Cyber threat actors have remained bold with how, when and what they target and public utility systems are not exceptions to threats posed by such actors. At least two threat actors have been linked to cyberattacks that have targeted US water systems, according to the US Environmental Protection Agency (EPA). 

These attacks on important water systems can interrupt water supply and put public health at risk. The recent attacks highlight the weakness of critical infrastructure to cyberattacks.

To protect public service sectors like energy and utilities and oil and gas, it’s important to implement robust security strategies and versatile cybersecurity measures that comply with evolving regulations. 

EPA response to cyber breaches

The two recent and ongoing threats to US water systems are from Iranian IRGC actors, who have exploited default passwords in operational technology at critical US infrastructure facilities, including water systems, and the Chinese state-sponsored Volt Typhoon group whose activities suggest pre-positioning to disrupt operations amid tensions or conflicts.

Since water system operators lack resources for robust cybersecurity, making them vulnerable to cyberattacks, the federal government relies in part on partnerships with state and local governments to build sector resilience. However, the US government continues to make efforts to secure public with its own programs, which will now include a newly established Water Sector Cybersecurity Task Force.

This task force — developed by the EPA — will work to identify near-term actions and strategies to reduce the risk of water systems nationwide to cyberattacks. Furthermore, the task force will build upon existing collaborative products, like the 2024 Roadmap to a Secure and Resilient Water and Wastewater Sector, and recommendations from the meeting with EPA, Department of Health and Human Services and Department of Homeland Security secretaries to be held on March 21.

Securing public services with cyber solutions

According to the EPA, collaborative effort will best result in advances that will better protect the nation’s critical water infrastructure from cyberattacks. Cybersecurity support and technical assistance are available from state programs as well as private sector associations like the American Water Works Association and National Rural Water Association.

Technology solutions providers, such as global technology major HCLTech, also provide an option for services and expertise that can help secure the digital frontier for the public sector. HCLTech offers a range of end-to-end security services for public services organizations that can protect them against threats while ensuring regulatory compliance and improving cybersecurity posture.

The US Cybersecurity and Infrastructure Security Agency (CISA) says that there are more than 150,000 public water systems across the US that face threats from nation states, ransomware gangs and hackers trying to steal customer information. Cybersecurity budgets are often limited for state and local governments, and many have not adopted important cybersecurity practices meant to thwart potential cyberattacks. Collaboration and training will play significant roles in developing cybersecurity best practices to secure water systems.