The Biden administration has sent out letters to warn states about cyberattacks against water systems.
“Disabling cyberattacks are striking water and wastewater systems throughout the United States … These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” Environmental Protection Agency Administrator Michael Regan and National Security Advisor Jake Sullivan wrote in a letter to governors.
The letter pointed to hackers from Iran’s Islamic Revolutionary Guard Corps that have targeted drinking water systems, and Volt Typhoon, a group sponsored by the People’s Republic of China, that has breached the IT of water systems and other critical infrastructure.
“We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident,” the letter reads.
Regen and Sullivan highlighted that “even basic cybersecurity precautions” like setting strong passwords and updating software “can mean the difference between business as usual and a disruptive cyberattack.”
The EPA, which is the primary federal agency tasked with making sure the nation’s water sector is protected against all threats and hazards, is creating a task force to pinpoint key vulnerabilities of water systems to cyberattacks, among other matters. The letter also extends an invitation to state homeland security and environmental officials for a meeting focused on enhancing cybersecurity in the water sector.
The water system is a particularly vulnerable component of US infrastructure, plagued with weak controls and staffing shortages. This is mostly because it doesn’t always have the funds to secure the necessary funds and personnel to address hacking threats.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” said the letter.