Feds Warn of Disruptive Cyberattacks Against Municipal and Rural Water Systems

In a warning to state governors, the Biden administration has sounded the alarm about the growing threat of cyberattacks targeting the nation’s water systems.

Environmental Protection Agency (EPA) Administrator Michael Regan and National Security Advisor Jake Sullivan jointly authored a letter emphasizing the potential for these attacks to disrupt the critical supply of clean and safe drinking water, while also imposing significant financial burdens on affected communities.

The letter specifically identifies two key threats: hackers affiliated with the Iranian government's Islamic Revolutionary Guard Corps and a state-sponsored group from the People’s Republic of China known as Volt Typhoon.

The former has been accused of directly attacking drinking water systems, while the latter has compromised the information technology infrastructure of drinking water and other critical systems.

According to the letter, “Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.” This assessment underscores the severity of the threat and the need for immediate action.

The water system in the United States is particularly vulnerable due to a combination of factors, including weak controls, insufficient funding, and staffing shortages.

As the lead federal agency responsible for ensuring the resilience of the nation’s water sector, the EPA is tasked with addressing these challenges.

The letter also references a recent attack in late November by an Iranian-backed hacking group that targeted Israeli-made digital controls commonly used in the US water and wastewater industries.

As the letter notes, “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.”

The authors stress that even basic cybersecurity measures, such as resetting default passwords or updating software to address known vulnerabilities, can make a significant difference in preventing disruptive cyberattacks.