Hackers Target US Water: White House Raises Alarm on Cyberattacks

The U.S. water supply systems have become targets of cyberattacks by hackers from China and Iran, raising increasing concern among authorities.

As noted by Anne Neuberger, head of cybersecurity at the White House, Iran typically operates through hacktivists rather than state entities. For instance, the group Sandworm has reportedly been involved in attacks on water facilities in the U.S. and Europe, one of which even resulted in a reservoir overflow. Meanwhile, China is accused of cyberattacks on critical infrastructure, including water systems, through the Volt Typhoon group.

Although no severe consequences have yet been recorded, former NSA cybersecurity chief Rob Joyce warns that sooner or later, someone will manage to breach critical infrastructure, leading to real dangers.

Cyberattacks on water systems are made possible by vulnerabilities in operational technology (OT), which controls many infrastructure functions. These systems are rarely updated due to the need for continuous operation and are often spread across multiple sites, complicating protection against threats. The main vulnerability lies in the use of outdated systems that were not designed to withstand modern threats.

Iranian hacktivists have infiltrated U.S. water supply systems using simple tactics, such as standard passwords for programmable logic controllers (PLCs). PLCs manage water purification and distribution, and their connection to the internet makes them easy targets for attacks. Hackers can exploit these vulnerabilities to manipulate water systems, potentially threatening water contamination.

Attempts to bolster cybersecurity in the water sector have so far been unsuccessful. Initial rules establishing minimum security standards were repealed after state lawsuits. A new attempt to introduce such standards is expected to face resistance as well, particularly due to a lack of funds and specialists, especially in smaller utilities.

Industry experts note that the challenges in the water supply sector are worse than those in the energy sector: there is no unified national system, and each small company is left to address security issues on its own, making the water sector especially vulnerable to attacks. Cyberattacks on water systems can not only disrupt operations but also endanger public health and the environment. Access to clean drinking water and wastewater management could be severely compromised.

Experts warn that water facilities are becoming increasingly attractive targets for attackers. Unlike the energy sector, the water supply industry receives less attention, making it an easy mark for cyberattacks. Even minor security breaches can lead to long-term consequences, as was seen in the Flint water contamination crisis.

Initially, the Environmental Protection Agency (EPA) attempted to introduce minimum cybersecurity standards for water facilities in 2023 but faced state lawsuits. As a result, the rule was revoked, depriving the authorities of a key tool for enhancing security.

Despite the challenges, experts believe that broader support from federal agencies such as CISA could help address the issue. CISA is developing guidelines for the water sector, including simple technical solutions like changing passwords and setting up secure remote access.

However, specialists argue that offering financial support, rather than strict regulation, may help smaller water companies improve their cybersecurity and avoid being listed in vulnerability databases like Shodan.