The Environmental Protection Agency on Friday announced it will require states to report cybersecurity threats in their audits of public water systems.
The EPA’s mandate came one day after the Biden Administration unveiled a new cybersecurity strategy that urges tighter regulation of existing practices and stronger collaboration between the government and private sector.
“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox. “Cyberattacks have the potential to contaminate drinking water.”
She added that the EPA would assist states and water systems in building out their cybersecurity programs—but made no mention of financial assistance.
Biden Administration officials said states have been inconsistent in their efforts to protect drinking water from cyberattacks, with many water systems not covered by cybersecurity practices. The EPA asserted that voluntary measures have “yielded minimal progress” as experts have said many municipalities lack the money or expertise.
A failed attempt in 2021 by a hacker to poison the water of a small municipality near Tampa, Florida sparked concerns about the nation’s 151,000 public water systems. The hacker had breached the system via a remote access program, but a supervisor monitoring a console at the water plant caught the cyberattack and stopped it.
The hacker had attempted to add sodium hydroxide to the Florida town’s water system. It’s a chemical used to lower acidity in swimming pools and drinking water, but in high concentrations it can cause chemical burns.
Anne Neuberger, deputy national security advisor for Cyber and Emerging Technologies, said Friday that the EPA’s memo for states would establish minimum cybersecurity measures for municipal water. It comes after the Administration had done the same for pipelines and the rail sector.