The Environmental Protection Agency (EPA) has released an enforcement alert, outlining the steps that vulnerable community drinking water systems must take in order to comply with cybersecurity standards set forth by the Safe Drinking Water Act. This alert is part of an ongoing effort to secure the United States’ critical infrastructure. Notably, an investigation by the EPA found that more than 70% of inspected water systems failed to fully comply with the Safe Drinking Water Act requirements. Furthermore, some of these systems have easily compromised cybersecurity vulnerabilities, such as default passwords and single logins. 

Security leaders weigh in 

Tom Kellermann, SVP of Cyber Strategy at Contrast Security:

“The safety of the U.S. water supply is in jeopardy. Rogue nation states are frequently targeting these critical infrastructures, and soon we will experience a life-threatening event. The administration must provide grants to bolster the cybersecurity of these utilities. If funding is lacking, forfeiture of cybercrime proceeds should be used to buttress the cybersecurity of critical infrastructures.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4:

“This is the umpteenth time the U.S. government has said the same thing. Will this time be any different? Probably not. I don’t see anything that makes this warning and recommendation any more likely to be fruitful than the previous hundred saying the same thing. Is there a person in the world working at any organization, much less a critical infrastructure plant, that doesn't know their job is to keep the bad hackers out? No. The problem obviously isn’t knowledge and awareness. The problem is in the doing. The problem is in the enforcement. The problem is in management and accountability. We keep treating cybersecurity as this serious thing that everyone should be concerned about, but in practice, it’s treated as a side-job nice-to-have. In nearly every organization you have some soul that really understands the problem and wants to keep the organization secure against the rest of the organization that just wants to do a particular job, cheaply and quickly as possible. And the latter side usually wins.”

“So, cybersecurity is drastically under-resourced, mismanaged and concentrates on the wrong things. As an example, social engineering is involved in 70% to 90% of all successful data breaches and unpatched software and firmware is involved in 33% of all successful breaches. Those two root causes are 90% to 99% of the risk in most environments, including water treatment plants, and yet no organization... no water treatment plant, spends even 5% of their IT resources to mitigate those two huge problems. It’s been this way for decades and it’s not changing now. It is this fundamental misalignment between how organizations are successfully attacked the most and how nearly every organization defends itself that allows hackers and malware to be so damaging. This isn’t a secret. Everyone knows it. It’s a mass delusion that we all understand. And, yet, after every successful compromise, the organization and media readily want to appoint the successful hacker as some uber, super-brilliant hacker that could overcome any defense. Nope, it’s almost never that. It’s hackers and their malware creations doing the same successful things they have done for over 30 years and us responding with the same distracted mitigations wondering why our misaligned defenses aren’t working better.” 

Eric Knapp, CTO of OT at OPSWAT:

“Recent threats, such as those from the Volt Typhoon group, have targeted weaknesses in critical infrastructure and OT environments, and we’ve seen CISA and the Five Eyes alliance issuing recent advisories about the dangers posed by this threat group and others targeting critical sectors. CISA and other U.S. government agencies discovered that these hackers’ access extended to the power grids, communications systems and water supplies for military bases within the U.S. and abroad, showing an even more dire need for these water utilities to improve their cyber resilience.  

“Water systems remain vulnerable for a few reasons, including outdated legacy systems, the use of interconnected networks, limited resources and even a lack of enforced regulations. While a new bill was proposed last month to establish a Water Risk and Resilience Organization that would develop risk and resilience standards specifically tailored for the water sector, we strongly recommend water utilities take immediate action to reduce vulnerabilities and chances of falling victim to a cyber incident. These include: 

• Changing default passwords
• Adopting standards applicable to other critical infrastructure and OT environments, such as NERC CIP
• Controlling peripheral media and securely manage the use of USBs, vendor laptops, and other devices entering critical environments
• Implementing data diodes or unidirectional security gateways to ensure one-way communication and data sharing
• Developing and maintaining comprehensive incident response plans
• Providing regular cybersecurity training.”