How safe is America’s drinking water supply?

Environmental Protection Agency’s stark warning this week warned the threat to the United States’ supply of drinking water is increasing, with infrastructure targeted by hackers linked to the Chinese, Iranian and Russian governments. Is our water safe?

The May 20 alert said that more than 70 percent of the water systems inspected by the EPA failed to meet basic security requirements set out in the Safe Drinking Water Act, with inspectors finding “alarming cybersecurity vulnerabilities at drinking water systems across the country.”

Professor Blair Feltmate, an expert in water systems at the University of Waterloo in Canada, told Newsweek cyberthreats to the U.S. water supply are “growing in sophistication” and are a particularly big threat to the southwest of the country, which is already “on the edge of being out of water.”

The Cybersecurity and Infrastructure Security Agency (CISA), which forms part of the Department of Homeland Security, warned specifically about the threat from foreign powers to the American water supply in alerts on December 1, 2023, and February 7 and May 1 this year.

Hackers linked to the Iranian, Russian and Chinese states are launching cyberattacks on the water system across the United States, according to federal authorities. The attacks are getting more sophisticated.

Photo Illustration by Newsweek

In its enforcement alert of May 20, the EPA said its inspectors had “identified alarming cybersecurity vulnerabilities at drinking water systems across the country.”

It continued: “For example, some water systems failed to change default passwords, use single logins for all staff, or failed to curtail access by former employees.”

On March 19, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan sent a joint letter to all 50 U.S. governors urging them to convene local agencies to “discuss the urgent need to safeguard water sector critical infrastructure against cyber threats.”

Regan commented: “Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks.”

Speaking to Newsweek, Professor Feltmate warned that hostile actors could amplify the impact of their attacks by targeting water supply systems in parts of the U.S. that are already suffering from water shortages.

He said: “Cyberattacks that threaten water supply are growing in sophistication, which in theory is being matched by capacity to counter these attacks. As challenging as cyberattacks may be, there is a growing stress—climate change—that may direct cyber-attackers in selecting targets.

“The U.S. Southwest is on the edge of being out of water, due to a combination of climate-change driven extreme heat, growing drought and excess demand. Nonetheless, survival in the Southwest depends on this increasingly precarious water supply—as such, cyber bad guys will likely target this region using a ‘kick ’em while they are down’ logic.

“In anticipation of this threat, the U.S. should rapidly double-down on water security in the southwest if the worst of cyberattacks on water supply are to be avoided.”

Attacks on United States’ Water Supply

  • The EPA’s December 1 alert, hackers affiliated with the Iranian state’s Islamic Revolutionary Guard Corps, operating under the name ‘CyberAv3ngers,” targeted a number of Israeli produced Unitronics Vision Series programmable logic controllers (PLCs), which are used in water management.
  • It warned IRGC cyber actors “accessed multiple U.S.-based WWS (water and wastewater system) facilities” by compromising internet-accessible devices with default passwords. The system displayed the message: ‘You have been hacked, down with Israel. Every equipment ‘made in Israel’ is Cyberav3ngers legal target.'”
  • In November 2023, the Cyber Av3ngers claimed responsibility for hacking the Aliquippa Municipal Water Authority in Pittsburgh, Pennsylvania, causing it to shut down the automated system and conduct operations manually.
  • The February 7 alert claimed a Chinese “state-sponsored cyber group” called Volt Typhoon had “compromised the IT environments of multiple critical infrastructure organizations,” including water management systems.
  • In December, The Washington Post reported the computer system of a water utility in Hawaii had been infiltrated by “hackers affiliated with China’s People’s Liberation Army.”
  • The CISA warned on May 1, based on intelligence from a range of agencies including the FBI and National Security Agency (NSA), that “pro-Russia hacktivists” had been targeting water supply systems in the U.S., though it said this was “mostly limited to unsophisticated techniques.”
  • A cyberattack on the water supply of the remote Texan town of Hale Center in January, which resulted in the operating system having to be shut down, was linked to internet addresses in St. Petersburg, Russia, according to the Insurance Journal.

Professor David Reckhow, a water treatment expert who used to teach at the University of Massachusetts Amherst, agreed that cyberattacks are a threat to the American drinking water network, but said he doubted these will have a major health impact.

In an interview with Newsweek he said: “All community water systems are somewhat vulnerable to intentional contamination, but it’s unlikely that cyberattack would result in a serious compromise in water quality or public health. On the other hand, a cyberattack could result in financial difficulties.”

When contacted by Newsweek for comment, an EPA spokesperson said: “Water and wastewater systems across the United States are falling victim to cyberattacks. Incidents of cyberattacks against water utilities have increased significantly over the last few years, and this risk is growing with rapid advances in artificial intelligence.

“Rapid advances in artificial intelligence are giving cyber threat actors more sophisticated tactics, techniques, and procedures to penetrate operational technology that controls critical infrastructure facilities… All water and wastewater systems are at risk—large and small, urban and rural.”

The spokesperson said all water management system operators should “reduce exposure to public-facing internet”, “change default passwords immediately” and “conduct cybersecurity awareness training.”

U.S. Internal Problems With Water Supply

Academic experts agreed the U.S. generally has high quality drinking water, although Heather Murphy, an associate professor and water quality expert at the University of Guelph, warned key infrastructure is aging. Newsweek has produced a map showing the number of contaminations and safety violations by state based on data from the EPA’s Enforcement and Compliance History Online for safe drinking water.

She said: “In general, I believe US municipal drinking water is of high quality and is on par with many other advanced countries. What is problematic in the US and in other developed nations is the deteriorating infrastructure that distributes water ( i.e. the pipes).

“Those are aging rapidly and are not being replaced as quickly as needed. As a result, the distribution systems could be compromising the quality of water between the treatment plant and when it reaches a consumers home.”

Murphy also said there are still communities in the U.S. that rely on private wells of questionable quality, and remain independent of public water systems.

The academic commented: “A large portion of the U.S. is served by private wells where the onus is on the homeowner to test and treat their own water supply. Many of these populations are underserved in terms of access to treated water (i.e. they don’t treat their water).

“There are pockets of racialized populations in North Carolina, for example, that live on the outskirts of cities that could be easily hooked up to public water systems, yet they are served by private wells of poor quality.”

Professor Reckhow was more optimistic, saying there is “little regional variation” in water quality across the U.S.

He commented: “Public drinking water in the US, especially community water, is very safe as compared to other developed countries. Strict national standards and strong collaborations between water utilities and the research community helps. With only a few exceptions there is little regional variation.”

In April, the EPA introduced legally enforceable limits for some PFAS compounds, also known as “forever chemicals,” in U.S. drinking water as part of a wider Biden administration effort to reign in PFAS pollution.