White House warns states of continued cyber threats to water infrastructure
EPA Administrator Michael S. Regan, shown here at a May 2023 budget hearing, joined National Security Advisor Jake Sullivan in alerting state governors of potential cybersecurity risks to water systems. Chip Somodevilla/Getty Images
The letter to state governors comes after the U.S. sanctioned Iran-linked hackers in February for their breach of water treatment systems last year.
The Environmental Protection Agency and National Security Council are urging states to stay alert for cyber threats targeting water sector infrastructure, according to a letter made public on Tuesday.
The missive from EPA Administrator Michael Regan and National Security Advisor Jake Sullivan is addressed to state governors and warns that hackers linked to China and the IRGC still pose a threat to water sector systems that clean and distribute water to communities.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” it says, encouraging state governments to “comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities” and implement other safeguards to stop hackers.
The Treasury Department sanctioned Iranian cyber operatives in early February for supporting a Tehran-backed hacking group’s infiltration into multiple states’ programmable logic controllers used for water treatment late last year, prompting mitigation advisories from officials.
The letter also calls out Volt Typhoon, a hacking group linked to the Chinese government that has been surreptitiously digging into U.S. critical infrastructure. A top NSA official said Friday that the U.S. is still identifying victims targeted by the group.
The Biden administration has been pushing to shore up protections for water treatment facilities against cyber threats, which researchers say are highly exposed to hacking attempts. But the EPA in October rescinded a memorandum that would have directed providers to evaluate cyber defenses of their water systems when conducting sanitation surveys, after facing legal pushback from GOP-led states and trade groups.
A group of water trade group representatives testified before a House panel earlier this year, urging Congress to take up measures that would give water facilities more federal funding for training and other resources they say are needed to defend their infrastructure.
The letter says the administration will invite states’ Environmental, Health and Homeland Security secretaries to partake in discussions around safeguarding the U.S. water sector. It also encourages them to engage with the Cybersecurity and Infrastructure Security Agency on developing defenses.