The Biden administration is warning the public about cyber threats against U.S. water systems that may affect clean drinking water in communities nationwide.
The warning directs organizations responsible for securing water systems to be on the lookout for attacks ranging from hacks to ransomware.
The advisory — which was issued Thursday by the Cybersecurity and Infrastructure Security Agency, FBI, Environmental Protection Agency, and the National Security Agency — also explained how to fight back against the attacks.
“This activity — which includes attempts to compromise system integrity via unauthorized access — threatens the ability of [U.S. water and wastewater] facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” said the joint advisory. “Note: although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.”
The alert comes as the Biden administration became more vocal about cyber threats affecting water systems in recent weeks.
Homeland Security Secretary Alejandro Mayorkas last week told USA Today’s editorial board that a February cyberattack on a water treatment plant in Oldsmar, Florida, was news that “should have gripped our entire country.”
Poor password security and an outdated operating system in Oldsmar were exploited by a hacker who sought to change the drinking water’s level of sodium hydroxide, also known as the liquid drain ingredient lye, according to an earlier advisory from federal officials. A plant operator in the town near Tampa, Florida, reacted quickly and stopped the hacker from changing the amount of lye in the drinking water from 100 parts per million to 11,100 parts per million.
The new advisory lists several cyber breaches affecting water systems from 2019 to August 2021. The ransomware attacks and hacks hitting water systems are closely linked to threats facing other critical infrastructure sectors, including insider threats, meaning current or former employees with improper access to various systems, and ransomware gangs, according to the advisory.
The alert does not provide full details about who is responsible for the attacks on water systems and instead said “both known and unknown actors” have launched cyber assaults on water systems.
The agencies note, however, that someone providing information about foreign governments involved in cyberattacks on water systems could qualify for a hefty reward.
“The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure,” read the joint advisory.