EPA Drills Water Utilities on Disconnection Crisis Preparations
In a recent simulation exercise conducted by the U.S. Environmental Protection Agency (EPA), water utilities across the nation faced a critical scenario designed to test their resilience during a major cyberattack. The exercise, which was held via Zoom, focused on the ramifications of a complete communications breakdown—specifically, a significant cyber incident attributed to a Chinese military hacking group, known as Salt Typhoon. This fictitious attack resulted in a widespread outage that affected a major cellular and telecommunications provider, cutting off internet access and cellular service for millions of consumers and various commercial and government organizations.
The situation was set in the fictional town of Riverbend, representing a realistic crisis for water utilities across the United States. During the simulated three-day event, the Riverbend Public Utility was tasked with ensuring the safe and continuous delivery of water to its 120,000 customers despite losing vital communication tools. Participants grappled with the implications of not having access to cellular and landline phones, SMS-based alerts, or cloud services like email and document sharing. The absence of telemetry data and SCADA (Supervisory Control and Data Acquisition) connectivity to remote sites exacerbated the crisis.
Brandon Carter, a Senior Cybersecurity Specialist with the EPA, indicated that this training scenario aimed to reflect real threats to the nation’s water systems, particularly regarding the malicious activities of international cyber adversaries. During the exercise, engagement came from over 200 water and wastewater utilities, as well as emergency response planners and IT specialists. The drill was designed to enhance participants’ preparedness for severe cyberattacks that could potentially disrupt operations on an unprecedented scale.
The training outlined the importance of declaring a "significant operational incident" and determining who would be responsible for preserving the incident record essential for post-event analysis. The discussions highlighted the necessity to establish alternative communication channels, workforce requirements, and the changing dynamics of staffing amidst a crisis. As one participant noted, some facilities might require round-the-clock staff presence, while adjustments to shift patterns—from eight-hour to twelve-hour shifts—became a topic of conversation.
The exercise didn’t shy away from the complexities facing water utilities in a real crisis. Participants discussed operational trade-offs, particularly concerning water treatment processes. Some questioned whether to fully treat water in an effort to maintain quality, or merely ensure that water pressure remained sufficient for fire-fighting capabilities, even if that meant releasing untreated water into the system—a dilemma with significant public health and safety implications.
Despite the sensitivity and relevance of the exercise, participation levels were unexpectedly low. The EPA had promoted the opportunity for utilities to conduct a live action drill, either in advance of or during the Zoom meeting. Of approximately 390 participants on the call, only a small fraction—67—opted for the manual operations module. A mere handful confirmed that they had trialed manual operations before or during the drill, which raises concerns about the readiness of utilities to respond effectively to real-world cyber incidents.
Andy Krapf, the director of Cybersecurity for Loudoun Water, commented on the innate challenges utilities face when transitioning to manual operations during significant disruptions. Depending on the size and complexity of the utility, switching to manual processes after a communications outage could be a formidable task. While a smaller utility with fewer complexities might adapt quickly, larger metropolitan systems may struggle significantly without remote operations capabilities.
In another perspective shared during the meeting, one attendee felt confident in their ability to notify local authorities and switch to a manual operational structure efficiently due to the simplicity of their own system. However, an engineer from Massachusetts shared a different viewpoint, emphasizing that many utilities rely on non-internet-based communication methods to manage remote operations, thus lessening the impact of such an outage.
Krapf stressed that water utilities are incredibly diverse in nature, indicated by various customer bases, treatment technologies, and regulatory environments. He noted that while local operations might shift in an outage—where remote facilities could no longer report but could still function under local automation—true manual operation would require constant human oversight. The importance of understanding the operational landscape and preparedness for such cyber threats is critical—a lesson that this exercise aimed to impart to the participants.
As cyber threats continue to evolve, the need for water utilities to be proactive in their readiness is clearer than ever. The EPA’s simulation provided valuable insights into the potential vulnerabilities faced by the nation’s water systems and underscored the importance of collaboration among utilities, cybersecurity specialists, and government officials to create a more resilient infrastructure against the ever-looming threat of cyberattacks. The implications of a successful attack could spell disaster; therefore, drills like this are essential tools for fostering a culture of preparedness within the vital sector of public utilities.
