Cyberattacks targeting water utilities and their infrastructure are growing more in frequency and intensity, the Biden administration warned Monday.
The Environmental Protection Agency (EPA) issued the warning, asserting that private and state-backed actors from countries including China, Iran and Russia are ramping up their efforts to interfere with water utilities’ operations. Approximately 70% of the relevant facilities examined by federal officials over the last 12 months were found to be in violation of rules and safeguards intended to prevent unauthorized access by outside individuals or groups.
“In many cases, systems are not doing what they are supposed to be doing, which is to have completed a risk assessment of their vulnerabilities that includes cybersecurity and to make sure that plan is available and informing the way they do business,” EPA Deputy Administrator Janet McCabe said of the matter.
Some water utility facilities and infrastructure are falling short of even the most basic cybersecurity standards, the EPA said in its warning notice. Some of these shortcomings include neglecting to alter default passwords or terminating former employees’ access to relevant computer systems.
The agency said the threat to America’s water system has grown to such an extent that “additional action is critical.”
“We want to make sure that we get the word out to people that ‘Hey, we are finding a lot of problems here,’” McCabe said.
Water utility systems are often reliant on computer systems to run, meaning that a serious breach could seriously disrupt operators’ ability to provide drinking water or wastewater to customers, according to The Associated Press. It is widely believed that several of the world’s leading powers have spent years gaining access to utility providers and other key infrastructure, planting malware and waiting for an international crisis or a hot war to trigger it and debilitate geopolitical foes.
One China-tied cybercriminal outfit, known as Volt Typhoon, has already breached essential computer systems in American infrastructure, including in its water system, according to the AP.
The American water system has some large utility providers, as well as many smaller operators serving smaller communities nationwide, according to the AP. The smaller companies tend to have fewer resources, making them less able to immediately devote considerable time and attention to hardening themselves against potential threats.
However, the EPA has offered to help utilities bolster their defenses for free, and advised that simple steps — such as not using default passwords — can enhance security, according to the AP.
EPA Administrator Michael Regan and national security adviser Jake Sullivan authored a March letter to all 50 governors urging them to organize their respective administrations in an effort to augment cybersecurity for water utilities and related infrastructure.
Neither the EPA nor the Cybersecurity and Infrastructure Security Agency (CISA) responded immediately to requests for comment.