Technology

Biden administration warns states of cyberattack threat to water, wastewater systems

The San Jose-Santa Clara Regional wastewater facility is seen, Wednesday, Dec. 13, 2023, in San Jose, Calif. Sewage water is treated at the site before it is discharged into San Francisco Bay. California regulators are preparing to vote on new rules for turning recycled wastewater into drinking water. (AP Photo/Terry Chea)

The Biden administration warned governors Tuesday that “disabling” cyberattacks are targeting drinking water and wastewater systems throughout the country and urged them to help identify and address any vulnerabilities.

Water and wastewater systems can represent an “attractive target” for cyberattacks because of their essential nature and frequent lack of “resources and technical capacity to adopt rigorous cybersecurity practices,” said Michael Regan, the administrator of the Environmental Protection Agency (EPA), and White House national security adviser Jake Sullivan in a letter.

“Even basic cybersecurity precautions — such as resetting default passwords or updating software to address known vulnerabilities — are not in place and can mean the difference between business as usual and a disruptive cyberattack,” Regan and Sullivan said.

They called on the governors to help ensure all their states’ water systems identify any significant vulnerabilities, put in place practices to reduce cybersecurity risks and exercise plans to prepare for a potential cyber incident.

Cyber actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and China have recently targeted critical U.S. infrastructure, including drinking water systems, Regan and Sullivan noted.

IRGC-affiliated actors targeted and disabled operational technology at water facilities that failed to change a default manufacturer password late last year, while a Chinese state-sponsored cyber group has compromised the IT environments of several critical infrastructure organizations and appears to be pre-positioning itself to disrupt operations.

“Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks,” Regan said in a press release.

The administration is inviting state environmental, health and homeland security secretaries to a meeting to discuss cyber threats to water systems and plans to form a Water Sector Cybersecurity Task Force, according to the letter.

“EPA and [National Security Council] take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems,” Regan added.