Following the discovery of a Chinese-based hacking group compromising U.S. critical infrastructure, the White House – in collaboration with the Environmental Protection Agency (EPA) – announced plans this week to form a Water Sector Cybersecurity Task Force.
In a March 18 letter to state governors, the White House and the EPA said the new task force will engage state water sectors and water government coordinating councils in an effort to reduce risks of cyberattacks to nationwide water systems.
“Disabling cyberattacks are striking water and wastewater systems throughout the United States,” National Security Advisor Jake Sullivan and EPA Administrator Michael Regan wrote in the letter. “These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”
The officials laid out two ongoing cyber threats that pose a risk to the nation’s water systems.
Most recently, Federal agencies – including the Cybersecurity and Infrastructure Security Agency (CISA) – called on critical infrastructure providers to urgently implement a series of cybersecurity actions after discovering that Chinese-based hacking group Volt Typhoon has compromised the IT environments of multiple U.S. critical infrastructure organizations – with the end goal of a future cyberattack.
And late last year, officials warned of continued Iranian-backed cybersecurity attacks aimed towards American water and wastewater systems.
“Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks,” EPA’s Regan said in a statement.
The White House and the EPA are calling on state, local, tribal, and territorial governments to ensure that all water systems comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident.
“In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyberattack,” the letter warns.
The officials note that CISA has resources for actions that water and wastewater systems can take to reduce risk and improve protections against malicious cyber activity, including guidance, tools, training, and technical assistance.
The White House and the EPA also invited state environmental, health, and homeland security secretaries to participate in a meeting Thursday “to discuss the improvements needed to safeguard water sector critical infrastructure against cyber threats.”
The Water Sector Cybersecurity Task Force is intended to build on the recommendations from this week’s meeting, identifying “the most significant vulnerabilities of water systems to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyberattacks.”
