Cyberattacks are hitting water and wastewater systems “throughout the United States” and state governments and water facilities must improve their defenses against the threat, the White House and Environmental Protection Agency warned US governors on Tuesday.
“We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices,” said the letter to the governors from EPA Administrator Michael Regan and national security adviser Jake Sullivan.
In many cases, Regan and Sullivan said, “even basic cybersecurity precautions” are not in place at water facilities and “can mean the difference between business as usual and a disruptive cyberattack.”
The EPA will also set up a “task force” to “identify the most significant vulnerabilities of water systems to cyberattacks,” among other pressing issues, Regan and Sullivan said in their letter. The Biden officials invited state homeland security and environmental officials to a meeting to discuss cybersecurity improvements needed in the water sector.
The US water sector, which spans 150,000 public water systems, has often struggled to find the cash and personnel to deal with hacking threats.
In November, hackers breached industrial equipment at multiple US water facilities to display an anti-Israel message on the equipment, according to US officials. The Biden administration blamed the Iranian government for the hacks.
Chinese state-backed hackers have also infiltrated US water facilities, according to US officials. It’s a hacking campaign that the Biden administration worries Beijing could use to disrupt critical infrastructure in the event of a conflict with the US. China denies the allegations.
Neither the alleged Iranian nor Chinese hacks have had any impact on drinking water, but they have alarmed senior US officials and lawmakers and drawn fresh attention to the security challenges in the water sector.
The Biden administration has tried to use a mix of regulation and federal support for new cyberdefense technologies to address the problem. But the EPA in October was forced to rescind a key cybersecurity regulation for public water systems following a legal challenge from Republican attorneys general.