Cyber threats expected on water systems

March 5, 2026


The U.S. Environmental Protection Agency (EPA) is urging water systems to bolster their cybersecurity in the wake of U.S.-Israel strikes on Iran.

Iran-based entities targeted American water systems following the Oct. 7, 2023, attack by Hamas in Israel, and U.S. authorities caution that they may do so again.

“Iranian government–affiliated and aligned cyber actors have previously demonstrated the ability to exploit internet exposed operational technology devices at U.S. water and wastewater systems, in some cases forcing temporary reversion to manual operations and causing operational impacts,” notes an advisory from the EPA.

“EPA urges utilities to adopt a heightened security posture and promptly report suspicious activity to CISA (Cybersecurity & Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation),” the advisory continues.

AWWA’s updated cybersecurity resources offer guidance on implementing controls that maximize near-term risk reduction to help water systems build their cyber resilience. They are aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and associated standards.

Water systems of all types can enroll in CISA’s vulnerability scanning service to help identify weaknesses that an attacker may exploit among publicly accessible devices.

The EPA encourages all drinking water and wastewater utilities to immediately:

  • Avoid exposing operational technology to the internet.
  • Replace all default passwords.
  • Implement multifactor authentication for all devices.

The agency also recommends additional actions in this factsheet.
