Recent alerts highlight escalating concern over state-sponsored cyberattacks on water facilities
The cybersecurity of U.S. water infrastructure is under increased scrutiny due to a series of recent hacking incidents and persistent threats, particularly from Iranian-affiliated cyber actors.
Recent Hacking Incidents and Threat Landscape
In late 2023, a hacking group linked to Iran's Islamic Revolutionary Guard Corps, known as CyberAv3ngers, compromised U.S. water utilities by exploiting weaknesses in internet-exposed programmable logic controllers (PLCs), causing symbolic but limited operational disruption. Other incidents include Russian-affiliated hacking groups targeting water and wastewater treatment plants in Indiana and Texas, and a cyberattack on New Jersey-based American Water Works Company that forced it to take administrative systems offline.
The U.S. Environmental Protection Agency (EPA) and Department of Homeland Security (DHS) have issued alerts warning of ongoing low-level cyberattacks by Iranian-affiliated hackers against U.S. water and wastewater systems. These actors have demonstrated the capability to force systems back to manual operations, which disrupts normal functionality and increases operational risk.
Nature of Cyber Threats
Common tactics include brute-force login attempts, MFA bombing (push-fatigue attacks that flood a user with multi-factor authentication prompts until one is approved), credential harvesting, exploitation of outdated software, abuse of insecure remote access, and sabotage of industrial control systems. These threats are considered persistent because cyber operations continue regardless of international ceasefires or treaties, and they require no physical presence to carry out.
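Two of the tactics above, brute-force logins and MFA push fatigue, leave a recognisable pattern in authentication logs. The following is an added example (not code from the article or from any agency or utility named in it) that runs two simple detections over constructed sample log lines in a hypothetical remote-access gateway format; the field names, thresholds and windows are assumptions chosen for illustration, not a real product's schema or a recommended tuning.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "key=value" gateway format.
# 203.0.113.7 hammers the login form; 203.0.113.9 spams MFA pushes at jsmith
# until one is approved; 198.51.100.4 is normal user activity.
SAMPLE_LOG = """\
2024-03-18T02:14:01Z auth src=203.0.113.7 user=admin result=FAIL
2024-03-18T02:14:03Z auth src=203.0.113.7 user=admin result=FAIL
2024-03-18T02:14:05Z auth src=203.0.113.7 user=operator result=FAIL
2024-03-18T02:14:06Z auth src=203.0.113.7 user=root result=FAIL
2024-03-18T02:14:08Z auth src=203.0.113.7 user=admin result=FAIL
2024-03-18T02:14:10Z auth src=203.0.113.7 user=admin result=FAIL
2024-03-18T02:15:00Z auth src=198.51.100.4 user=jsmith result=OK
2024-03-18T03:00:00Z mfa src=203.0.113.9 user=jsmith result=PUSH_SENT
2024-03-18T03:00:20Z mfa src=203.0.113.9 user=jsmith result=PUSH_DENIED
2024-03-18T03:00:40Z mfa src=203.0.113.9 user=jsmith result=PUSH_SENT
2024-03-18T03:01:00Z mfa src=203.0.113.9 user=jsmith result=PUSH_DENIED
2024-03-18T03:01:20Z mfa src=203.0.113.9 user=jsmith result=PUSH_SENT
2024-03-18T03:01:40Z mfa src=203.0.113.9 user=jsmith result=PUSH_DENIED
2024-03-18T03:02:00Z mfa src=203.0.113.9 user=jsmith result=PUSH_SENT
2024-03-18T03:02:30Z mfa src=203.0.113.9 user=jsmith result=PUSH_APPROVED
2024-03-18T09:00:00Z mfa src=198.51.100.4 user=jsmith result=PUSH_SENT
2024-03-18T09:00:05Z mfa src=198.51.100.4 user=jsmith result=PUSH_APPROVED
"""

# Assumed line layout: "<iso-timestamp> <auth|mfa> src=<ip> user=<name> result=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>auth|mfa) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def sliding_window_hits(times, window, threshold):
    """True if any span of length `window` contains at least `threshold` timestamps."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Source IPs with `threshold` or more failed logins inside `window`, any usernames."""
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    return sorted(src for src, ts in fails.items() if sliding_window_hits(ts, window, threshold))


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Approved MFA pushes preceded, within `window`, by `threshold`+ pushes and a denial.

    A single approval after one prompt is normal; an approval that follows a burst
    of prompts the user already denied is the push-fatigue signature.
    Returns (user, source of the approved push, approval timestamp) tuples.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "mfa":
            by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for ap in (e for e in evs if e["result"] == "PUSH_APPROVED"):
            lo = ap["ts"] - window
            recent = [e for e in evs if lo <= e["ts"] <= ap["ts"]]
            sent = sum(1 for e in recent if e["result"] == "PUSH_SENT")
            denied = any(e["result"] == "PUSH_DENIED" for e in recent)
            if sent >= threshold and denied:
                flagged.append((user, ap["src"], ap["ts"].isoformat()))
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("brute-force sources:", detect_brute_force(evs))
    print("push-fatigue approvals:", detect_push_fatigue(evs))
```

The brute-force rule keys on the source address rather than the username because the sample attacker rotates accounts; the push-fatigue rule keys on the user and only fires when an approval follows denials, which keeps a single forgotten-then-retried prompt from alerting. On a real system the thresholds need tuning against baseline traffic, and the approved push's source address is the lead for the incident-response team, since it is the session that now holds a valid credential.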
Response Measures and Regulatory Actions
The EPA urges water system operators to immediately implement mitigations such as reducing operational technology (OT) exposure to the public internet, replacing default passwords with strong unique ones, and enabling multifactor authentication for remote OT device access.
New York State has taken a pioneering regulatory approach by proposing enforceable cybersecurity requirements for water utilities serving populations over 3,300, including mandatory cybersecurity vulnerability analyses, incident response plans, cybersecurity hygiene training for operators, and rapid incident reporting mandates. New York has allocated $2.5 million for a Cyber Resilience Grant Program focused exclusively on improving cybersecurity in water and wastewater systems.
Summary
The urgency of cyber threats to U.S. water infrastructure is high because of ongoing cyberattacks, especially from Iranian-affiliated actors, and because water systems are critical to public health and safety. Recent hacks show attackers exploiting industrial control system weaknesses, disrupting operations and forcing operators to fall back to manual control. Threats include brute-force attacks, credential theft, and exploitation of insecure systems.
In response, immediate cybersecurity mitigations are advised, and emerging state-level regulations are being proposed alongside funding for cyber resilience. Emphasis is placed on risk assessments, training, and rapid incident reporting. The Biden administration has urged governors to collaborate on efforts to boost the resiliency of water infrastructure, and the EPA is organizing a task force to address the ongoing threat to the water sector.
The Biden administration has urged governors to send their top health, environmental, and homeland security officials to a virtual meeting scheduled for Thursday. A letter, dated Monday, was sent by EPA Administrator Michael Regan and National Security Advisor Jake Sullivan, specifically warning about recent IRGC-linked hacks of U.S. water systems and the ongoing threat from a China-linked actor known as Volt Typhoon. The urging comes in response to a rise in threats of malicious attacks from hackers affiliated with the People's Republic of China and the Iran-backed Islamic Revolutionary Guard Corps.
In late 2023, threat actors linked to the IRGC hacked into various U.S. water systems by targeting Israel-made Unitronics Vision Series programmable logic controllers. The Iran-linked threat actors impacted water facilities across 16 states, according to Anne Neuberger. Officials have warned operators to stop using default passwords and take other steps to improve their cyber resilience. In February, the Treasury Department's Office of Foreign Assets Control announced sanctions against six members of the IRGC's Cyber Electronics Command in connection with the threat activity.
Top U.S. cyber and national security officials have warned about an ongoing threat by Volt Typhoon to embed themselves in various critical infrastructure sectors. In January, these officials warned a House panel about the possibility of a diversionary attack in case of military action in the Asia-Pacific region. It is not immediately clear whether new intelligence has developed in recent weeks to spur the urgent call from top administration officials.
Veolia North America provides water and wastewater treatment to more than 20 million people across the U.S.
- The persistent threats against U.S. water infrastructure from Iranian-affiliated actors, such as CyberAv3ngers, have prompted a renewed focus on the cybersecurity of water systems.
- The nature of these cyber threats extends beyond brute-force attacks and credential theft, involving exploitation of outdated software and insecure remote access, as well as sabotage of industrial control systems.
- In response, the Biden administration is advocating for collaboration among governors to improve the resiliency of water infrastructure, while the EPA is organizing a task force to address ongoing threats in the water sector.