
Rep. Van Epps Discusses Growing Cyber Threat Against Water Infrastructure

May 21, 2026

Washington, D.C. - Today, Rep. Matt Van Epps (TN-07) participated in a Science, Space, and Technology Committee hearing titled “Environment Subcommittee Hearing—Research-Driven Resilience: Applying Science to Secure U.S. Water Systems from Cyber Threats.” The purpose of this hearing was to understand cybersecurity threats to America's water infrastructure. 

Watch Rep. Van Epps’ remarks here or read them below. 

Rep. Van Epps stated, “The risk to operational technologies supporting our critical infrastructure continues to grow as our adversaries expand their attack capabilities. In February 2023, PRC-affiliated Volt Typhoon compromised a Massachusetts water facility. Last month, CISA warned that a U.S. water facility was hit with over 1,900 hacking attempts from Iran's IRGC.

Modern warfare is now a confrontation between opposing operational systems rather than mere opposing armies, and our adversaries are currently seeking to disrupt and destroy the operational capabilities of the key systems facilitating the functions of our drinking water and wastewater utilities.”

Rep. Van Epps also had the opportunity to ask several questions. 

The Congressman asked: “Mr. Corman, in your testimony, you noted that Chinese cyber forces have quietly occupied positions inside our critical infrastructure systems. What can CISA and sector risk management agencies like EPA do to work with private industry to identify and eliminate pre-positioned cyber attacks on our industrial systems before they unleash disruptions to the system?”

Mr. Joshua Corman, Executive in Residence for Public Safety and Resilience, Institute for Security and Technology, said, “...It's a bit unintuitive, but when I look at how difficult it is for one of our best-funded water systems, one of our peak levels of operations for cybersecurity, they too are worried they can't keep pace with the Chinese military. We're currently adopting, for this crisis, a posture of ‘they're likely to get in, let's mitigate the full extent of the damage.’”

The Congressman then asked, “I also serve as a member of the House Committee on Homeland Security. The improvement of the most recent frontier AI models, like Anthropic's Claude Mythos, significantly increases the threat of cyberattacks to traditional information systems and critical information infrastructure systems. This development presents an urgent risk to the homeland. 

Mr. Corman, again, you state in your written testimony that Anthropic's Project Glasswing did not include an OT vendor as part of its early access to Claude Mythos. Anthropic claims Claude Mythos has found system vulnerabilities in every major operating system. Do you think these new frontier models developed by Anthropic and OpenAI have advanced to discover deep-rooted vulnerabilities on PLCs and SCADA technologies, perhaps explaining why the model was not given to OT vendors?”

Mr. Joshua Corman, Executive in Residence for Public Safety and Resilience, Institute for Security and Technology, said, “...I think the cybersecurity industry is quite biased towards the Fortune 5000, towards the confidential data, towards criminal behavior. We don't have a ton of participation towards operation technology (OT) and Industrial Control Systems (ICS). We're also biased towards the top of the market, the haves, not the have-nots, which is the overwhelming majority of our asset owners and operators for critical infrastructure. I don't think it's a moral failing; more so, it just reflects the current bias.

It's important to note that many of these software packages also exist in OT and ICS environments. They are using similar open-source; they're similarly flawed. While they are not at the table, they may suffer similar disruptions even by accident. For many of these adversaries, it's imperative we get some balance and some OT participation, both for the top of the market and the bottom market, lest we suffer the consequences.”

The Congressman then asked, “My district includes two major water systems serving our metro areas in Nashville and Clarksville, along with our many rural counties whose water utilities are at greater risk of disruption due to outdated cyber capabilities and aging infrastructure. The battlefield is here, and I see an urgent need to fortify my district from these malevolent foreign cyber threats equipped with advanced capabilities.

Mr. Hinchman, in GAO's 2024 report on risk to water and wastewater systems, your team noted that industry officials stated that water system operators do not dedicate significant time or effort to increase their systems' capabilities to defend against cyberattacks. The report noted that EPA recognized this challenge. Do you believe that EPA's sector-specific risk assessments and risk management plan sufficiently address cybersecurity risks to rural water systems in particular?”

Mr. David Hinchman, Director, IT & Cybersecurity, U.S. Government Accountability Office, said, “I think that everyone recognizes the extent of the problem, which is huge, and as we've all talked about and all mentioned in all of our opening statements, just how broad the sector is and how pervasive the threat is. When we talk to the owner-operators, a lot of them were happy with some aspects of what they got from EPA. As well as the Department of Agriculture, there are technical advisors that are out there that they really rely on. These are folks who tend to be in the community, so they're very familiar with them. It helps them with day-to-day operations, with small little problems they run into.

I think there's opportunity to boost that program, which has been relatively successful and was very popular with the owner-operators. I think that the risk assessment and risk management plan that EPA came up with properly addresses cybersecurity. As I mentioned, there's the challenge. We're not sure what the overall federal government umbrella looks like for cyber, but as we work through that in the coming months, as we get more information from the administration, hopefully that will all sync together well and provide the sector with something they can start to move out on in terms of really beefing up their cyber controls.”