The Biden administration is warning states to be on guard for cyberattacks against water systems, citing ongoing threats from hackers linked to the governments of Iran and China.
“Disabling cyberattacks are striking water and wastewater systems throughout the United States,” Environmental Protection Agency Administrator Michael Regan and National Security Advisor Jake Sullivan wrote in a letter to governors made public Tuesday.
“These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”
Hackers affiliated with the Iranian Government Islamic Revolutionary Guard Corps have attacked drinking water systems, while a People’s Republic of China state-sponsored group, Volt Typhoon, has compromised information technology of drinking water and other critical infrastructure systems, the letter warned.
“Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts,” said the letter.
The water system is an especially vulnerable part of US infrastructure, fraught with weak controls, insufficient funding and staffing shortages. The EPA is the lead federal agency for ensuring the nation’s water sector is resilient to all threats and hazards.
Read More: Iranian-Linked Hacks Expose Failure to Safeguard US Water System
In late November, an Iranian-backed hacking group attacked Israeli-made digital controls commonly used in the water and wastewater industries in the US, affecting multiple organizations across several states, Bloomberg News previously reported.
While the incidents didn’t interfere with water quality or supplies, they highlighted contentious talks between the US government and municipal water associations over how best to protect the water supply.
“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” said the letter, which invited state officials to a meeting Thursday to discuss the threat.