Skip to content

Illustration by iStock, Security Management

The Biden Administration Warns Water Sector About Cybersecurity Attacks

The Biden administration is warning states that cyberattacks are targeting U.S. water and wastewater systems.

In a letter sent to all U.S. governors, the U.S. Environmental Protection Agency and the White House cautioned that such “attacks have the potential to disrupt the critical lifeline of clean and safe drinking water.” The letter was signed by EPA administrator Michael Regan and national security advisor Jake Sullivan.

The letter, sent on 19 March, included the announcement that the EPA, along with the Water Sector and Water Government Coordinating Councils, is forming a Water Sector Cybersecurity Task Force. The task force will consider cyber vulnerabilities of water systems and identify actions utilities can take to reduce the risks.

Although they are critical infrastructure systems, water and wastewater systems tend to lack resources and abilities to implement and maintain thorough cybersecurity protocols. “The U.S. water sector, which spans 150,000 public water systems, has often struggled to find the cash and personnel to deal with hacking threats,” CNN reported.

Ninety-three percent of public water systems serve less than 3,000 people each, and because most water utilities are run by municipalities, it means they have little funding dedicated to hiring cybersecurity staff and offering employees even basic cyber training, according to Axios. Many of these systems also operate on legacy systems that can be difficult to upgrade, Axios added.

“The lack of fundamental cybersecurity precautions in many facilities poses a significant risk, potentially turning a minor breach into a major disruption. Ensuring the resilience of our water infrastructure against cyber threats is not just a matter of national security, but also of public health and safety, requiring collaborative efforts at all levels of government and between the public and private sectors,” Emily Phelps, director at Cyware, noted in an emailed statement.

In the letter, Regan and Sullivan asked for support from the states in maintaining the security of these systems. The letter asked for cooperation between the EPA and state, local, tribal, and territorial entities in evaluating current cybersecurity practices, identifying weaknesses, reducing risks, training for potential incidents, and responding and recovering from a cyberattack.

The administration also invited governors and certain state officials to a virtual meeting on 21 March to discuss the current state of cybersecurity practices among these systems and where improvements can be made. “The National Security Council (NSC) and EPA are encouraging all states to join this dialogue to drive rapid improvements to water cybersecurity and reinforce collaboration between state and federal entities and water systems,” the EPA said in a press release.

The two threats that the administration pointed to stemmed from the Iranian Government Islamic Revolutionary Guard Corps (IRGC) and the People’s Republic of China (PRC).

Threat actors with ties to the IRGC previously carried out cyberattacks against critical infrastructure in the United States. “In these attacks, IRGC-affiliated cyber actors targeted and disabled a common type of operational technology used at water facilities where the facility had neglected to change a default manufacturer password,” the letter said.

The other highlighted group is Volt Typhoon, a PRC state-sponsored cyber group with a history of compromising information technology of multiple U.S. critical infrastructure systems. “Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts,” the administration wrote.

The administration also pointed to actions, guidance, tools, training, resources, and technical assistance available to water and wastewater systems from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the EPA.

In early 2023, the EPA tried to require that water utilities adhere to stricter cybersecurity rules, however, the agency withdrew the rule in October after three Republican state attorneys general asked courts to review the rule, which the U.S. Court of Appeals for the 8th Circuit granted.