Keaton PetersThe Environmental Protection Agency is raising the alarm that water infrastructure is at risk of “disabling cyberattacks” that could “disrupt the critical lifeline of clean and safe drinking water.” In a letter addressed to governors, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan urged states to be on high alert for cyberattacks and called a meeting for Thursday to discuss how to best ward off the threat.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” the letter said.
The threat comes from groups associated with the governments of China and Iran. Groups affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) have successfully targeted water systems in the past. Volt Typhoon, a group sponsored by the People’s Republic of China, is also preparing to strike water infrastructure, according to the letter.
As recently as December 2023, an Iranian-backed cyberattack targeted several water utilities, including one in a small town in western Pennsylvania, the AP reported. Chinese-associated groups have also invested in a longstanding effort to hack into U.S. infrastructure for at least five years, according to CNN.
There are more than 150,000 water systems across the country with various levels of security, maintenance and funding. Hacking them can stop pumps from letting water flow or even lead to contamination.
Passed in 2018, the America’s Water Infrastructure Act requires water systems serving more than 3,300 people to complete risk and resilience assessments every five years that include an assessment of cybersecurity. The next assessment is not due to be completed until 2025 or 2026, depending on the size of the water system.
The EPA is the primary agency tasked with safeguarding America’s drinking water supply and wastewater systems. With the National Security Council and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the federal government is offering the states guidance to ensure they are prepared for an attack.
“EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems,” Regan said in a press release.
The letter recommends simple protections such as resetting passwords to access the computer networks that run water systems and completing software updates. Federal officials are also directing state governments to a CISA action list for protecting water infrastructure that includes not using public internet networks, completing regular security assessments and training exercises and backing up IT systems.
“We’ve worked across government to implement significant cybersecurity standards in our nation’s critical infrastructure, including in the water sector, as we remain vigilant to the risks and costs of cyber threats,” Sullivan said.
Along with the warning to states and calling a meeting, the EPA will also establish a Water Sector Cybersecurity Task Force. CISA already convenes councils of the private sector and all levels of government to address the security of water infrastructure. The task force will draw upon these existing councils to develop strategies that will lower water systems’ vulnerability to cyberattacks.
Photo courtesy of the Water Education Foundation
