“Disabling cyberattacks” are hitting critical US water systems, White House warns

The Biden administration on Tuesday warned the nation’s governors that drinking water and wastewater utilities in their states are facing “disabling cyberattacks” by hostile foreign nations that are targeting mission-critical plant operations.

“Disabling cyberattacks are striking water and wastewater systems throughout the United States,” Jake Sullivan, assistant to the president for National Security Affairs, and Michael S. Regan, administrator of the Environmental Protection Agency, wrote in a letter. “These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

The letter cited two recent hacking threats water utilities have faced from groups backed by hostile foreign countries. One incident occurred when hackers backed by the government of Iran disabled operations gear used in water facilities that still used a publicly known default administrator password. The letter didn’t identify the facility by name, but details included in a linked advisory tied the hack to one that struck the Municipal Water Authority of Aliquippa in western Pennsylvania last November. In that case, the hackers compromised a programmable logic controller made by Unitronics and made the device screen display an anti-Israel message. Utility officials responded by temporarily shutting down a pump that provided drinking water to local townships.

The second threat was publicly revealed last month by the Cybersecurity and Infrastructure Security Agency. Officials said that a hacking group backed by the Chinese government and tracked under the name Volt Typhoon was maintaining a foothold inside the networks of multiple critical infrastructure organizations, including those in communications, energy, transportation, and water and wastewater sectors. The advisory said that the hackers were pre-positioning themselves inside IT environments to enable disruption operations across multiple critical infrastructure sectors in the event of a crisis or conflict with the US. The hackers, the officials said, had been present in some of the networks for as long as five years.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” Sullivan and Regan wrote in Tuesday’s letter. They went on to urge all water facilities to follow basic security measures such as resetting default passwords and keeping software updated. They linked to this list of additional actions, published by CISA and guidance and tools jointly provided by CISA and the EPA. They went on to provide a list of cybersecurity resources available from private sector companies.

The letter extended an invitation for secretaries of each state's governor to attend a meeting to discuss better securing the water sector's critical infrastructure. It also announced that the EPA is forming a Water Sector Cybersecurity Task Force to identify vulnerabilities in water systems. The virtual meeting will take place on Thursday.

“EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems,” Regan said in a separate statement.