White House, EPA warn water sector of cybersecurity threats
The White House sent a stark warning to U.S. governors on Monday that “disabling” cyberattacks targeting water systems are occurring throughout the United States, in what is the Biden administration’s latest plea to state authorities to direct more resources and attention to protecting water utilities.
In their letter, the White House and the Environmental Protection Agency invited state officials to a Thursday meeting to discuss how to improve digital defenses for the more than 150,000 utilities in the U.S. The EPA is also setting up a water sector cybersecurity task force that will outline some of the biggest challenges the sector faces and develop strategies to defend against the threat.
“Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” National Security Advisor Jake Sullivan and EPA Administrator Michael Regan wrote in the letter.
The letter pointed to the China-sponsored hacking group Volt Typhoon’s targeting of critical infrastructure sectors like drinking water in the U.S. as an example of the threat. National security officials have been sounding the alarm that Volt Typhoon’s intrusion suggests that China is pre-positioning itself to carry out disruptive attacks in the event of a conflict over Taiwan.
Speaking to reporters last week ahead of his retirement, NSA Cybersecurity Director Rob Joyce warned that federal investigators are continuing to discover victims of Volt Typhoon’s hacking campaign and that the full scope of the group’s spree remains unclear.
According to Joyce, the campaign has two primary objectives: being able to disrupt U.S. communication with and military deployment to East Asia in the event of a conflict between the United States and China, and to disable critical U.S. systems and incite widespread panic in a crisis.
Monday’s letter, points out that water systems face attacks by other groups as well, including opportunistic attacks by a group known as the Cyber Av3ngers — an outfit linked to the Iranian Islamic Revolutionary Guard Corps. That group was responsible for attacks on devices made by the Israeli firm Unitronics that impacted several water facilities in the U.S.
While there is no evidence that the attacks were specifically targeting the water sector, the Iran-linked hacking group was only able to breach the devices due to the failure of Unitronics and the water facilities to change the default password. The letter said that basic cybersecurity precautions like changing the default password “can mean the difference between business as usual and a disruptive cyberattack.”
The EPA had attempted to impose more stringent cybersecurity rules for water utilities, but backed off that effort last year amid legal challenges to the effort.
The EPA initiative relied on a creative approach to use the agency’s sanitation authorities to impose some measure of cybersecurity mandates on a water industry that currently lacks binding rules for how to protect its digital systems.
The move was part of a larger attempt to add more stringent cybersecurity regulations to critical infrastructure sectors, many of which are unregulated when it comes to cybersecurity. In the absence of the EPA rules, the water sector continues to have no binding cybersecurity rules.
Major portions of the water sector are notoriously underfunded to secure themselves against state-backed threats, and experts have called for the need for additional funds in order to improve defenses.
Monday’s letter points to existing resources for the sector through both the EPA and the Cybersecurity and Infrastructure Security Agency, and notes that the upcoming meeting will highlight efforts by the government to promote secure practices as well as discuss the need for additional action.
