Share this article on:
The US has warned that the critical infrastructure powering the nation’s water sector is being targeted by threat actors.
A joint letter written by US Environmental Protection Agency administrator Michael Regan and National Security Advisor Jake Sullivan presented to all US governors has warned the government of the danger that crippling cyber attacks on critical infrastructure can have, adding that they are already happening.
“Disabling cyber attacks are striking water and wastewater systems throughout the United States,” the letter read.
“These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”
Attacking water infrastructure is a powerful move for cyber criminals, particularly government or state-sponsored groups, as the sector is vital to the nation’s operations and is the lifeblood of the nation’s people, but the sector is also lacking in cyber security measures due to minimal technical capacity and resources.
The letter names two specific threat groups that have or are targeting the nation’s water infrastructure – Chinese state-sponsored cyber actor Volt Typhoon and the Iranian Islamic Revolutionary Guard Corps (IRGC).
Volt Typhoon has launched a number of attacks on US critical infrastructure in the past, including on drinking water systems. However, the main concern with Volt Typhoon is that its actions aren’t reflective of “traditional cyber espionage” but have government agencies concerned that they are positioning themselves to strike in the event of military conflict or the boil over of geopolitical tensions.
According to Five Eyes reports, the group may have had access to US critical infrastructure providers’ IT networks for at least five years, adding fuel to the belief that it is waiting to strike at an opportune time.
The IRGC, on the other hand, is not waiting for prime opportunity and has attacked US critical infrastructure a number of times, including drinking water.
“In these attacks, IRGC-affiliated cyber actors targeted and disabled a common type of operational technology used at water facilities where the facility had neglected to change a default manufacturer password,” the letter added.
With the joint letter, Sullivan and Regan are calling on the nation’s governors for help, asking them to rally their state environmental, health and homeland security secretaries and have them join a discussion on the need to protect the critical infrastructure powering the water sector.
The meeting will be held on Thursday, 21 March 2024 from 1:00pm to 2:30pm.
“Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cyber security practices to thwart potential cyber attacks,” Regan said.
“EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyber attacks on water systems.”
The EPA is the lead federal agency for protecting the nation’s water sector from threats, cyber or otherwise, as identified by the Sector Risk Management Agency in Presidential Policy Directive 21 for water and wastewater systems.
Additionally, both the EPA and the Cybersecurity and Infrastructure Security Agency (CISA) will be providing critical infrastructure operators in the water sector with advice, training and other resources to assist them in securing the sector.
“The Biden administration has built our national security approach on the foundational integration of foreign and domestic policy, which means elevating our focus on cross-cutting challenges like cyber security,” Sullivan said.
“We’ve worked across government to implement significant cybersecurity standards in our nation’s critical infrastructure, including in the water sector, as we remain vigilant to the risks and costs of cyber threats.
“We look forward to continuing our partnership with the EPA to bolster the cybersecurity of America’s water and wastewater systems.”