A recent investigation by the U.S. Environmental Protection Agency’s Office of Inspector General (OIG) has revealed serious cybersecurity issues in over 300 drinking water systems across the country.1
These systems are critical to national infrastructure; weaknesses in reporting and coordinating responses to cyber threats could disrupt services, damage data, or cause system failures.
Learn about this investigation, which followed strict standards to ensure an objective and thorough process.
Is Your Water System Safe?
Cybersecurity experts checked 1,062 drinking water systems across the U.S. to find vulnerabilities, impacting over 193 million people. On October 8, 2024, they found that 97 water systems serving about 26.6 million people had critical or high-risk vulnerabilities.
Another 211 systems, serving over 82.7 million people, were flagged for medium or low-risk issues because they had open, visible portals online. Even these lower-risk vulnerabilities can still pose a problem if not addressed.
What You Need to Know
According to the OIG, drinking water systems are made up of many parts spread out across different areas. To check for Cybersecurity risks, experts mapped out the digital footprint of 1,062 water systems, analyzing over 75,000 IPs and 14,400 domains.
If hackers target these vulnerabilities, they could disrupt water services or even damage critical infrastructure beyond repair. The OIG report provided an example of the cost of water disruptions citing a 2023 US Water Alliance report, which shows that just one day without water could risk $43.5 billion in economic activity.
Just recently, American Water Works, the largest water utility in the U.S., was hit by a Cyberattack and had to take some systems offline.
EPA’s Cybersecurity Reporting Gaps
When trying to alert the EPA about Cybersecurity risks, the OIG report states that the agency doesn’t have its system for water and wastewater systems to report cyber incidents. Right now, the EPA relies on the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) for these reports.
CISA has repeatedly warned that water systems are vulnerable to attacks from hacktivist groups. This is due to weak Cybersecurity practices, like using default passwords, not enabling multi-factor authentication (MFA), and leaving systems exposed to the Internet.
The OIG couldn’t find any clear policies on how the EPA coordinates with CISA or other federal and state agencies for emergency response, security plans, or risk management. In August 2024, the Government Accountability Office (GAO) recommended that the EPA evaluate water sector risks, develop a Cybersecurity strategy, and look into acquiring more authority to handle these responsibilities.
As it relates to Cybersecurity, the U.S. Department of Agriculture (USDA) and the White House started a year-long program with the National Rural Water Association (NRWA) to help rural water utilities improve their cyber defenses.
FAQ
What Vulnerabilities Were Found In U.S. Drinking Water Systems?
Federal investigators discovered Cybersecurity vulnerabilities in over 300 drinking water systems across the U.S., including risks from outdated systems, open digital portals, and weak security practices that could be exploited by hackers.
How Could These Vulnerabilities Affect Drinking Water Systems?
If exploited, these vulnerabilities could lead to disruptions in water service, damage to infrastructure, or even compromise public health by tampering with water treatment and distribution processes.
What Can Organizations Do To Address These Vulnerabilities?
Organizations can address these vulnerabilities by working with Cybersecurity experts, who offer attack simulations and penetration testing to ensure compliance with standards like NIST. These tests help identify and patch vulnerabilities in systems. Also, implementing endpoint protection across all devices can prevent breaches and keep systems secure.
Source:
- Management Implication Report: Cybersecurity Concerns Related to Drinking Water Systems. (2024). https://www.epaoig.gov/sites/default/files/reports/2024-11/full_report_-_25-n-0004t_1.pdf
