US warns hackers are carrying out attacks on water systems
The Biden administration has urged states to enhance security measures for water and wastewater systems, cautioning that utilities nationwide are facing the threat of “disabling cyberattacks.”
In a letter addressed to all US governors on Tuesday, the White House and the Environmental Protection Agency (EPA) highlighted ongoing risks posed by hackers associated with the governments of Iran and China. They warned that similar attacks could disrupt access to clean drinking water and result in significant costs for affected communities.
To address these concerns, secretaries of Environmental, Health, and Homeland Security have been invited to a meeting on March 21st to discuss the necessary safeguards for protecting critical water infrastructure against cyber threats. Additionally, the EPA is establishing a Water Sector Cybersecurity Task Force to identify vulnerabilities and build upon recommendations put forth during the upcoming meeting.
The letter, signed by national security advisor Jake Sullivan and EPA administrator Michael Regan, underscores the attractiveness of drinking water and wastewater systems as targets for cyberattacks due to their status as essential lifeline infrastructure. It also acknowledges the challenges these systems face in adopting robust cybersecurity practices due to limited resources and technical capacity.
States are urged to ensure that their designated water systems undergo assessments for vulnerabilities and are provided with a list of recommended actions by the Cybersecurity and Infrastructure Security Agency (CISA) to enhance security measures. The letter emphasizes that even basic cybersecurity precautions, such as updating software and resetting default passwords, can make a significant difference in preventing disruptive cyberattacks.
The letter cited a November incident in which hackers believed to be affiliated with the Iranian government targeted US water facilities by exploiting default manufacturing passwords on common operational technology. This incident served as a wake-up call to tighten security measures, leading to the US Treasury sanctioning six Iranian Armed Forces officials responsible for the attacks in February.
Furthermore, the letter highlighted the threats posed by Volt Typhoon, a Chinese state-sponsored group that was reported in February to have compromised information about US drinking water systems.