EPA Increases Enforcement to Address Cybersecurity Threats to Community Water Systems

The EPA has issued an Enforcement Alert to Community Water Systems (CWSs) to address cybersecurity threats. Cyberattacks against CWSs are increasing, posing significant risks to water utility operations and public health. The EPA is increasing enforcement activities to ensure compliance with the Safe Drinking Water Act (SDWA) Section 1433, which requires CWSs to conduct Risk and Resilience Assessments (RRAs) and develop Emergency Response Plans (ERPs) to evaluate and reduce risks from physical and cyber threats.

Immediate steps recommended by the EPA, CISA, and the FBI include reducing exposure to the public-facing internet, conducting regular cybersecurity assessments, changing default passwords, conducting an inventory of OT/IT assets, developing and exercising cybersecurity incident response and recovery plans, and conducting cybersecurity awareness training. CWSs serving more than 3,300 people must also certify the completion of RRAs and ERPs to the EPA.

EPA inspections have revealed alarming vulnerabilities in over 70% of the systems inspected, including missing RRA and ERP sections, inadequate cybersecurity measures, and potential violations of SDWA Section 1433. In response, the EPA is increasing the number of inspections focusing on cybersecurity and may take enforcement actions against non-compliant CWSs.

To assist CWSs in implementing changes, the EPA offers free help through its Cybersecurity Technical Assistance Form and encourages contacting CISA for Cyber Hygiene Services. Additionally, helpful information and resources are available on EPA’s Cybersecurity for the Water Sector web page and the joint EPA and CISA Water and Wastewater Cybersecurity website.

With the increasing frequency and severity of cyberattacks on water systems, the EPA prioritizes cybersecurity enforcement to protect the nation’s drinking water.