
EPA Issues Enforcement Alert on Water System Cyber Deficiencies — March 18, 2024

EPA warned drinking water utilities about cybersecurity gaps in March 2024. Their inspections found serious problems. If you are running water infrastructure, expect more regulatory attention on cyber.


High-level summary

On , the U.S. Environmental Protection Agency (EPA) released an enforcement alert detailing pervasive cybersecurity weaknesses discovered at community drinking water systems across the nation. The alert followed full inspections revealing critical gaps in basic security controls, prompting EPA to mandate swift corrective actions and coordinate with CISA for technical assistance to the water sector.

Inspection Findings

EPA inspectors identified systematic cybersecurity deficiencies across drinking water systems:

  • Default credentials: Many systems operated with factory-default usernames and passwords on industrial control systems and operational technology equipment.
  • Missing authentication: Multi-factor authentication was absent from remote access systems, leaving credentials as the sole barrier to unauthorized access.
  • Unpatched systems: Outdated Windows operating systems and SCADA software with known vulnerabilities remained in production without security updates.
  • Asset inventory gaps: Operators lacked complete inventories of connected systems, making full security assessment impossible.
  • Inadequate access controls: Role-based access controls were not implemented, with operators sharing credentials or having excessive privileges.
  • Missing incident response: Many systems lacked documented incident response procedures or had never tested their response capabilities.

Regulatory Context

The enforcement alert operates within EPA's existing regulatory authority:

  • Safe Drinking Water Act: EPA has authority to ensure public water systems provide safe drinking water, including from cybersecurity threats that could affect treatment or distribution.
  • America's Water Infrastructure Act (AWIA): Community water systems serving more than 3,300 people must conduct risk and resilience assessments covering cybersecurity and maintain emergency response plans.
  • Sanitary surveys: State primacy agencies conduct regular sanitary surveys that can include cybersecurity elements.
  • EPA enforcement authority: EPA can take enforcement action against systems failing to address significant security vulnerabilities.

Critical Infrastructure Context

The water sector faces unique cybersecurity challenges:

  • Sector fragmentation: Over 150,000 public water systems exist in the U.S., ranging from large urban utilities to small rural systems with limited resources.
  • Resource constraints: Many water systems operate with minimal IT staff and limited cybersecurity budgets.
  • Legacy technology: Operational technology equipment often has extended lifecycles, running outdated software without vendor security support.
  • Interconnection risks: Treatment and distribution systems now connect to corporate networks and the internet for remote monitoring and management.
  • Public health impact: Cyber attacks on water systems could affect treatment processes, chemical dosing, or distribution, potentially endangering public health.

Recent Threat Activity

The enforcement alert follows documented attacks on water infrastructure:

  • Oldsmar, Florida (2021): Intruders accessed the water treatment plant and attempted to increase sodium hydroxide levels to dangerous concentrations before an operator intervened.
  • Iranian-linked activity: CISA has documented Iranian cyber actors targeting water utilities through vulnerable programmable logic controllers.
  • Ransomware incidents: Multiple water utilities have experienced ransomware attacks affecting business systems and, in some cases, operational technology.
  • Nation-state reconnaissance: Intelligence agencies have warned of nation-state actors conducting reconnaissance against water infrastructure.

Required Corrective Actions

EPA expects water systems to address identified deficiencies:

  • Credential security: Immediately reset default passwords on all industrial control systems, HMIs, PLCs, and remote access equipment.
  • Multi-factor authentication: Deploy MFA on all internet-facing interfaces, remote access systems, and administrative accounts.
  • Patch management: Establish vulnerability management programs to identify and address security updates for operating systems and applications.
  • Asset inventory: Develop full inventories of IT and OT assets, including network diagrams and data flows.
  • Access controls: Implement role-based access controls limiting user privileges to minimum necessary for job functions.
  • Incident response: Develop and test incident response plans covering cyber attacks on operational technology.

AWIA Compliance Updates

Covered water systems must incorporate cybersecurity into AWIA requirements:

  • Risk and resilience assessments: Update assessments to specifically address cyber risks to monitoring, control, and treatment systems.
  • Emergency response plans: Include cyber incident response procedures, communication protocols, and recovery procedures in emergency plans.
  • Certification updates: Re-certify assessments and plans following significant changes or on required schedules.
  • Documentation: Maintain documentation of cybersecurity controls and testing for regulatory review.

Available Resources

EPA and partner agencies offer support for water system cybersecurity improvement:

  • CISA site assistance: Water systems can request free CISA cybersecurity assessments and technical assistance through regional coordinators.
  • WaterISAC: The Water Information Sharing and Analysis Center provides threat intelligence, alerts, and good practices for water sector cybersecurity.
  • NIST guidance: NIST SP 800-82 Rev. 3 provides detailed guidance for industrial control system security applicable to water treatment systems.
  • CISA CPGs: Cross-Sector Cybersecurity Performance Goals provide baseline security controls applicable to water systems.
  • State programs: Many state primacy agencies offer technical assistance and funding programs for water system security improvements.

Implementation Priorities

Water systems should prioritize remediation based on risk:

  • Immediate (30 days): Change default credentials, implement MFA on remote access, disable unnecessary internet exposure.
  • Short-term (90 days): Complete asset inventory, implement network segmentation, establish monitoring and logging.
  • Medium-term (6 months): Develop incident response plans, conduct security assessments, address legacy system vulnerabilities.
  • Ongoing: Maintain patch management, conduct regular assessments, train staff on security awareness.
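As an added illustration (not part of the EPA alert or any EPA tooling), the tiers above can be turned into a per-asset worklist by checking an inventory against the deficiencies listed earlier. The CSV column names, asset names, and the reading of "6 months" as 180 days are assumptions made for this sketch; the inventory itself is constructed.

```python
"""Triage a water-system asset inventory against this briefing's deficiency
list and remediation windows. All inventory data below is constructed."""
import csv
import io

# Constructed sample inventory; column names are assumptions, not an EPA format.
INVENTORY_CSV = """\
asset,type,zone,default_creds,remote_access,mfa,internet_facing,vendor_supported
plc-chlorine-01,PLC,ot,yes,no,no,no,yes
hmi-filter-02,HMI,,no,no,no,no,no
vpn-gw-01,remote-access,dmz,no,yes,no,yes,yes
eng-ws-03,workstation,it,no,yes,yes,no,yes
historian-01,server,ot,no,no,no,yes,no
"""

# (window in days, finding, predicate), following the briefing's priority tiers.
RULES = [
    (30, "default credentials in use", lambda a: a["default_creds"]),
    (30, "remote access without MFA", lambda a: a["remote_access"] and not a["mfa"]),
    (30, "internet-exposed; confirm the exposure is necessary",
     lambda a: a["internet_facing"] and a["type"] != "remote-access"),
    (90, "inventory record incomplete (no network zone)",
     lambda a: not a["zone"]),
    (180, "legacy system without vendor security support",
     lambda a: not a["vendor_supported"]),
]

def load_inventory(text):
    """Parse the CSV, converting yes/no columns to booleans."""
    return [{k: (v == "yes") if v in ("yes", "no") else v for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def triage(assets):
    """Return (days, asset, finding) tuples, most urgent first."""
    findings = [(days, a["asset"], text)
                for a in assets for days, text, check in RULES if check(a)]
    return sorted(findings)

def worklist(text=INVENTORY_CSV):
    """Load an inventory from CSV text and return its triaged findings."""
    return triage(load_inventory(text))

if __name__ == "__main__":
    for days, asset, finding in worklist():
        print(f"{days:>3} days  {asset:<16} {finding}")
```

An asset with no network zone recorded is itself a finding here, since an incomplete inventory is one of the deficiencies the inspections reported.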

Coordination Requirements

Effective remediation requires coordination across teams:

  • Engage state primacy agencies to understand compliance expectations and available support
  • Coordinate with vendors and integrators responsible for OT systems and SCADA equipment
  • Participate in WaterISAC information sharing and sector coordination
  • Report incidents to CISA and EPA as required by sector guidance

Closing analysis

The EPA enforcement alert signals increased regulatory attention to water sector cybersecurity following documented deficiencies and growing threats. Water systems must treat cybersecurity as a core operational requirement, implementing basic controls that protect treatment and distribution systems from compromise. The combination of regulatory pressure, available technical assistance, and sector-specific guidance provides water systems with both incentive and resources to improve their security posture.

