The Biden administration is asking states to bolster security for water and wastewater systems, warning that utilities across the country are being targeted by “disabling cyberattacks.”

In a letter sent to all US governors on Tuesday, the White House and the Environmental Protection Agency (EPA) cited ongoing threats from hackers linked with Iranian and Chinese governments, warning that similar attacks could disrupt access to clean drinking water and “impose significant costs on affected communities.”

Environmental, Health, and Homeland Security secretaries have been invited to a meeting on March 21st to discuss safeguarding requirements to protect critical water infrastructure against cyber attacks. The EPA is additionally forming a Water Sector Cybersecurity Task Force to identify vulnerabilities and build on recommendations made during the upcoming meeting.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” reads the letter signed by national security advisor Jake Sullivan and EPA administrator Michael Regan.

The letter asks states to ensure their designated water systems have been assessed for vulnerabilities, pointing to a list of actions recommended by the Cybersecurity and Infrastructure Security Agency (CISA) that may help to improve security. “In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place and can mean the difference between business as usual and a disruptive cyberattack,” the letter warns.

Hackers believed to be affiliated with the Iranian government conducted attacks against US water facilities in November that hadn’t changed the default manufacturing password on common operational technology they were using. White House national security official Anne Neuberger said the incident was a call to tighten security around utilities, with the US Treasury sanctioning six Iranian Armed Forces officials responsible for the attacks in February. 

The letter also referenced threats posed by Volt Typhoon, a Chinese state-sponsored group that was revealed in February to have compromised information about US drinking water systems.