Join Contact

Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities

EPA Increases Enforcement Activities to Ensure Drinking Water Systems Address Cybersecurity Threats

This Enforcement Alert provides community water systems (CWSs) with information on immediate steps they can take to ensure compliance with SDWA Section 1433 and to reduce cybersecurity vulnerabilities.

Cyberattacks against CWSs are increasing in frequency and severity across the country. Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.

Implementing basic cyber hygiene practices can help your utility prevent, detect, respond to, and recover from cyber incidents. Because water utilities often rely on computer software to operate their treatment plants and distribution systems, protecting information technology and process control systems from cyberattacks is vital. Small water systems are not immune from cyberattacks. Recently, disruptive cyberattacks from adversarial nation states have impacted water systems of all sizes, including many small systems. As a result of these increased threats, EPA is increasing its enforcement activity to protect our nation’s drinking water.

Section 1433 of the Safe Drinking Water Act (SDWA) requires all CWSs serving more than 3,300 people to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs) and certify their completion to EPA. Additionally, systems must review their RRA and ERP every five years, revise them if necessary, and certify completion of these steps to EPA. These assessments and plans help water systems to evaluate and reduce risks from both physical and cyber threats.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency, EPA, and other federal entities have issued numerous advisories for cyberattacks against information networks and process control systems at water and wastewater systems by nation state organizations. Foreign governments have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.

Utilities can find helpful information on cyber risks and available resources to assist CWSs from EPA's Cybersecurity for the Water Sector web page and the joint EPA and CISA Water and Wastewater Cybersecurity website.

EPA Inspections Identify Alarming Vulnerabilities

Over 70% of the systems inspected by EPA since September 2023 are in violation of basic SDWA 1433 requirements including missing specific sections of the RRA and ERP. When on site, EPA inspectors have identified alarming cybersecurity vulnerabilities at drinking water systems across the country and taken actions to address them. For example, some water systems failed to change default passwords, use single logins for all staff, or failed to curtail access by former employees. EPA also has found instances of inadequate RRAs and/or ERPs because analysts did not, for example, include an assessment of the resilience of systems or strategies and resources to improve the resilience of the cybersecurity of those system. These failures involve potential violations of 1433 and miss an opportunity to safeguard operations through the RRAs and ERPs.

As part of EPA’s multi-year drinking water National Enforcement and Compliance Initiative, Increasing Compliance with Drinking Water Standards, inspectors are assessing CWS compliance with SDWA Section 1433. Given the vulnerabilities and attacks on systems, EPA also will increase the number of CWS inspections that focus on cybersecurity. Where vulnerabilities are identified and may present an imminent and substantial endangerment to public health, enforcement actions may be appropriate under SDWA Section 1431 to mitigate those risks.

EPA is Increasing Inspections and Enforcement

EPA has taken over 100 SDWA enforcement actions nationally against CWSs for violations of Section 1433 since 2020, which was the first deadline for systems to develop and update their RRAs and ERPs. These enforcement actions have been based on various findings, including failure to certify, and not addressing the statutorily required elements in the RRAs and ERPs, which include looking at cyber threats. As EPA steps up inspections, the Agency intends to use enforcement authorities to address problems quickly, that it observes in the field such as failure to prepare adequate RRAs and ERPs (SDWA, Section 1433). EPA has a range of enforcement options available, including emergency powers (SDWA Section 1431, 42 U.S.C. § 300i) and criminal sanctions (pursuant to 18 U.S.C. Section 1001 for knowingly and willfully providing false certifications).

There are many resources available to assist utilities with making these essential changes. Visit EPA’s Office of Water website for information and resources for water and wastewater systems related to cybersecurity.

Disclaimer: This Enforcement Alert addresses select provisions of the Safe Drinking Water Act using plain language. Nothing in this Enforcement Alert is meant to replace or revise any applicable permit, any EPA regulatory provision, or any other part of the Code of Federal Regulations, the Federal Register, or the Safe Drinking Water Act.

Mass Rural Water Association

781 Millers Falls Road, Northfield, MA 01360

Phone: 413-498-5779

Fax: 413-498-9943