White House and EPA warn against cyberattacks on water systems

5 Apr 2024 by The Water Diplomat

The National Security Advisor and the U.S. Environmental Protection Agency sent a letter to all U.S. Governors urging them to secure critical water infrastructure against cyberattacks. The letter from the White House, dated 18th of March, stated that disabling cyberattacks are striking water and wastewater systems throughout the United States. The letter recommends implementing basic cyber hygiene practices to help utilities prevent, detect, respond to, and recover from cyber incidents.

The letter cited two examples of attacks: one was reportedly affiliated with the Iranian Islamic Revolutionary Guard Corps and the other was affiliated with a Chinese government-sponsored cyber group. In the first case, operational technology used at water facilities had been disabled, while the second targeted and compromised the information technology of a broad range of infrastructure systems, which included water.

The U.S. government is seeking closer partnership with water utilities in the various states in order to ensure that the water systems comprehensively address cybersecurity practices to identify and respond to vulnerabilities. Both the EPA and the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security are offering a broad range of resources to water institutions.

The recent initiatives are the latest in a series of efforts by the U.S. administration to protect infrastructure against cyberattacks, a series that goes back to November 2021, when a joint cybersecurity advisory from four federal agencies drew attention to the vulnerability of US Water and Wastewater Systems (WWS) Sector facilities to “ongoing malicious cyber activity”. These included ransomware attacks on WWS facilities in Nevada, Maine, and California as well as attempts to compromise system integrity in the San Francisco Bay Area, Oldsmar, Florida and the Belle Vernon Municipal Authority in Pennsylvania.

As a result, in February 2022, the Biden administration extended the scope of cybersecurity measures to the water sector through a public-private partnership known as the Industrial Control Systems Cybersecurity Initiative (ICSCI). The policy had initially been developed for the natural gas and electricity sectors but was extended to the water sector in early 2022.