Dive Brief:
- The White House and the Environmental Protection Agency on Tuesday urged U.S. governors to collaborate on efforts to boost the resiliency of water infrastructure following a rise in threats of malicious attacks from hackers affiliated with the People’s Republic of China and the Iran-backed Islamic Revolutionary Guard Corps.
- A letter dated Monday from EPA Administrator Michael Regan and National Security Advisor Jake Sullivan specifically warns about the recent IRGC-linked hacks of U.S. water systems and the ongoing threat to critical infrastructure by the China-linked actor known as Volt Typhoon.
- The Biden administration urged governors to send their top health, environmental and homeland security officials to a virtual meeting scheduled for Thursday. The EPA is also organizing a task force to address the ongoing threat to the water sector.
Dive Insight:
The letter underscores an increasing sense of urgency from the Biden administration about the potential risks to drinking and wastewater systems in the U.S.
In late 2023, threat actors linked to the IRGC hacked into various U.S. water systems by targeting Israel-made Unitronics Vision Series programmable logic controllers. Officials warned operators to stop using default passwords, among other steps to improve their cyber resilience.
Top U.S. cyber and national security officials warned a House panel in January about an ongoing threat by Volt Typhoon to embed themselves in various critical infrastructure sectors, in preparation for a possible diversionary attack in case of military action in the Asia-Pacific region.
The Treasury Department’s Office of Foreign Assets Control in February announced sanctions against six members of the IRGC’s Cyber Electronics Command in connection with the threat activity.
Anne Neuberger, deputy national security advisor for cyber and emerging technology at the White House, said during a discussion at The Intersect, a technology industry policy summit held in February, that the Iran-linked threat actors impacted water facilities across 16 states.
The U.S. has about 150,000 public water systems and 16,000 publicly owned wastewater systems.
Moody’s in January issued a report warning about the continued risks to the water and wastewater sectors, citing an attack against Southern Water, a U.K.-based company, and a separate ransomware attack against Veolia North America.
Veolia provides water and wastewater treatment to more than 20 million people across the U.S., both as a regulated utility in six states and a contract operator for more than 200 government agencies, according to the company.
It is not immediately clear whether some specific intelligence has developed in recent weeks to spur such an urgent call from top administration officials.
“We're certainly seeing more alarm bells being rung within the U.S. government when it comes to water systems, but we're not at a point where we can confirm any new intelligence that hasn't already been made public,” Chris Grove, director, cybersecurity strategy at Nozomi Networks, said via email.