Bring Home Cyber Risks to Water Supply, in Wake of EPA Tightening

March 29, 2023
The drinking water plant in Oldsmar, Fla., was the target of a cyberattack in 2021. The use of cybercontrols across U.S. drinking water systems may make them vulnerable to similar risks. Photo: City of Oldsmar.

TipSheet: Bring Home Cyber Risks to Water Supply, in Wake of EPA Tightening

By Joseph A. Davis

The U.S. Environmental Protection Agency’s push this month to tighten the cybersecurity of public drinking water systems is a chance for journalists to tell the public more about the risks it faces.

The EPA issued a guidance and memo March 3 notifying states they should include cybersecurity in their audits of drinking water systems.

Yes, malign hackers could do bad things to a public water system. In February 2021, an astonished plant operator in Oldsmar, Fla., watched as an unknown cyberintruder tried to dial up the amount of sodium hydroxide (aka lye) being injected into the system’s water.

Normally, this adjusts pH to control corrosion of metals like lead. But too much sodium hydroxide could make the water unhealthful. Fortunately, the operator caught the attack and stopped it.

This wasn’t the first or only such attack. Drinking water systems are complicated, and operators are spread thin. Not all systems are big enough to be able to afford a full-time onsite operator. Hence the standard use of cybercontrols and the potential risks.

[Editor’s Note: Find earlier SEJournal stories on this topic, “Could Hackers Poison Your Local Drinking Water?” and “Will Hackers Crash U.S. Energy, Environment Infrastructure?”]


Why it matters

For a lot of people, the water that comes out of their tap comes from municipal pipes and ultimately a treatment plant. Many skilled treatment professionals work hard to make it safe. But it isn’t always.

Ask the people in Flint, Mich., if they are confident about the healthfulness of their water. When drinking water is bad — and even when it isn’t — people get anxious and angry. When they lose confidence, it’s hard to get it back.

Tapwater is used not just for drinking, but for showering, cooking and other uses that can affect people’s health. Worse yet: People use that water every day over a long time.

People in less urban areas with smaller systems may be even more at risk.


The backstory

Fortunately, Congress passed the Safe Drinking Water Act, or SDWA, back in 1974 (it’s been amended often since). Its goal is healthful drinking water for everybody.

But across the wide and varied U.S. landscape, not everybody fits. Many people in remote areas had their own wells, which were not always regulated. People in big cities often had sophisticated systems which could be centrally run.

But the vast majority of the 153,000 U.S. public drinking water systems — in terms of numbers — are midsized and smaller.


Under the SDWA, most management is

delegated to states. And one way that

states oversee local utilities is via audits.


To deal with this complex landscape, Congress in the SDWA set up a federalistic system where the EPA sets overall national guidelines and standards. But at a workaday level, most management is delegated to states (at least those which met requirements). When states get this authority, it is called “primacy.”

Under SDWA, one way that states oversee local utilities is via their audits, or “sanitary surveys.” These multifaceted audits are conducted by states at varying frequencies for all water utilities.

This is a good time to mention that the SDWA is one of the most open-information laws in the environmental world. Not everything is subject to public disclosure, though. There are some exceptions for security.

The thing is that the EPA regulation prescribing sanitary surveys requires them to be made available to the public.

So if you ask for a copy of a sanitary survey (and related documents), you have a legal right to get it not only under the Freedom of Information Act, but also under the SDWA itself. The fact that you have a legal right to it, however, does not necessarily mean it will be easy to get.


Story ideas

  • The first step is to figure out which realm of drinking water utilities you want to investigate. Because sanitary surveys are done by states, the state level is a natural starting point. But it depends on your audience.
  • Ask for copies of the latest sanitary surveys for the drinking water utilities you are concerned with. If you get them, study them and ask questions. If you don’t get them, ask why.
  • Do the sanitary surveys say anything about cybersecurity or other kinds of security? Utilities are not required to make public their drinking water security plans. Some existing sanitary surveys may have info already prepared about cybersecurity plans.
  • Find out whether there are any remote data connections to your plant(s) of concern. Ask whether the utility has thought through its cybersecurity.
  • Utilities have lots of computer data and systems that do not directly control plant operation. Customer data, for example. Have measures been taken to keep these secure?
  • Does your utility have remote pumping stations that are computer-controlled? Are they secure?


Reporting resources

Joseph A. Davis is a freelance writer/editor in Washington, D.C. who has been writing about the environment since 1976. He writes SEJournal Online's TipSheet, Reporter's Toolbox and Issue Backgrounder, and curates SEJ's weekday news headlines service EJToday and @EJTodayNews. Davis also directs SEJ's Freedom of Information Project and writes the WatchDog opinion column.

* From the weekly news magazine SEJournal Online, Vol. 8, No. 13. Content from each new issue of SEJournal Online is available to the public via the SEJournal Online main page. Subscribe to the e-newsletter here. And see past issues of the SEJournal archived here.

SEJ Publication Types: