Water, water everywhere, and not a drop to drink — at least not safely. Perhaps the alternative is our fresh, drinkable water is suddenly cut off from communities around the country.
Warnings about the danger of a cyber attack on our critical infrastructure have been sounded for years, yet most have focused on the electrical grid. Yet just as susceptible as the water sector infrastructure.
Last week, Environmental Protection Agency Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to all U.S. Governors inviting state environmental, health, and homeland security secretaries to a convening by their deputies to discuss the urgent need to safeguard water sector critical infrastructure against cyber threats.
The discussion called for current federal and state efforts to promote cybersecurity practices in the water sector, discuss priority gaps in these efforts, and further emphasize the need for states and water systems to take immediate action.
“Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks,” said EPA Administrator Michael S. Regan. “EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems.”
The National Security Council and EPA have also encouraged all states to join the dialogue to drive rapid improvements to water cybersecurity and reinforce collaboration between state and federal entities and water systems.
“We’ve worked across government to implement significant cybersecurity standards in our nation’s critical infrastructure, including in the water sector, as we remain vigilant to the risks and costs of cyber threats. We look forward to continuing our partnership with the EPA to bolster the cybersecurity of America’s water and wastewater systems,” added National Security Advisory Jake Sullivan.
A Serious Threat Vector
Today’s U.S. water sector spans more than 150,000 public water systems, and it has often struggled to find the appropriate funding and personnel to deal with hacking threats.
“The impact of a cyber attack on critical infrastructure, such as water systems, could be devastating and even life-impacting,” warned Dave Ratner, CEO of cybersecurity provider HYAS.
Just last November, hackers successfully breached industrial equipment at multiple U.S. water facilities to display an anti-Israel message on the equipment. The Biden administration blamed the Iranian government for the hacks.
There have also been warnings that Chinese state-backed hackers have also infiltrated the U.S. water sector, and could target critical infrastructure. Beijing has denied the claim. Neither the alleged Iranian nor Chinese hacks had any impact on drinking water, but each was seen as a potentially crippling threat.
Something needs to be done
To address the danger, the EPA has announced it will collaborate with the Water Sector and Water Government Coordinating Councils in forming a Water Sector Cybersecurity Task Force to identify near-term actions and strategies to reduce the risk of water systems nationwide to cyberattacks.
“The recent warnings from the White House and the EPA highlight a critical and growing threat to our nation’s infrastructure: cyberattacks targeting water and wastewater systems,” said Emily Phelps, director at cybersecurity threat intelligence firm Cyware.
“This underscores the urgent need for investment in modern security capabilities to safeguard these essential services,” Phelps told ClearanceJobs. “The lack of fundamental cybersecurity precautions in many facilities poses a significant risk, potentially turning a minor breach into a major disruption. Ensuring the resilience of our water infrastructure against cyber threats is not just a matter of national security, but also of public health and safety, requiring collaborative efforts at all levels of government and between the public and private sectors.”
More security is needed in every sector
This is also a reminder that our water is another sector that needs to be carefully guarded.
“It’s critical that everyone who provides critical infrastructure and services, not just water and wastewater systems, augment their security stack with resiliency-based approaches, such as Protective DNS,” Ratner told ClearanceJobs.
He added this can allow detection “in real-time any and all anomalous activity, render it inert before it causes damage, and ensure the safety of their services and the people who rely on them.”
