WASHINGTON—The U.S. government is warning state governors that foreign hackers are carrying out disruptive cyberattacks against water and sewage systems throughout the country.
In a letter released Tuesday, National Security Advisor Jake Sullivan and Environmental Protection Agency Administrator Michael Regan warned that “disabling cyberattacks are striking water and wastewater systems throughout the United States.”
The letter singled out alleged Iranian and Chinese cyber saboteurs. Sullivan and Regan cited a recent case in which hackers accused of acting in concert with Iran’s Revolutionary Guards had disabled a controller at a water facility in Pennsylvania. They also called out a Chinese hacking group dubbed “Volt Typhoon” which they said had “compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories.”
“These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” the letter said.
China’s Embassy in Washington and Iran’s mission to the United Nations did not immediately return a message seeking comment. Both regimes have in the past denied carrying out cyberattacks
The digital safety of water and sewage plants has long been a concern for cybersecurity professionals because the facilities provide a critical service and can often be lightly defended. Last year’s intrusion at a booster facility—which monitors and regulates water pressure—in Aliquippa, Pennsylvania drew particular attention in part because the stricken controller was replaced with a message saying: “YOU HAVE BEEN HACKED.”
No damage to the water system was reported, but, in a statement released at the time, an industry group called the Water Information Sharing and Analysis Center said “this may not be an isolated incident.”
Tuesday’s letter called on governors to “ensure that all water systems in your state comprehensively assess their current cybersecurity practices” and prepare for potential cyber incidents.
By Raphael Satter
