
Pennsylvania legislator proposes legislation to enhance cyber support for local water infrastructure by a factor of two.

Rising ransomware and state-sanctioned assaults on American water facilities prompt the introduction of new legislation.



Community-based water systems in the United States are facing increasing cybersecurity challenges, particularly from nation-state actors and sophisticated threats. In response, recent legislation and federal initiatives have outlined measures and best practices to enhance cybersecurity.

The Environmental Protection Agency (EPA) plays a key role in this regard, overseeing compliance with Section 1433 of the Safe Drinking Water Act (SDWA). However, a 2024 EPA report revealed that over 70% of inspected systems were in violation, underscoring the need for greater focus on core security requirements.

The Cybersecurity and Infrastructure Security Agency (CISA) also provides guidelines and resources for water utilities to improve their cybersecurity posture. These resources emphasise the importance of risk assessments, incident response planning, and regular cyber hygiene practices such as patching, network segmentation, and access controls.

Collaboration between IT and OT teams is also crucial for maintaining security and operational continuity. This includes training employees to recognise cybersecurity risks such as phishing attempts and unauthorised access.

Recent threats have highlighted the importance of securing critical infrastructure against easily exploitable vulnerabilities. For instance, a discovery by Censys revealed hundreds of exposed web-based Human-Machine Interfaces (HMIs) for U.S. water facilities. Such vulnerabilities can be exploited by cybercriminals, as demonstrated by the Iranian-backed cyberattacks that have targeted U.S. water utilities.

In response, federal agencies have issued advisories warning of potential attacks and recommended proactive security measures. For example, Rep. Chris Deluzio, a Democrat from Pennsylvania, is sponsoring the Water Authority Cybersecurity Protection Act, which proposes tactics such as ending reliance on default passwords, removing devices from the open internet, and using multifactor authentication. The bill also aims to double cyber resilience funding for local water utilities.
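The three measures the bill names (no default passwords, no devices on the open internet, multifactor authentication), together with the patching and segmentation hygiene CISA recommends, can be turned into a repeatable self-audit over a utility's asset register. The following is an added example written for this article, not code from the bill, the EPA or CISA; the inventory records, their field names and the 365-day firmware threshold are constructed assumptions about what a small utility might track.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample asset register (hypothetical devices, not from the article).
# Field names are assumptions about what a utility's inventory might record.
INVENTORY = [
    {"name": "hmi-plant-1", "zone": "ot", "internet_exposed": True,
     "default_creds": True, "remote_access": "direct", "mfa": False, "firmware_age_days": 900},
    {"name": "plc-chlorine", "zone": "ot", "internet_exposed": False,
     "default_creds": False, "remote_access": "vpn", "mfa": False, "firmware_age_days": 120},
    {"name": "hmi-pump-2", "zone": "corporate-it", "internet_exposed": False,
     "default_creds": False, "remote_access": "vpn", "mfa": True, "firmware_age_days": 30},
    {"name": "scada-gw", "zone": "ot", "internet_exposed": False,
     "default_creds": False, "remote_access": "none", "mfa": False, "firmware_age_days": 200},
]

# Constructed threshold: firmware older than this is treated as unpatched.
MAX_FIRMWARE_AGE_DAYS = 365


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str
    detail: str


def audit_asset(asset: dict) -> list[Finding]:
    """Check one OT asset against the bill's three measures plus CISA's hygiene items."""
    findings = []
    name = asset["name"]
    # Measure 1: no reliance on vendor default passwords.
    if asset["default_creds"]:
        findings.append(Finding(name, "default-credentials", "vendor default password still in use"))
    # Measure 2: no OT device reachable from the open internet.
    if asset["internet_exposed"]:
        findings.append(Finding(name, "internet-exposure", "device reachable from the open internet"))
    # Measure 3: MFA on every remote path; a device with no remote access needs none.
    if asset["remote_access"] != "none" and not asset["mfa"]:
        findings.append(Finding(name, "missing-mfa", f"{asset['remote_access']} remote access without MFA"))
    # CISA hygiene: OT assets belong in a segmented OT zone, not the corporate IT network.
    if asset["zone"] != "ot":
        findings.append(Finding(name, "flat-network", f"OT device sits in zone '{asset['zone']}'"))
    # CISA hygiene: patching; stale firmware is a proxy when no CVE feed is wired in.
    if asset["firmware_age_days"] > MAX_FIRMWARE_AGE_DAYS:
        findings.append(Finding(name, "stale-firmware", f"firmware {asset['firmware_age_days']} days old"))
    return findings


def audit_inventory(inventory: list[dict]) -> list[Finding]:
    """Run every asset through the checks and flatten the results."""
    return [f for asset in inventory for f in audit_asset(asset)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per control so the most common gap is visible at a glance."""
    return dict(Counter(f.control for f in findings))


def critical_assets(findings: list[Finding]) -> list[str]:
    """Assets that combine default credentials with internet exposure: the pairing
    behind the HMI incidents the article describes, so they go to the top of the list."""
    by_asset: dict[str, set[str]] = {}
    for f in findings:
        by_asset.setdefault(f.asset, set()).add(f.control)
    return sorted(a for a, c in by_asset.items()
                  if {"default-credentials", "internet-exposure"} <= c)


if __name__ == "__main__":
    results = audit_inventory(INVENTORY)
    for f in results:
        print(f"{f.asset:14} {f.control:20} {f.detail}")
    print("summary:", summarize(results))
    print("fix first:", critical_assets(results))
```

Running it prints six findings for the constructed register and names `hmi-plant-1` as the asset to fix first. Replacing `INVENTORY` with a loader for the utility's real asset list (CSV export, CMDB query) is the only change needed to use it as a quarterly check.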

The bill was unveiled on Friday, March 24, 2023, and follows a series of high-profile attacks against water systems in the U.S., such as the attack on the Municipal Water Authority of Aliquippa, Pennsylvania, which targeted Unitronics PLCs.

Last week, the EPA and CISA released a joint fact sheet for the water utility sector, emphasising the risks posed by internet-exposed HMIs. The funding from the bill will be used to help community-based water systems design programs for emergency response.

The proposed legislation authorises $25 million in funding over two years, and the Water Authority Cybersecurity Protection Act addresses the water sector's need for resources and training to build cyber resilience. An investigation by the Environmental Protection Agency's inspector general, released in November, found that more than 300 water utilities had vulnerabilities that increase their risk of being hacked.

Earlier this month, Minnesota-based Kurita America disclosed that it was the target of a ransomware attack in late November. Kurita America, a major provider of water treatment solutions for industrial use, is a unit of Japan-based Kurita Group. The company did not disclose the impact of the attack.

These measures and practices are designed to strengthen the cybersecurity posture of community-based water systems in the U.S., addressing both regulatory requirements and emerging threats. The EPA, along with other federal agencies, conducts nationwide cybersecurity vulnerability scanning to identify vulnerable systems, and there is also a growing role for states in leading cybersecurity efforts for local utilities.

The Cybersecurity and Infrastructure Security Agency's (CISA) guidelines for water utilities stress the significance of ransomware prevention, as demonstrated by the attack on Minnesota-based Kurita America, a major provider of water treatment solutions. The recently proposed Water Authority Cybersecurity Protection Act aims to address this issue, focusing on measures such as ending the use of default passwords, securing devices from the open internet, and implementing multifactor authentication to enhance cybersecurity in community-based water systems. The Environmental Protection Agency (EPA), alongside federal agencies, conducts nationwide cybersecurity vulnerability scanning to identify and mitigate cybersecurity challenges in these systems, particularly those related to ransomware.
