmt":"2024-05-30T14:56:03","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=17800"},"modified":"2025-07-17T10:41:53","modified_gmt":"2025-07-17T14:41:53","slug":"epa-7-in-10-us-community-water-systems-at-risk-cyber-attacks","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/epa-7-in-10-us-community-water-systems-at-risk-cyber-attacks\/","title":{"rendered":"EPA: 7 in 10 U.S. Community Water Systems Are at Risk of Cyber Attacks"},"content":{"rendered":"\n

Since 2020, the U.S. Environment Protection Agency (EPA) has doled out more than 100 enforcement actions against community water systems (CWS) across the U.S. for violations of the Safe Water Drinking Act.<\/h2>\n\n\n\n

Securing the nation\u2019s approximately 153,000 publicly owned and operated drinking water systems and 16,000 wastewater systems<\/a> is a responsibility that shouldn\u2019t be taken lightly. However, the majority (70%) of community water systems inspected since September 2023<\/a> don\u2019t even meet the baseline security requirements outlined in the Safe Water Drinking Act (SWDA). That\u2019s why the EPA issued an enforcement alert<\/a> outlining the urgency of complying with the SWDA.<\/p>\n\n\n\n

Gee, that\u2019s comforting, particularly when you consider that cyber attacks against U.S. water and wastewater systems are on the rise. We saw evidence of that this year when cybercriminals attacked a small Texas town\u2019s water facility<\/a>, causing a tank to overflow.<\/p>\n\n\n\n

What can these community water systems (and other critical infrastructure organizations) do to harden their defenses against potential cyber attacks and avert disaster?<\/p>\n\n\n\n

Let\u2019s hash it out.<\/span><\/p>\n\n\n\n

Compare IoT Device Certificates<\/a><\/div>\n\n\n\n

What Threats Against a Public Water Utility Look Like<\/h2>\n\n\n\n

Eric Goldstein, Executive Assistant Director for Cybersecurity at Computer Information Security Agency (CISA), described Water and Wastewater Systems (WWS) as being \u201ctarget rich, cyber poor.\u201d<\/a> This is because subsets of these systems (called community water systems) supply potable water to an estimated 80% of the nation\u2019s population. If something were to happen to this critical infrastructure<\/a>, we\u2019d be up an aptly named brown creek without a paddle.<\/p>\n\n\n\n

What sorts of issues or concerns could arise from a cyber attack against public drinking water and wastewater systems? According to the Computer Information Security Agency (CISA)<\/a>:<\/p>\n\n\n\n

\n

“The Water and Wastewater Systems Sector is vulnerable to a variety of attacks, including contamination with deadly agents; physical attacks, such as the release of toxic gaseous chemicals; and cyberattacks. The result of any variety of attack could be large numbers of illnesses or casualties and\/or a denial of service that would also impact public health and economic vitality.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n

Even seemingly unrelated international events can spill over and directly impact our water supply. Just look at the sanctions that were placed on Iranian officials<\/a> after a government-sponsored militia group launched a cyber attack on a water authority in western Pennsylvania. <\/p>\n\n\n\n

According to the BBC, the facilities used technologies manufactured by an Israeli company. How\u2019d they do it? By exploiting a default password to disable a water pressure regulation monitor. (We\u2019ll speak more about default password security concerns later.)<\/p>\n\n\n\n

Thankfully, in this situation, plant managers were able to manually override the attackers before something worse happened. But that may not always be the case in future attacks.<\/p>\n\n\n\n

What a Suspected Real-Life Cyber Attack on a Water Treatment Facility Looks Like<\/h3>\n\n\n\n

In February 2021, we wrote about how a hacker breached a Florida water treatment plant<\/a>. At the time, it was widely reported that an unknown assailant remotely tampered with the lye levels in the water (which, when used at proper levels, is used for cleaning and pH balancing), raising them to unsafe levels from 100 parts per million to 11,100 ppm. This would cause a wide array of harmful to potentially catastrophic injuries<\/a> \u2014 deadly gastrointestinal issues, hair loss, skin damage, etc.<\/p>\n\n\n\n

Needless to say, the news spread like wildfire, making international headlines<\/a>. The good news here is that the plant employee reportedly observed the level of the caustic chemical skyrocketing to dangerously high levels and changed it back before anyone got hurt. But the situation doesn\u2019t end there. In April 2023, CyberScoop reported<\/a> that authorities were on the fence about whether an attacker was responsible for the situation after all. They\u2019re still not certain about the cause of the incident. <\/p>\n\n\n\n

Whether that situation resulted from a hacker or an overzealous employee, the point is that if it was<\/em> a hacker, then it could be just one of many water treatment plants that are viewed as being at risk of cyber attacks.<\/p>\n\n\n\n

Breaking Down the Risks to the Nation\u2019s Critical Infrastructure Sectors<\/h2>\n\n\n\n

Some good news for the Water and Wastewater Sector is that it ranked among the lowest in 2023 regarding reported ransomware attacks. Yup, it\u2019s not even in the top 10. The FBI\u2019s Internet Crime Complaint Center (IC3) team reported in its 2023 Internet Crime Report<\/a> that of the 1,193 complaints received in that period, \u201conly\u201d 8 affected Water and Wastewater Systems (WWS).<\/p>\n\n\n\n

Granted, this number is more than double what it was in 2022. But it\u2019s still relatively minor when compared to, say, the Healthcare and Public Health Sector and Critical Manufacturing Sector data shared by the FBI\u2019s Internet Crime Complaint Center (IC3) in its 2021, 2022, and 2021 Internet Crime Reports:<\/p>\n\n\n\n

\"FBI
Graph caption: Data collected from the FBI IC3\u2019s Internet Crime Reports (<\/em>2021<\/em><\/a>, <\/em>2022<\/em><\/a>, and 2023). Two sectors (Dams Sector and Nuclear Reactors, Materials, and Waste)<\/em> were not included on this list<\/em>, as this list focuses on the 14 critical infrastructure sectors that had \u201cat least 1 member that fell to a ransomware attack\u201d in each of the three reporting years<\/em>.<\/figcaption><\/figure>\n\n\n\n

So, even though Water and Wastewater Systems rank near the bottom of the list for reported ransomware incidents, there are other methods of attack that bad guys can employ. They’re essential systems that consumers and businesses across the country rely on every day and must be protected at any cost.<\/p>\n\n\n\n

What Makes Water Systems Vulnerable? Insecure IT and IoT<\/h2>\n\n\n\n

The security of WWS IT infrastructure and systems often depends on how organizations use and (don\u2019t) secure their connected technologies.<\/p>\n\n\n\n

How Water Utilities Are Using IoT and OT<\/h3>\n\n\n\n

U.S. drinking water and wastewater systems often rely on a web of Internet of Things (IoT) and operational technology (OT) devices. These tools help reduce operational costs, increase efficiency, and improve monitoring (e.g., to keep an eye on water quality levels and identify leaks more quickly).<\/p>\n\n\n\n

But what do some of these systems entail? Several Polish researchers compiled a summary list of common IoT technologies you\u2019ll find in water quality systems<\/a>, which include:<\/p>\n\n\n\n