EPA Issues Alert After Finding Critical Vulnerabilities in Drinking Water Systems

EPA Issues Alert After Finding Critical Vulnerabilities in Drinking Water Systems

May 21, 2024 at 07:21AM

The US EPA issued an enforcement alert on safeguarding drinking water systems from cyber threats. Over 70% of water systems inspected do not comply with the Safe Drinking Water Act and have critical cyber vulnerabilities. Recommendations include reducing internet exposure, regular assessments, changing default passwords, and addressing vulnerabilities. The government is taking action to enhance system security.

Key takeaways from the meeting notes:

1. The US EPA has issued an enforcement alert outlining measures to safeguard drinking water systems against cyber threats.

2. Over 70% of water systems are not fully compliant with the Safe Drinking Water Act, with many having critical cyber vulnerabilities including default passwords and easily compromised authentication systems.

3. Top recommendations for system operators include reducing internet exposure, conducting regular assessments, changing default passwords, making IT and OT asset inventories, developing incident response plans, conducting awareness training, and addressing vulnerabilities.

4. The EPA will increase inspections and take civil and criminal enforcement actions as needed to ensure water systems comply with resilience vulnerability assessment and emergency response plan requirements.

5. The US government is taking action to enhance the security of critical water systems in response to recent cyberattacks, including publishing cybersecurity guidance and sanctioning state-sponsored threat actors.

6. Recent incidents in the water sector include ransomware attacks, Iran-linked hackers targeting industrial control systems, and Russia-linked hackers causing a water overflow in a Texas town.

7. Global CISO at Check Point, Pete Nicoletti, has observed attacks against the water sector and advises security executives to update their security programs, categorize IoT risks, manage IoT devices’ access, protect IoT devices, and consider outsourcing security programs and using managed security services.

8. For utilities with limited resources, outsourcing the security program and using managed security services are recommended by Nicoletti.

Let me know if you need further details or additional information.

Full Article