Four Federal entities issued a joint advisory to American organizations, including those in the water sector, about an urgent and ongoing Iranian-affiliated cybersecurity threat. The U.S. Environmental Protection Agency (USEPA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) warn that American organizations from multiple critical infrastructure sectors have reported experiencing exploitation and, in some cases, disruption of commonly used operational technology at drinking water and wastewater systems.
Cybersecurity Risks
“Cyberattacks on drinking water and wastewater systems directly threaten public health and community resilience. A single breach can disrupt treatment or introduce contaminants, damage equipment, and erode public trust,” said USEPA Assistant Administrator for Enforcement and Compliance Assurance Jeffrey A. Hall. “EPA enforcement safeguards our nation’s critical infrastructure, including water systems, by ensuring compliance with applicable safety, maintenance, resilience, and security requirements and by rapidly correcting vulnerabilities. We also work with our law enforcement partners to disrupt attacks and to hold those responsible accountable. Our national security depends on water systems not only taking security seriously but also immediately reporting any incidents and working with our investigators to address them while protecting the public.”
The joint cybersecurity advisory includes information to help water systems identify specific vulnerabilities that are being exploited and take concrete steps to strengthen cyber resilience. It also underscores that the water sector remains an attractive target and continues to face threats from groups seeking to disrupt U.S. critical infrastructure.
Free Cybersecurity Tools
USEPA, as the Federal lead responsible for enhancing the cybersecurity posture of the water sector, supports water systems utilities in identifying cybersecurity gaps and developing risk mitigation plans to address those gaps by providing free cybersecurity assessments, technical assistance, tools, and training. It is important to note that these cybersecurity improvements often entail procedural changes rather than expensive hardware and software upgrades, so water systems with limited technical resources can greatly improve their cyber defenses.
Water systems that need technical support or additional information on cybersecurity best practices are encouraged to utilize USEPA’s new Real Water Technical Assistance (RealWaterTA) resources. The program focuses on public health and compliance with the Safe Drinking Water Act and Clean Water Act. The technical assistance provided aims to benefit Americans across the country, especially in rural areas where small systems face challenges operating and maintaining vital water infrastructure.
RealWaterTA focuses on eight priorities when helping water and wastewater systems reliably provide safe drinking water and effectively treat wastewater over the long term. USEPA says RealWaterTA will:
- Support returning to and maintaining compliance;
- Focus on traditional and innovative water infrastructure;
- Define the scope of technical assistance;
- Strengthen technical, managerial, and financial (TMF) management;
- Empower the water workforce;
- Improve financial readiness and access to financial assistance;
- Reduce inefficient costs; and
- Drive real-world results.
To request assistance from USEPA, visit the Cybersecurity Technical Assistance Program for the Water Sector. Suspicious or criminal activity should be reported to the FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System.