The US government is warning state governors that foreign hackers are carrying out disruptive cyber attacks against water and sewage systems throughout the country.
In a letter, National Security Advisor Jake Sullivan and Environmental Protection Agency Administrator Michael Regan warned that “disabling cyber attacks are striking water and wastewater systems throughout the United States.”
The letter singled out alleged Iranian and Chinese cyber saboteurs.
Sullivan and Regan cited a recent case in which hackers accused of acting in concert with Iran’s Revolutionary Guards had disabled a controller at a water facility in Pennsylvania.
They also called out a Chinese hacking group dubbed “Volt Typhoon” which they said had “compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories.”
“These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” the letter said.
China’s Embassy in Washington and Iran’s mission to the United Nations did not immediately return a message seeking comment.
Both countries have in the past denied carrying out cyber attacks.
The digital safety of water and sewage plants has long been a concern for cyber security professionals because the facilities provide a critical service and can often be lightly defended.
Last year’s intrusion at a booster facility – which monitors and regulates water pressure – in Aliquippa, Pennsylvania, drew particular attention in part because the stricken controller was replaced with a message saying: “YOU HAVE BEEN HACKED.”
No damage to the water system was reported, but, in a statement released at the time, an industry group called the Water Information Sharing and Analysis Center said “this may not be an isolated incident.”
This week’s letter called on governors to “ensure that all water systems in your state comprehensively assess their current cyber security practices” and prepare for potential cyber incidents.