Chinese, Iranian Cyberattacks Target U.S. Water Systems

As the Sector Risk Management Agency identified in Presidential Policy Directive 21 for water and wastewater systems, the U.S. Environmental Protection Agency (EPA) is the lead Federal agency for ensuring the nation’s water sector is resilient to all threats and hazards. Partnerships with State, local, tribal, and territorial governments are critical for EPA to fulfill this mission. In that spirit of partnership, we ask for your assistance in addressing the pervasive and challenging risk of cyberattacks on drinking water systems.

We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident. In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyberattack. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) website has a list of actions water and wastewater systems can take to reduce risk and improve protections against malicious cyber activity.

Additionally, both EPA and CISA offer guidance, tools, training, resources, and technical assistance to help water systems to execute these essential tasks. Further, cybersecurity support and technical assistance are available from private sector associations like the American Water Works Association, the National Rural Water Association, and the Water Information Sharing and Analysis Center. State leadership and messaging to connect water systems with these tools and resources is essential to ensure that utility leaders assess and mitigate critical cyber risks. Your state Homeland security advisors are a resource, as they have links into Federal cybersecurity efforts and access to relevant information about these threats.

We will invite your Environmental, Health and Homeland Security Secretaries to participate with us in a convening to discuss the improvements needed to safeguard water sector critical infrastructure against cyber threats. This meeting will highlight current Federal and state efforts to promote cybersecurity practices in the water sector, discuss priority gaps in these efforts, and emphasize the need to take immediate action. We will provide details about this convening to your teams shortly.

Additionally, EPA will engage the Water Sector and Water Government Coordinating Councils to form a Water Sector Cybersecurity Task Force, which will build on recommendations from your Environmental, Health and Homeland Security Secretaries. The Task Force will identify the most significant vulnerabilities of water systems to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyberattacks.

The White House and EPA are hopeful that the efforts outlined in this letter, and others we may undertake together, will protect the water systems from cyberattacks and prevent the need to use other Federal authorities.

In recognition of the significant risk that cyberattacks pose for mission critical water utility operations, we appreciate your attention to this important issue and thank you for your partnership. If you or your staff would like to engage with the EPA or the National Security Council staff on any aspect of this request, please contact Deputy Director of the EPA Janet McCabe and Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger at the National Security Council at mccabe.janet@epa.gov and anne.neuberger@nsc.eop.gov.