Cybersecurity Concerns Loom Over Drinking Water Systems, Says EPA Inspector General Report
A new report from the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA) highlights significant cybersecurity concerns at drinking water systems across the United States. The report, released on November 13, 2024, describes vulnerabilities that malicious actors could exploit to disrupt service, cause irreparable physical damage to infrastructure, or steal sensitive information.
The OIG conducted a passive assessment of 1,062 drinking water systems serving over 193 million people. The assessment revealed that 97 of these systems, serving approximately 26.6 million users, had either critical or high-risk cybersecurity vulnerabilities. An additional 211 systems, serving over 82.7 million people, were identified as having medium to low-risk vulnerabilities due to externally visible open portals.
“The results identified cybersecurity vulnerabilities that an attacker could exploit to degrade functionality, cause loss or denial of service, or facilitate the theft of customer or proprietary information,” the report notes. “If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure.”
The report emphasizes the potential economic impact of a cybersecurity-related water service disruption. Citing a 2023 report from the US Water Alliance, the OIG notes that a one-day disruption in water service across the United States could jeopardize $43.5 billion in economic activity. The report also provides examples of the potential impact at two drinking water systems comparable in size and population served to many of the systems assessed.
The OIG also identified weaknesses with reporting and coordinating responses to potential cybersecurity incidents at these water systems. The report notes that the EPA does not have its own cybersecurity incident reporting system and relies on the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) for this type of information.
In response to these findings, the OIG is notifying the EPA of these concerns so that the Agency may take appropriate steps to address them. The OIG has also made several recommendations, including:
- Developing and implementing a national cybersecurity strategy for the water and wastewater sector.
- Evaluating the sufficiency of its legal authorities to carry out its cybersecurity responsibilities.
- Seeking additional authority as necessary.
As the report concludes, “Drinking water systems are critical infrastructure. As such, identifying and addressing cybersecurity concerns within these systems and reporting and coordinating responses to potential cybersecurity incidents is critical to preventing related disruption, corruption, and dysfunction, and to protecting public health.”