The Biden administration warned governors Tuesday that “disabling” cyberattacks are targeting drinking water and wastewater systems throughout the country and urged them to help identify and address any vulnerabilities.
Water and wastewater systems can represent an “attractive target” for cyberattacks because of their essential nature and frequent lack of “resources and technical capacity to adopt rigorous cybersecurity practices,” said Michael Regan, the administrator of the Environmental Protection Agency (EPA), and White House national security adviser Jake Sullivan in a letter.
“Even basic cybersecurity precautions — such as resetting default passwords or updating software to address known vulnerabilities — are not in place and can mean the difference between business as usual and a disruptive cyberattack,” Regan and Sullivan said.
They called on the governors to help ensure all their states’ water systems identify any significant vulnerabilities, put in place practices to reduce cybersecurity risks and exercise plans to prepare for a potential cyber incident.
Cyber actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and China have recently targeted critical U.S. infrastructure, including drinking water systems, Regan and Sullivan noted.
IRGC-affiliated actors targeted and disabled operational technology at water facilities that failed to change a default manufacturer password late last year, while a Chinese state-sponsored cyber group has compromised the IT environments of several critical infrastructure organizations and appears to be pre-positioning itself to disrupt operations.
“Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks,” Regan said in a press release.
The administration is inviting state environmental, health and homeland security secretaries to a meeting to discuss cyber threats to water systems and plans to form a Water Sector Cybersecurity Task Force, according to the letter.
“EPA and [National Security Council] take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems,” Regan added.