U.S. water facilities are struggling with glaring cybersecurity problems and receive insufficient support from federal regulators, according to cyber and water industry experts.
Many water systems are small, run by local municipalities and have few resources to invest in cybersecurity tools or staff. Federal funding and security standards for the sector are needed to protect drinking water and wastewater operators from a rising number of ransomware attacks, says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation, part of The Foundation for Defense of Democracies, a think tank in Washington.
The foundation, in a report to be published Thursday, calls for an increase in the Environmental Protection Agency’s budget for cybersecurity and disaster management to as much as $45 million.
The EPA, which oversees the water sector, must hire more cybersecurity staff and increase training and funding for utilities, said Mr. Montgomery, who is also executive director of the federal Cyberspace Solarium Commission.
The EPA’s office for homeland security, which provides cybersecurity training and tools, had a budget of $11.3 million in 2021 and requested $15.4 million for 2022. There are around 52,000 drinking-water and 16,000 wastewater systems in the U.S., according to the report.
“Among infrastructures, water is uniquely vulnerable,” Mr. Montgomery said.
Last month, the Cybersecurity and Infrastructure Security Agency and other federal agencies warned that ongoing hacking that targets water facilities threatens their ability “to provide clean, potable water to, and effectively manage the wastewater of, their communities.” CISA cited five attacks on water utilities since 2019, four of which were ransomware.
An EPA spokesman said in an email the agency “has tools to assist water and wastewater utilities in preparing for, identifying, responding to, and recovering from cyber-attacks. EPA works closely with the water sector industry as well as other federal, state, local, tribal and territorial, and private sector partners.”
The EPA has issued no binding cybersecurity standards for the water sector. Operators that service more than 3,300 people must conduct risk assessments and draft emergency-response plans.
The Biden administration introduced new rules for other critical infrastructure sectors this year, including requiring pipeline operators to inform the Transportation Security Administration when they are targeted or hacked. A security mandate released last month requires certain railroad operators to implement measures such as reporting hacks to the Department of Homeland Security.
“This is a big vulnerability and the EPA is not doing enough. It’s not resourced or organized to address and support the water sector,” said Rep. Mike Gallagher (R., Wis.), a co-chair of the Cyberspace Solarium Commission. Legislation could be needed to provide some targeted funding to the EPA and CISA to support water facilities, but there is likely no need for a law giving the EPA increased powers, he added.
The 2021 National Defense Authorization Act, an annual measure that Congress passed in January, already designated the EPA as the sector risk-management agency overseeing water facilities, Mr. Gallagher said. That status gave the agency new responsibilities such as providing technical assistance to help water operators identify vulnerabilities and deal with security incidents.
In July, the EPA’s inspector general’s office began an audit of the agency’s cybersecurity oversight of the water sector in response to recent hacks. A spokesman for the inspector general’s office said it is too early to estimate when the audit will wrap up.
A ransomware attack on Limestone Water and Sewer in Limestone, Maine, over the July 4 weekend crippled an office computer and most alarms for the district’s sewer system, said Superintendent Jim Leighton. Alarms were down for about a month, he said. The facility had been using an outdated version of Microsoft Windows software.
Limestone Water and Sewer services about 400 people and its sewer department has an annual budget of around $150,000, with most spent on electricity costs to run equipment, he added. After the attack, the facility paid around $6,000 for a new computer and a software update and service but didn’t pay the demanded ransom, he said.
Grants for small utilities to buy equipment after a cyber incident would help, Mr. Leighton said. “That’s a huge expense.”
In a hack of a water-treatment plant in Oldsmar, Fla., in February, levels of sodium hydroxide were reset remotely. A plant operator noticed the change, reversed it and notified his supervisor, Pinellas County Sheriff Bob Gualtieri said afterward.
Hackers could create a devastating ripple effect on other critical sectors by attacking a water facility, said Paul Stockton, former assistant secretary of defense for homeland defense. “Adversaries may look to the water sector as a potential target of attack in order to create cascading failures across multiple infrastructure sectors and to jeopardize health and safety,” he said.
The Foundation for Defense of Democracies also calls for establishing a regulatory system operated jointly by the government and the water industry, similar to how the energy sector sets best practices.
Small water facilities are particularly vulnerable to cyberattacks because many don’t have the budget to hire a chief information security officer, or even a technology director, said Michael Arceneaux, managing director of the Water Information Sharing and Analysis Center, a nonprofit group that helps water facilities exchange information about cyber threats.
“Congress needs to write a very large check to help them,” he said.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.