The Biden administration is calling on states to enhance security measures for water and wastewater systems in response to escalating cyber threats. In a joint letter to all US governors, the White House and the Environmental Protection Agency (EPA) highlighted ongoing cyberattacks linked to government actors from Iran and China, emphasizing the potential for these attacks to disrupt access to clean water and impose significant costs on affected communities.
Scheduled for March 21st, a meeting will convene secretaries from the Environmental, Health, and Homeland Security departments to address safeguarding requirements for critical water infrastructure against cyber threats. Additionally, the EPA plans to establish a Water Sector Cybersecurity Task Force to identify vulnerabilities and implement recommendations from the forthcoming meeting.
The letter, signed by National Security Advisor Jake Sullivan and EPA Administrator Michael Regan, underscored the attractiveness of water systems as targets for cyberattacks due to their status as essential lifeline infrastructure. It emphasized the need for enhanced cybersecurity practices, particularly given the limited resources and technical capacity of many water utilities.
States are urged to ensure that designated water systems undergo vulnerability assessments and implement recommended actions outlined by the Cybersecurity and Infrastructure Security Agency (CISA). Even basic precautions, such as updating software and resetting default passwords, are emphasized as critical measures to mitigate the risk of disruptive cyberattacks.
The letter referenced past incidents, including cyberattacks by Iranian government-affiliated hackers in November, which exploited default manufacturing passwords on operational technology. The US Treasury responded by imposing sanctions on six Iranian Armed Forces officials responsible for these attacks in February. Additionally, concerns were raised about the Chinese state-sponsored group Volt Typhoon, which compromised information on US drinking water systems in February.
These developments underscore the urgent need for heightened vigilance and proactive measures to fortify the resilience of water infrastructure against cyber threats.