U.S. National Security Advisor Jake Sullivan and Environmental Protection Agency (EPA) Administrator Michael Regan warned governors today that hackers are "striking" critical infrastructure across the country's water sector.

In a joint letter sent on Tuesday, they asked for the governors' support to ensure that water systems in their states are adequately defended against cyberattacks and that they can recover if they are breached.

"Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks," said EPA Administrator Michael S. Regan.

"EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems."

The National Security Council (NSC) and the Environmental Protection Agency (EPA) have invited governors to a virtual meeting on March 21 to strengthen collaboration between government entities and water systems and establish a Water Sector Cybersecurity Task Force.

This task force will be responsible for identifying actions and strategies that can be implemented nationwide to minimize the risk of cyber attacks on water systems.

"We've worked across government to implement significant cybersecurity standards in our nation's critical infrastructure, including in the water sector, as we remain vigilant to the risks and costs of cyber threats," said National Security Advisory Jake Sullivan.

"We look forward to continuing our partnership with the EPA to bolster the cybersecurity of America's water and wastewater systems."

U.S. water infrastructure under attack

This call to action comes after, in February, CISA, the FBI, and the EPA shared a list of defense measures the U.S. water sector should implement to reduce cyberattack risks and boost their systems' resilience against malicious activity.

In recent months, Iranian and Chinese state-backed threat groups have both targeted and breached U.S. water systems. IRGC-affiliated threat actors infiltrated a Pennsylvania water facility, while Volt Typhoon hackers breached the networks of critical infrastructure organizations, including drinking water systems.

CISA also released a free security scan program in September to help critical infrastructure facilities like water utilities find security gaps and secure their systems from breach attempts.

Critical infrastructure facilities within the U.S. Water and Wastewater Systems (WWS) Sector have been breached multiple times over the last decade, sometimes leading to the deployment of Ghost, ZuCaNo, and Makop ransomware.

These ransomware attacks impacted a South Houston wastewater treatment plan in 2011, a water company with outdated software and hardware equipment in 2016, the Southern California Camrosa Water District in August 2020, and a Pennsylvania water system in May 2021.