EPA looking to create water sector cyber task force to reduce risks from Iran, China

The U.S. Environmental Protection Agency (EPA) said it plans to create a new task force designed to help the water sector deal with the growing number of cyberattacks from nation-states like Iran and China.

The EPA is holding a meeting on Thursday with state environmental, health and homeland security secretaries to discuss the “urgent need to safeguard water sector critical infrastructure against cyber threats.”

As part of the initiative the EPA said it plans to create a “Water Sector Cybersecurity Task Force” that identifies “near-term actions and strategies to reduce the risk of water systems nationwide to cyberattacks.”

The EPA said the task force will focus on the prevalent vulnerabilities of water systems to cyberattacks and the challenges experienced by some systems in adopting best practices — building on existing industry collaborations.

“The Biden Administration has built our national security approach on the foundational integration of foreign and domestic policy, which means elevating our focus on cross-cutting challenges like cybersecurity,” said national security adviser Jake Sullivan. 

“We’ve worked across government to implement significant cybersecurity standards in our nation’s critical infrastructure, including in the water sector, as we remain vigilant to the risks and costs of cyber threats. We look forward to continuing our partnership with the EPA to bolster the cybersecurity of America’s water and wastewater systems.”

In a letter to governors on Monday, Sullivan and EPA Administrator Michael Regan warned that two recent and ongoing threats targeting the U.S. water sector are causing alarm among officials. 

This fall, the Iranian government’s Islamic Revolutionary Guard Corps (IRGC) attacked dozens of water facilities that used Israeli-made software — and while the provision of water was never affected, the lack of cybersecurity protections caused concern about what the hackers could have done. 

The letter also cites worries about Volt Typhoon — a Chinese government hacking group that U.S. agencies believe is “pre-positioning themselves on U.S. critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies.”

“The Task Force will identify the most significant vulnerabilities of water systems to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyberattacks,” Sullivan and Regan said.

The two asked states to “ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident.”

“In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyberattack,” they added. 

The letter comes at a sensitive time for the EPA and the water sector. Efforts by the agency to regulate water industry cybersecurity protections faced lawsuits by Republican state officials last year and companies involved in the sector have fought against regulations that would issue cybersecurity mandates. 

Water industry officials and Republican lawmakers are now floating a plan that would see the industry effectively regulate itself with “guidance” from the EPA.

The Cybersecurity and Infrastructure Security Agency (CISA) says there are more than 150,000 public water systems across the U.S. that now face a variety of threats from nation-states, ransomware gangs and hackers looking to steal customer information. 

“Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks,” Regan said in a statement. 

“EPA and [the National Security Council] take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems.”