White House Issues Dire Warning Regarding Drinking Water Supply and Wastewater System Cyberattacks

The Biden-Harris Administration is redoubling its efforts to improve cybersecurity for the nation’s water systems. In March, the EPA and the White House issued a dire warning to state governors alerting them of the need to protect water and wastewater systems from ongoing cybersecurity threats, and requested that the states provide plans to decrease the risk of attacks on water and wastewater systems in their state.

Recent and Ongoing Cyber Security Threats to Drinking Water and Wastewater Systems

In a March 18, 2024 letter addressed to all state governors, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan specifically referenced two ongoing threats to the nation’s drinking water systems:

  • Attacks affiliated with the Iranian Government Islamic Revolutionary Guard Corps (“IRGC”). Actors affiliated with IGRC attacked a drinking water system in Pennsylvania in October 2023 by targeting a programmable logic controller used in operation of the water system.
  • People’s Republic of China state-sponsored cyber group, Volt Typhoon, attacks on compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories.

The letter’s warning was particularly serious with respect to impending attacks by Volt Typhoon, explicitly cautioning that “[f]ederal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.”

Guidance for Water and Wastewater Systems

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) website has a list of actions water and wastewater systems can take to reduce risk and improve protections against cyberattacks. EPA offers guidance, tools, training, resources, and technical assistance to help water systems to take the recommended actions to protect their systems.

Additionally, given the EPA and White House’s warnings that cyberattacks are likely to be queued for intense geopolitical moments, water systems should be especially wary of attacks during politically tense moments in the nation, such as national elections.

Action Needed by State Governments for Investment in Water Infrastructure

In addition to providing guidance to water systems as to what actions they can individually take to protect against cyberattacks, the EPA and the White House also called on state governments to take part in developing solutions at the state-level, including increasing funding for water system infrastructure.

The letter noted that “[d]rinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.”

While the letter focused on the national need for investment in water infrastructure, California’s water systems are in particularly dire need for upgrades. The EPA has previously estimated that California needs about $51 billion in improvements to its water infrastructure.

Next Steps

Following the March 18, 2024 letter sent by the EPA and the White House, the Biden-Harris Administration hosted a virtual meeting with state and local officials to discuss the urgency of the necessity for states’ to improve their water systems’ cybersecurity.

The Biden-Harris Administration advised states to provide a cybersecurity plan by May 20, 2024. These plans are required to include details regarding: “how states are working with both drinking water and wastewater systems to determine where they are vulnerable to cyberattacks and what actions they are taking to build in cybersecurity protections.”