EPA Warns US Water Systems Vulnerable to a Disruptive Cyber Attack, State Governors Must Do More

The White House is warning state governors that US water systems lack adequate cybersecurity safeguards, making them particularly vulnerable to a disruptive cyber attack.

In a joint letter from Environmental Protection Agency (EPA) Administrator Michael Regan and National Security Advisor Jake Sullivan, the administration also warned of increasing state-sponsored cyber attacks on water and wastewater systems (WWS).

The United States has over 150,000 WWS spread across various states, underscoring the vastness of the threat landscape.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” the EPA and White House said.

Regan and Sullivan pleaded with state governors to support the federal government’s efforts to protect water systems from disruptive cyber attacks.

US water systems on a thin line between business and a disruptive cyber attack

The EPA and White House officials noted that US water systems lack basic cybersecurity precautions, such as patching known vulnerabilities and changing the default passwords, which could “mean the difference between business as usual and a disruptive cyberattack.”

Regan and Sullivan asked state governors to support the federal government’s efforts to rid WWS of security vulnerabilities stemming from inadequate cybersecurity safeguards.

“We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices,” the letter said.

They referred the state governors to the list of Top Cyber Actions for Securing Water Systems and resources for cybersecurity resiliency for WWS operators. Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also published a free security scan utility for critical infrastructure organizations, including WWS.

They stressed the importance of the role that state governments play in ensuring that WWS adopt cybersecurity best practices to prevent a disruptive cyber attack.

“State leadership and messaging to connect water systems with these tools and resources is essential to ensure that utility leaders assess and mitigate critical cyber risks,” the EPA said.

“The impact of a cyber attack on critical infrastructure, such as water systems, could be devastating and even life-impacting,” said Dave Ratner, CEO of HYAS. “It’s critical that everyone who provides critical infrastructure and services, not just water and wastewater systems, augment their security stack with resiliency-based approaches, such as Protective DNS, so they can detect in real-time any and all anomalous activity, render it inert before it causes damage, and ensure the safety of their services and the people who rely on them.”

EPA invites state governors to form a Water Sector Cybersecurity Task Force

The EPA also said it is creating a Water Sector Cybersecurity Task Force to protect water systems from cyber threats.

The Task Force will identify significant vulnerabilities affecting WWS, challenges in adopting cybersecurity best practices, and strategies to reduce the risk of a disruptive cyber attack.

It will build on the recommendations from states’ Environmental, Health and Homeland Security Secretaries. State governors were also invited to a virtual meeting on March 21, 2024, to forge a way forward toward the creation of the Water Sector Cybersecurity Task Force.

In October 2023, the EPA withdrew a guideline imposing minimum cybersecurity requirements for water and wastewater systems after opposition from some state attorneys general. This time, the agency hopes to achieve progress by collaborating with state, local, tribal, and territorial governments.

“In that spirit of partnership, we ask for your assistance in addressing the pervasive and challenging risk of cyberattacks on drinking water systems,” the letter implored.

“US water and wastewater systems are at risk with various forms of governance and authority behind state, local, federal, and commercial entities responsible for management of facilities, where some have largely ignored security practices,” said Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit.

Nation-state actors threaten US water systems

The White House and EPA officials warned that nation-state actors were targeting US water systems with disruptive cyber attacks for geopolitical reasons.

“Nation-state actors have been targeting critical infrastructure for years to posture and prepare cyber weapons and capabilities for escalation and capabilities for a time and place when it is strategically advantageous for them to utilize in an attack,” noted Dunham. “For example, this was seen with attacks by Russians with their attack into Georgia, attacking critical infrastructure week prior to conventional armed forces attacking, facing little to no resistance, with sickness and dysentery set in for many.”

The White House warned that hackers affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC) have recently targeted critical infrastructure organizations, including water systems.

In November 2023, the Municipal Water Authority of Aliquippa in Pennsylvania suffered a cyber attack attributed to the Iranian hacktivist group Cyber Av3ngers. The cyber attack stemmed from the water authority’s failure to change the default passwords on the Israeli-made Unitronics Programmable Logic Controllers used to control water pressure. The hacktivist group was also responsible for other cyber incidents on critical infrastructure organizations, including the Boston Children’s Hospital cyber attack in 2021.

The EPA letter also warned that Chinese hackers affiliated with the People’s Republic of China (PRC) were entrenching themselves in U.S. critical infrastructure, including WWS, preparing to disrupt operations “in the event of geopolitical tensions and/or military conflicts.”

“Volt Typhoon have been pre-positioning themselves on U.S. critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies,” EPA warned.

Similarly, on March 19, 2024, cybersecurity authorities from the Five Eyes alliance released a joint cybersecurity advisory on Volt Typhoon’s activity on members’ critical national infrastructure.

“The IRGC are actively engaged in disruptive attacks, while the PRC are more focused on establishing persistence for potential future use,” noted Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd.

Almog Apirion, CEO and Co-Founder of Cyolo, a remote privileged access management (RPAM) company, described EPA’s warning as timely.

“The recent warnings from the White House and EPA about hackers breaching water systems are not a surprise when news about critical infrastructure being targeted continues to make headlines,” he said. “It is imperative that organizations operating in sectors, such as water, utilities, oil & gas, fortify their cybersecurity defenses - this involves access across their systems.”