On March 18, 2024, Michael S. Regan, Environmental Protection Agency (“EPA”) Administrator, and National Security Advisor Jake Sullivan issued a letter urging state governors to take immediate action to address the increasing threat of cyberattacks targeting critical water and wastewater systems in the United States.

This bulletin represents an urgent call to action as “[t]hese attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.” Sullivan identified the threats to drinking water and wastewater systems as being particularly acute because these utilities serve as a “lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” such as those often seen in the private sector.

The letter specifically highlighted two recent and ongoing threats as illustration of the risks that cyberattacks pose to the nation’s water and wastewater systems:

1. Hackers affiliated with the Iranian Government Islamic Revolutionary Guard Corps exploited a common type of operational technology used at U.S. water facilities for general facility operations, including the provision of clean, potable water to their communities, and the effective management of their communities’ wastewater. The root cause of the attacks was identified as a simple failure to change the password at the targeted water facility from the default password originally set by the manufacturer.

2. In the second example, a People’s Republic of China state-sponsored cyber group, known as Volt Typhoon, compromised the information technology of multiple critical infrastructure systems at a water facility, including its drinking water system. Based on the facilities that the cyber group targeted, it appears that the cyber group is strategically positioning itself to disrupt essential infrastructure operations in the United States, should there be geopolitical tensions or military conflicts.

Regan and Sullivan encouraged state governors to implement enhanced cybersecurity measures and protocols to safeguard essential infrastructure from potential cyber threats and attacks. Regan and Sullivan emphasized the importance of coordination and collaboration among federal, state, and local agencies, as well as public and private sector stakeholders, to strengthen cybersecurity defenses and respond effectively to cyber incidents.

To combat these threats, the EPA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) will offer guidance, tools, training, resources, and technical assistance to help water and wastewater systems reduce the risks and improve protections against malicious cyber activity. Additionally, the secretaries from each state’s Environmental, Health, and Homeland Security departments will be invited to discuss improvements needed to safeguard critical water systems infrastructure against cyber threats with top Biden Administration officials.

The EPA will engage the Water Sector and Water Government Coordinating Councils to form a Water Sector Cybersecurity Task Force (“Task Force”), which will build on recommendations from the secretaries of each state’s Environmental, Health and Homeland Security departments. The Task Force will identify the water systems most vulnerable to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and discuss necessary near-term actions and long-term strategies to reduce the risks of cyberattacks on water systems nationwide.

This warning from top administration officials emphasizes the need for increased awareness and preparedness efforts to mitigate cyber risks and ensure the continued delivery of safe and reliable water services to communities nationwide. Governors are encouraged to provide support to water utilities to help guarantee that all water systems in the United States comprehensively assess their current cybersecurity practices to “identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident.”