Fears over recent cyberattacks targeting water plants have prompted the U.S. Environmental Protection Agency (EPA) to form a task force to address security risks faced by water infrastructure providers.
Attacks against unprotected U.S. water and wastewater facilities could jeopardize a “critical lifeline” and impose significant costs on affected communities, White House National Security Advisory Jake Sullivan and EPA administrator Michael Regan said in a March 18 letter (PDF) to state governors.
The letter cited two recent high-profile actions by nation-state-aligned threat groups as examples of “the risk that cyberattacks pose to the nation’s water systems."
The first was a series of attacks by an advanced persistent threat (APT) group linked to the Iran's Islamic Revolutionary Guard Corps (IRGC). The gang, known as Cyber Av3ngers, targeted internet-facing programmable logic controllers (PLCs), including one owned by Pennsylvania’s Municipal Water Authority of Aliquippa.
In Aliquippa, the breach of the PLC used to regulate water pressure forced the temporary shutdown of a remote pump station supplying two towns. Treasury’s Office of Foreign Assets Control sanctioned IRGC officials responsible for the attacks last month.
The second series of attacks highlighted in the letter was carried out by Chinese state-sponsored APT Volt Typhoon, a gang whose sophisticated, stealthy intrusions into critical U.S. infrastructure has been a major concern for authorities since it was first discovered last year.
“Volt Typhoon’s choice of targets and pattern of behavior are not consistent with traditional cyber espionage,” Regan and Sullivan said.
“Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.”
Task force to pinpoint water sector’s biggest cyber challenges
The EPA said it was convening a March 21 meeting of state environmental, health and homeland security secretaries to discuss “the urgent need to safeguard water sector critical infrastructure against cyber threats.”
The agency also planned to work with the industry to form a “Water Sector Cybersecurity Task Force” with the aim of identifying strategies to reduce the risk of cyberattacks against water systems.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” Regan and Sullivan said in their letter.
“The Task Force will identify the most significant vulnerabilities of water systems to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyberattacks.”
The EPA has been endeavoring to tighten cybersecurity protection requirements for water authorities for some time, but has encountered strong resistance from the industry and some politicians who argue the proposed measures would be too costly and that self-regulation is a better path.
Last October, the EPA withdrew guidance it had earlier issued requiring cybersecurity audits for water utilities across the country following a lawsuit filed by Arkansas, Iowa, and Missouri, and supported by trade groups.
