The Biden administration is warning about an imminent threat of cyberattacks aimed at the nation's drinking water systems.
In a letter to state governors, National Security Advisor Jake Sullivan and Environmental Protection Agency Administrator Michael Regan warned that "disabling cyberattacks are striking water and wastewater systems throughout the United States."
"Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices," the letter reads. "These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities."
The team specifically pointed out Iranian and Chinese hackers as working to infiltrate vital infrastructure across the country.
In one example, the letter says hackers affiliated with Iran's Revolutionary Guards had "disabled a common type of operational technology used at water facilities where the facility had neglected to change a default manufacturer password."
In the attack, which happened in November 2023, an Iranian-backed cyber group known as CyberAv3ngers was able to gain control of a remote booster station, which monitors and regulates pressure, at the Municipal Water Authority of Aliquippa in western Pennsylvania. Crews alerted by an alarm quickly switched to manual operation and customers were not affected.
The letter also warned of a China state-sponsored cyber group known as Volt Typhoon which has "compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories."
The letter asks that each state to comprehensively assess current cybersecurity practices at all water systems to identify any significant vulnerabilities, deploy controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to and recover from a cyber incident.
"In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyberattack," the letter reads.
The EPA said it is also working with the Water Sector and Water Government Coordinating Councils to form a Water Sector Cybersecurity Task Force to identify near-term actions and strategies to reduce the risk of water systems nationwide to cyberattacks.