US task force aims to plug security leaks in water sector

The US government is urging state officials to band together to improve the cybersecurity of the country’s water sector amid growing threats from foreign adversaries.

The Environmental Protection Agency (EPA) announced it is seeking to establish a Water Sector Cybersecurity Task Force to beef up current work to implement “immediate” solutions to prevent one of the US’s most critical services from disruption.

Prevalent vulnerabilities common throughout the sector will be considered by the task force, as will methods to adopt industry-wide best practices. It also plans to build upon existing initiatives, such as the 2023 Roadmap to a Secure and Resilient Water and Wastewater Sector.

Recommendations that come out of a meeting on March 21 between state environmental, health, and homeland security secretaries will also be fed back and considered by the to-be-established task force. The relevant state secretaries were invited via a letter sent to them by Michael Regan, EPA administrator, and Jake Sullivan, national security advisor, which outlines the cyber threat to the industry.

Recent attacks on the Municipal Water Authority of Aliquippa, as well as a collection of unnamed utilities, have prompted a period of heightened awareness from security authorities in recent months.

An Iran-backed group was singled out as the culprit for the Aliquippa incident, while China’s Volt Typhoon crew was linked to a string of critical infrastructure intrusions across various sectors, including water and wastewater systems.

With Iran’s recent history of masterminding a disruptive attack against the Pennsylvania facility, and Volt Typhoon observed pre-positioning itself within critical networks – with the suspected aim of launching damaging attacks during geopolitical or military conflicts – both countries are thought to present an acute risk of conducting “disabling cyberattacks” against the US water sector.

“Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks,” said Regan.

“EPA and [the National Security Council] take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems.”

According to the letter [PDF], in many cases even the cybersecurity basics aren’t being implemented across the sector. Leaving passwords set to manufacturer defaults and failing to update software to secure versions are two security fundamentals that were mentioned as not being adopted as widely as they should be.

“The Biden Administration has built our national security approach on the foundational integration of foreign and domestic policy, which means elevating our focus on cross-cutting challenges like cybersecurity,” said Sullivan.

“We’ve worked across government to implement significant cybersecurity standards in our nation’s critical infrastructure, including in the water sector, as we remain vigilant to the risks and costs of cyber threats. We look forward to continuing our partnership with the EPA to bolster the cybersecurity of America’s water and wastewater systems.”

EPA gets its wish

This isn’t the first time EPA has tried to strong-arm state officials into stepping up their respective water facilities’ cybersecurity practices.

In March 2023, it introduced a fresh rule requiring states to perform evaluations of their water sector’s operational technology systems, only to be met by a barrage of lawsuits months later.

Come October, EPA was forced to abandon its rule after the state attorneys general of Arkansas, Iowa, and Missouri sued the agency, claiming it was infringing on state sovereignty.

But, as is so often the case, all that was seemingly needed was a big cyberattack to actually happen before something concrete was done about it. Just one month later, the attack in Aliquippa happened, and then the news about Volt Typhoon followed.

Remember, this all comes after the attempted Florida poisoning, so it’s not like there wasn’t precedent here.

How this all plays out this time is unclear, but with backing from the Biden-Harris administration, it could lead to the concerted action that is quite apparently needed. ®