America’s drinking water is facing attack, with links back to China, Russia and Iran
Houston Chronicle/hearst Newspapers Via Getty Images | Hearst Newspapers | Getty Images
The City of Wichita recently had an experience that’s become all too common — its water system was hacked. The cyberattack, which targeted water metering, billing and payment processing, followed the targeting of water utilities across the U.S. in recent years.
In going after America’s water, hackers aren’t doing anything special. Despite rising fears of AI use in cyber threats, the go-to criminal way into systems remains preying on human foibles, be it via phishing, social engineering, or a system still running on a default password — “old school” cyberattacks, according to Ryan Witt, vice president of cybersecurity firm Proofpoint.
The rising cybercrime wave targeting key infrastructure led the Environmental Protection Agency to issue an enforcement alert warning that 70% of water systems it inspected do not fully comply with requirements in the Safe Drinking Water Act. Without quantifying an exact number, the EPA said some have “alarming cybersecurity vulnerabilities” — default passwords that have not been updated, vulnerable single login setups, and former employees who retained systems access.
While the methods may be simple, an attack last year by an Iranian-backed activist group against 12 water utilities in the U.S. reinforced how purposeful “an attacker’s mindset” can be, according to Witt. The targeted utilities all contained equipment that was Israeli-made.
FBI, NSA, CISA all express concern
In February, the FBI warned Congress that Chinese hackers have burrowed deep into the United States’ cyber infrastructure in an attempt to cause damage, targeting water treatment plans, the electrical grid, transportation systems and other critical infrastructure. A Russian-linked hack in January of a water filtration plant in a small Texas town, Muleshoe — located near a U.S. Air Force base — caused a water tank to overflow. “Water is among the least mature in terms of security,” Adam Isles, head of cybersecurity practice for Chertoff Group, recently told CNBC.
Psychological impact on the population is also a strategic aim, seen not only in targeting of water assets but the Colonial Pipeline hack that made national headlines in 2021, and in the words of the federal Cybersecurity and Infrastructure Security Agency, featured “snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school.”
Attacks on U.S. water utilities’ IT systems can have a similar psychological impact, and even if the attacks don’t directly interfere with the operations of the utility, still lessen public trust in water supply. No hack to date has shut off the water to a population, but that’s the bigger worry, said Stuart Madnick, an MIT professor of engineering systems and co-founder of Cybersecurity at MIT Sloan.
Meddling with a water supply through attacks targeting IT (informational technology), like Wichita’s system, is minor in comparison to a successful attack on the OT (operating technology) that controls water plants. That is a massive risk, Madnick said, and the threat of it happening is not zero.
“We have demonstrated in our lab how operations, such as a water plant, could be shut down not just for hours or days, but for weeks. It is definitely technically possible,” he said.
A recent letter sent by EPA Administrator Michael Regan and National Security Advisor Jake Sullivan to the nations’ governors detailed the urgency of the threat. But Madnick is wary of the government’s ability to act quickly or robustly enough to prevent such an occurrence. Budgets, outdated infrastructure, and reluctance to move on an issue that may seem both vital and daunting suggest that the fixes may indeed not come quickly enough. “It has not happened yet, and serious action to prevent ‘likely’ will not happen, until after it has happened,” he said.
Outdated water utility technology
Like any modern system, water utilities rely on technology for monitoring, for operations, and for customer communication. The technology creates vulnerabilities — for providers and users — so the need for enhanced security measures is acute. “The community risk from cyberattacks includes an attacker gaining control of the operations of a system to damage infrastructure, disrupt the availability or flow of water, or altering the chemical levels, which could allow untreated wastewater to be discharged into a waterway or contaminate drinking water provided to a community,” said an EPA spokesman.
Witt says there are some initial steps to take in improving the cyber hygiene of dated systems. “Improving password strength, reducing exposure to public-facing internet, and the need for cybersecurity awareness training,” would go a long way to shoring up defenses, he said. Another potential fix is the deployment of what are called air-gapped systems that separate supervisory and control systems from other networks. Since the easiest way into these systems is to obtain credentials and then exploit the system, “A systems admin should not be able to access office systems such as email and be able to operate a control panel of a water system from the same laptop,” Witt said.
For the most part, attacks that have occurred have been preventable, according to the EPA. “Systems were victimized by destructive and costly cyberattacks because they failed to adopt basic cyber resiliency practices,” the EPA spokesman said. “All drinking water and wastewater systems are at risk — large and small, urban and rural,” he said.
While it has not been a tool needed to date in these water utility attacks, AI is coming alongside the concerted cyber efforts of geopolitical rivals. “Rapid advances in artificial intelligence are giving cyberthreat actors more sophisticated tactics, techniques, and procedures to penetrate operational technology that controls critical infrastructure facilities,” the EPA spokesman said. “These attacks have been linked to a variety of types of malicious actors, including hackers working on behalf of or in support of other nations who could use disruptions to U.S. critical infrastructure to their strategic advantage.”
A Xiaomi store in Shanghai, China, on March 16, 2025.
Qilai Shen/Bloomberg | Bloomberg | Getty Images
Chinese electric carmakers Xiaomi, Xpeng and Leapmotor each delivered nearly 30,000 or more cars in March, roughly twice several of their fellow startup competitors.
It’s a sign of how some automakers are pulling ahead, while BYD remains the market leader by far.
Xiaomi delivered a record number of electric vehicles in March, exceeding 29,000 units, the company announced on social media. That topped its prior run of delivering more than 20,000 vehicles in each of the past five months.
The SU7, Xiaomi’s flagship model, was involved in a crash on a highway on Tuesday that left three dead. The automaker on Tuesday afternoon released a statement on Chinese social media that the vehicle was in navigation on autopilot mode before the accident.
Based on preliminary information, the road was obstructed because of construction. The driver took control of the car but collided with construction infrastructure. Xiaomi added in the release that investigations were underway.
That came two weeks after the automaker announced on March 18 its goal to deliver 350,000 vehicles this year. There are also talks of the automaker expanding its second EV factory in Beijing to meet demand, Bloomberg reported on March 18. Xiaomi did not immediately respond to CNBC’s request for comment.
Its competitor Xpeng in March delivered 33,205 vehicles, the fifth consecutive month it has delivered over 30,000 units per month and reflecting a 268% surge in deliveries from the same month last year. March is also the fifth consecutive month the company has delivered over 15,000 units of the Mona M03.
Leapmotor delivered 37,095 vehicles, reflecting a 154% year-over-year growth. The Stellantis-owned automaker last month launched U.K. sales of two electric vehicle models, the T03 and the C10.
Li Auto delivered 36,674 vehicles in March, a 26.5% year-over-year increase, but fewer than every month in the second half of 2024. The company’s cars had gained early traction with Chinese consumers since most come with a fuel tank for charging the vehicle’s battery, reducing anxiety about driving range.
BYD sold 371,419 passenger vehicles in March, reflecting a year-over-year growth of 57.9%. Its overseas sales volume also hit a record high of 72,723 units in March.
In the same month, the automaker unveiled its “Super e-Platform” technology, which boasts 400 kilometers (roughly 249 miles) of range with five minutes of charging. The company in February also announced that it was integrating DeepSeek artificial intelligence to develop “DiPilot,” its advanced driver-assistance system.
Across the board, major companies across China’s electric car industry reported deliveries rose last month, indicating a pick-up in demand from the seasonally soft first two months of the year.
U.S. automaker Tesla sold 78,828 electric vehicles in China in March, marking a 11.5% year-over-year decline in growth.
Other Chinese carmakers saw growth in deliveries but some still struggled to break through the 20,000-unit mark.
Nio delivered 15,039 vehicles, a 26.7% year-over-year growth, but well below the number of cars delivered in the months of May to December last year. Nio-owned Onvo, which markets its electric vehicles as family-oriented, in March recorded 15,039 units in deliveries.
Geely-owned Zeekr delivered 15,422 vehicles in March, increasing by 18.5% year over year. The company last month announced its rollout of free advanced driver-assistance technology to local customers in a bid to compete in the market.
Aito, as of April 2, has not published its delivery numbers for March. The automaker, which uses Huawei tech in its vehicles, on social media had reported monthly deliveries of 34,987 and 21,517 in January and February, respectively.
Quarterly performance
On a first-quarter basis, BYD remained in the lead with 986,098 vehicles sold. The automaker, which overtook Tesla in annual sales last year, surpassed the U.S. EV giant in battery electric vehicles sales this quarter.
Tesla sold 172,754 vehicles in China in the first quarter this year, according to monthly delivery numbers published by the China Passenger Car Association.
Xpeng also reported strong growth, with a total of 94,008 vehicles delivered in the quarter ending in March, reflecting a 331% year-over-year growth.
Leapmotor saw quarterly deliveries more than double to 87,552 units from 33,410 units the same period in 2024, according to publicly available numbers the company published.
However, Li Auto and Nio reported weaker growth than their competitors in the first quarter of the year.
Nio saw 42,094 vehicles delivered in the three months ended March 2025, an increase of 40.1% year over year. Li Auto saw a slower year-over-year growth of 15.5%, with a total of 92,864 vehicles delivered.
A driver for an independent contractor to FedEx delivers packages on Cyber Monday in New York, US, on Monday, Nov. 27, 2023.
Stephanie Keith | Bloomberg | Getty Images
President Donald Trump on Wednesday signed an executive order shutting the de minimis trade loophole, effective May 2.
Trump in February abruptly ended the de minimis trade exemption, which allows shipments worth less than $800 to enter the U.S. duty-free. The order overwhelmed U.S. Customs and Border Protection employees and caused the U.S. Postal Service to temporarily halt packages from China and Hong Kong. Within days of its announcement, Trump reversed course and delayed the cancellation of the provision.
Wednesday’s announcement, which came alongside a set of sweeping new tariffs, gives customs officials, retailers and logistics companies more time to prepare. Goods that qualify under the de minimis exemption will be subject to a duty of either 30% of their value, or $25 per item. That rate will increase to $50 per item on June 1, the White House said.
Use of the de minimis provision has exploded in recent years as shoppers flock to Chinese e-commerce companies Temu and Shein, which offer ultra-low cost apparel, electronics and other items. The U.S. Customs and Border Protection has said it processed more than 1.3 billion de minimis shipments in 2024, up from over 1 billion shipments in 2023.
Critics of the provision say it provides an unfair advantage to Chinese e-commerce companies and creates an influx of packages that are “subject to minimal documentation and inspection,” raising concerns around counterfeit and unsafe goods.
The Trump administration has sought to close the loophole over concerns that it facilitates shipments of fentanyl and other illicit substances on the claims that the packages are less likely to be inspected by customs agents.
Temu and Shein have taken steps to grow their operations in the U.S. as the de minimis loophole has come under greater scrutiny. After onboarding sellers with inventory in U.S. warehouses, Temu recently began steering shoppers to those items on its website, allowing it to speed up deliveries. Shein opened distribution centers in states including Illinois and California in 2022, and a supply chain hub in Seattle last year.
WATCH: President Trump signs executive orders for reciprocal tariffs
-
Sports2 years ago‘Storybook stuff’: Inside the night Bryce Harper sent the Phillies to the World Series
-
Sports12 months agoStory injured on diving stop, exits Red Sox game
-
Sports1 year agoGame 1 of WS least-watched in recorded history
-
Sports2 years agoMLB Rank 2023: Ranking baseball’s top 100 players
-
Sports4 years ago
Team Europe easily wins 4th straight Laver Cup
-
Environment2 years agoJapan and South Korea have a lot at stake in a free and open South China Sea
-
Environment2 years agoGame-changing Lectric XPedition launched as affordable electric cargo bike
-
Business3 years agoBank of England’s extraordinary response to government policy is almost unthinkable | Ed Conway