White House acts to tackle cyber threat to water system
China and Iran blamed for recent spate of hacker attacks
The US government is stepping up efforts to upgrade the nation’s defences against foreign state-backed cyberattacks on its water and wastewater systems, following recent attacks blamed on hackers backed by China and Iran.
Michael Regan, administrator at the Environmental Protection Agency (EPA), and Jake Sullivan, assistant to the president for national security affairs, have written to state governors alerting them to the heightened threat. They called for a meeting to discuss and agree improved risk management defences and create a Water Sector Cybersecurity Task Force, which will build on recommendations from the environmental, health and homeland security secretaries.
In their joint letter to state governors, they said: “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.”
“Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities. We are writing to describe the nature of these threats and request your partnership on important actions to secure water systems against the increasing risks from and consequences of these attacks,” they said.
Regan and Sullivan laid the blame squarely on the shoulders of hackers backed by the Chinese and Iranian states.
First, they said that “threat actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) have carried out malicious cyberattacks against United States’ critical infrastructure entities, including drinking water systems”.
In these attacks, IRGC-affiliated cyber actors targeted and disabled a common type of operational technology used at water facilities, where the facility had neglected to change a default manufacturer password.
Second, they said that a state-sponsored cyber group from the People’s Republic of China (PRC) known as Volt Typhoon has compromised information technology of multiple critical infrastructure systems, including drinking water, in the US and its territories. “Volt Typhoon’s choice of targets and pattern of behaviour are not consistent with traditional cyber espionage,” they told governors.
“Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts,” they explained.
The EPA is the lead US federal agency responsible for ensuring the nation’s water sector is resilient to all threats and hazards.
“Partnerships with state, local, tribal, and territorial governments are critical for EPA to fulfill this mission. In that spirit of partnership, we ask for your assistance in addressing the pervasive and challenging risk of cyberattacks on drinking water systems,” urged Regan and Sullivan.
“We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident,” they said.
Regan and Sullivan told governors that, in many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyberattack.
They said that they will invite state environmental, health and homeland security secretaries to meet and discuss the improvements needed to safeguard water sector critical infrastructure against cyber threats.
“This meeting will highlight current federal and state efforts to promote cybersecurity practices in the water sector, discuss priority gaps in these efforts, and emphasise the need to take immediate action. We will provide details about this convening to your teams shortly,” they said.
Additionally, the EPA will engage the water sector and water government coordinating councils to form a water sector cybersecurity task force, which will build on recommendations from the state environmental, health and homeland security secretaries.
“The Task Force will identify the most significant vulnerabilities of water systems to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyberattacks,” stated the letter.
“The White House and EPA are hopeful that the efforts outlined in this letter, and others we may undertake together, will protect the water systems from cyberattacks and prevent the need to use other federal authorities,” concluded Regan and Sullivan.