
Cybersecurity · Credibility 90/100 · 2 min read

EPA Issues Enforcement Alert on Water System Cyber Deficiencies — March 18, 2024

The Environmental Protection Agency warned drinking water systems to fix cybersecurity lapses after nationwide inspections uncovered critical gaps.

Executive briefing: The U.S. Environmental Protection Agency (EPA) released an enforcement alert detailing pervasive cybersecurity weaknesses at community drinking water systems. EPA inspectors observed missing asset inventories, default passwords, and unpatched remote access services, prompting the agency to mandate swift corrective actions and coordinate with CISA for technical assistance.

Key findings

  • Basic security controls absent. Many systems lacked multifactor authentication, role-based access, or documented incident response procedures for their industrial control systems.
  • Patch management failures. EPA cited outdated Windows operating systems and supervisory control and data acquisition (SCADA) software exposing known CVEs.
  • Training gaps. Operators often had no cybersecurity awareness training, leaving phishing and credential theft risks unmitigated.

Control alignment guidance

  • America’s Water Infrastructure Act (AWIA). Update risk and resilience assessments and emergency response plans to cover the deficiencies outlined in the alert.
  • CISA Water and Wastewater CPGs. Benchmark current safeguards against the cross-sector performance goals and request CISA site assistance where gaps persist.
  • NIST SP 800-82 Rev. 3. Apply the guide’s OT configuration baselines to remote telemetry and programmable logic controllers supporting water treatment.

Operational recommendations

  • Conduct immediate credential resets and MFA deployment on internet-facing interfaces, prioritizing remote terminal units and engineering workstations.
  • Establish an asset inventory and vulnerability management program capable of identifying unsupported operating systems and firmware.
  • Coordinate with state primacy agencies and WaterISAC to share threat intelligence and remediation progress.