The possibility of Chinese hackers attacking U.S. water utilities in 2026 or 2027 is strong enough that top federal officials scheduled a virtual meeting with state governors and their staffs to discuss cyber threats to critical water infrastructure and federal efforts to help utilities fix those vulnerabilities, said a Federal official who manages the government’s drinking water programs.

To further that effort, Jennifer McLain, director of the Environmental Protection Agency's (EPA) Office of Ground Water and Drinking Water, said large metropolitan water facilities with strong cybersecurity programs are urged to help smaller utilities incorporate more robust programs into their systems.

Identifying vulnerabilities within water utilities and fixing those vulnerabilities “is something we need to do in partnership across the entire water sector,” said McLain, who presented on that subject at a Washington, D.C. conference of water utility agencies hosted by the National Association of Clean Water Agencies (NACWA), which supports policies to provide communities with affordable and sustainable water.

On March 19, 2024, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to all U.S. governors inviting state environmental, health, and homeland security secretaries to a closed meeting scheduled for March 21, 2024, to discuss the need to safeguard water-sector critical infrastructure against cyber threats. 

Chinese hackers are sitting on infrastructure systems waiting for the signal to deploy their attacks, so utilities must prepare for that in 2026 or 2027, McLain said to the NACWA conference attendees. Because of that, “we have a lot of work to do between now and then to identify the vulnerabilities and to fix those vulnerabilities,” she said.

However, while McLain said cyberattacks are predicted for 2026 or 2027, she told The Driller that cyber threats to critical water infrastructure have been “recent and near term.” She also said to The Driller that, in addition to Chinese hackers, “there are other state-sponsored cyberattackers and cyber criminals out there right now looking to harm critical infrastructure across the U.S. So, we (the EPA) are all hands on deck to address this cyber threat to water infrastructure.” Therefore, the EPA wants to “partner with the states and water systems to address that threat,” she said.

McLain said one action being implemented to counter cyber threats to water infrastructure is forming a “water sector cyber security task force” that identifies threats and reviews system risks. The task force is currently being chartered, and EPA and the National Security Council are “looking for utilities and governments to participate in deliberations” on the charter.

According to McLain, once the task force is operational, one of its tasks will be to get the large water-sector utilities to share their “best practices” with smaller water utilities that do not have those best practices. “This is where peer support can be really important. We’re looking for that and other ideas within the task force,” she said. 

Click here to read the meeting announcement.