Federal Probe Finds Cybersecurity Vulnerabilities In 300+ Drinking Water Systems

Table of Contents

A recent investigation by the U.S. Environmental Protection Agency’s Office of Inspector General (OIG) has revealed serious cybersecurity issues in over 300 drinking water systems across the country.1 

These systems are critical to national infrastructure; weaknesses in reporting and coordinating responses to cyber threats could disrupt services, damage data, or cause system failures. 

Learn about this investigation, which followed strict standards to ensure an objective and thorough process.

Is Your Water System Safe? 

Cybersecurity experts checked 1,062 drinking water systems across the U.S. to find vulnerabilities, impacting over 193 million people. On October 8, 2024, they found that 97 water systems serving about 26.6 million people had critical or high-risk vulnerabilities.

Another 211 systems, serving over 82.7 million people, were flagged for medium or low-risk issues because they had open, visible portals online. Even these lower-risk vulnerabilities can still pose a problem if not addressed.

What You Need to Know

According to the OIG, drinking water systems are made up of many parts spread out across different areas. To check for Cybersecurity risks, experts mapped out the digital footprint of 1,062 water systems, analyzing over 75,000 IPs and 14,400 domains.

If hackers target these vulnerabilities, they could disrupt water services or even damage critical infrastructure beyond repair. The OIG report provided an example of the cost of water disruptions citing a 2023 US Water Alliance report, which shows that just one day without water could risk $43.5 billion in economic activity.

Just recently, American Water Works, the largest water utility in the U.S., was hit by a Cyberattack and had to take some systems offline.

EPA’s Cybersecurity Reporting Gaps

When trying to alert the EPA about Cybersecurity risks, the OIG report states that the agency doesn’t have its system for water and wastewater systems to report cyber incidents. Right now, the EPA relies on the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) for these reports.

CISA has repeatedly warned that water systems are vulnerable to attacks from hacktivist groups. This is due to weak Cybersecurity practices, like using default passwords, not enabling multi-factor authentication (MFA), and leaving systems exposed to the Internet.

The OIG couldn’t find any clear policies on how the EPA coordinates with CISA or other federal and state agencies for emergency response, security plans, or risk management. In August 2024, the Government Accountability Office (GAO) recommended that the EPA evaluate water sector risks, develop a Cybersecurity strategy, and look into acquiring more authority to handle these responsibilities.

As it relates to Cybersecurity, the U.S. Department of Agriculture (USDA) and the White House started a year-long program with the National Rural Water Association (NRWA) to help rural water utilities improve their cyber defenses.

FAQ

What Vulnerabilities Were Found In U.S. Drinking Water Systems?

Federal investigators discovered Cybersecurity vulnerabilities in over 300 drinking water systems across the U.S., including risks from outdated systems, open digital portals, and weak security practices that could be exploited by hackers.

How Could These Vulnerabilities Affect Drinking Water Systems?

If exploited, these vulnerabilities could lead to disruptions in water service, damage to infrastructure, or even compromise public health by tampering with water treatment and distribution processes.

What Can Organizations Do To Address These Vulnerabilities?

Organizations can address these vulnerabilities by working with Cybersecurity experts, who offer attack simulations and penetration testing to ensure compliance with standards like NIST. These tests help identify and patch vulnerabilities in systems. Also, implementing endpoint protection across all devices can prevent breaches and keep systems secure.

Source:

  1. Management Implication Report: Cybersecurity Concerns Related to Drinking Water Systems. (2024). https://www.epaoig.gov/sites/default/files/reports/2024-11/full_report_-_25-n-0004t_1.pdf

Share this article with a friend

Related Posts

Hackers Want Your Data - Meet The Ones Who Are Trying To Protect It | 2Secure Corp

Hackers Want Your Data - Meet The Ones Who Are Trying To Protect It | 2Secure Corp

In this Cybersecurity Insider podcast episode, host Yigal Behar focuses on how hackers target valuable data.  Yigal, a seasoned cybersecurity…
Dell Data Breach! OMG

Dell Data Breach! OMG

Today we have discussed successful and unsuccessful breaches. Today\'s guest Seth Melendez. 1. Dell Customer Database Compromised 2. Library of…
The Seven Cybersecurity Challenges in 2024 | 2Secure Corp

The Seven Cybersecurity Challenges in 2024 | 2Secure Corp

Seven Cybersecurity challenges will continue to evolve and present new threats to individuals, businesses, and governments alike. Here are some…

Sign Up for Your Free 30-Day SoC Trial Today!

We Are Now Offering Our 24/7 SoC Service With a Risk-Free 30-Day Trial—No Commitments Required.

Hurry! Limited Slots Available for This Exclusive Trial.

Ground Rules

  1. 🏢 Minimum Company Size: Must have at least 25 employees.
  2. 💻 Endpoints Limit: Trial is limited to a specific number of endpoints.
  3. One Trial Per Company: You can’t trial more than once.

What You’ll Get During the Trial

  1. 🎁 $150 Amazon Gift Card: Just for signing up.
  2. 👩‍💻 24/7 SoC Team: Our experts monitoring your environment so you can sleep easy.
  3. 🔍 Threat Hunting: Uncover existing threats hiding in your network.
  4. ⚠️ Active Threat Detection:
    • Detect unknown active threats.
    • Detect known active threats.
  5. 🔧 Missing Patch Identification: Stay on top of vulnerabilities caused by unpatched systems.
  6. Free Internal Vulnerability Assessment:
    At the end of your trial, you’ll receive a complimentary assessment to know exactly where you stand.

Test Drive 2Secure

Create an account to access this functionality.
Discover the advantages