Water agency prepares for possible cyberattacks

Peter Boylan, The Honolulu Star-Advertiser
·3 min read

May 21—The Environmental Protection Agency is warning water utilities nationwide to be wary of cyberattacks from hackers affiliated with Iran and China seeking to sabotage drinking and wastewater resources.

The cyberattacks are increasing in severity and frequency, according to a statement Saturday from the EPA.

Oahu's water supply has not been attacked, according to the Honolulu Board of Water Supply.

"We have not experienced an attack, nor have we been notified of a potential attack by any federal agencies (EPA, FBI, CISA, et al.)," said Kathleen M. Pahinui, BWS information officer, in a statement to the Honolulu Star-Advertiser.

The BWS adheres to the actions recommended by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and as noted in the May 18 letter from the White House, and a "list of actions water and wastewater systems can take to reduce risk and improve protections against malicious cyber activity."

"We also incorporate guidance, tools and resources provided by both EPA and CISA in the ongoing operation of our Cyber Security framework," said Pahinui.

The two threats highlighted by the White House's May 18 letter came from actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps and the People's Republic of China state-sponsored cyber warfare group known as Volt Typhoon.

Hackers aligned with Iran have carried out malicious cyberattacks against critical infrastructure entities in the U.S., including drinking water systems, according to the letter.

"In these attacks, IRGC-­affiliated cyber actors targeted and disabled a common type of operational technology used at water facilities where the facility had neglected to change a default manufacturer password," read the letter authored by Michael S. Regan, EPA administrator, and Jake Sullivan, assistant to the president for National Security Affairs.

China's Volt Typhoon group has "compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories," officials said. Volt Typhoon's targets and "pattern of behavior are not consistent with traditional cyber espionage."

Federal departments and agencies "assess with high confidence" that Volt Typhoon actors are pre-­positioning themselves to disrupt critical infrastructure operations in the event of "geopolitical tensions and/or military conflicts," Regan and Sullivan wrote.

Drinking water and wastewater systems are an "attractive target for cyberattacks" because they are a lifeline critical infrastructure sector but often "lack the resources and technical capacity" to adopt top-line cybersecurity practices.

In 2023 an and other government and private assets in Hawaii were targeted by hackers working for China's People's Liberation Army who look for ways to undermine U.S. military capabilities in the Asia-Pacific.

A Dec. 11 report in The Washington Post detailed the Chinese military's efforts to increase its capacity for crippling U.S. power and water utilities, communication networks and transportation systems.

China is preparing in the event a U.S.-Chinese war breaks out in the Pacific.

The public water utilities on Oahu, Maui and Hawaii island previously told the Honolulu Star-Advertiser they were not hacked by China in 2023.

More than 70% of water systems inspected by the EPA do not fully comply with requirements in the Safe Drinking Water Act, and some of those systems have critical cybersecurity vulnerabilities, such as default passwords that have not been updated and single logins that can easily be compromised, according to an EPA news release.

"Protecting our nation's drinking water is a cornerstone of EPA's mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation's drinking water is protected from cyberattacks," said EPA Deputy Administrator Janet McCabe, in a statement Monday. "EPA's new enforcement alert is the latest step that the Biden-­Harris Administration is taking to ensure communities understand the urgency and severity of cyberattacks and water systems are ready to address these serious threats to our nation's public health."

EPA issued the alert Monday because "threats to, and attacks on," the nation's water system have increased in frequency and severity to a point where "additional action is critical."