Many US water systems exposed to ‘high-risk’ vulnerabilities, watchdog finds
Nearly 100 drinking water systems across the U.S. have “high-risk” vulnerabilities in the technology they use to serve millions of residents, according to a new report from a federal watchdog.
The Environmental Protection Agency’s Office of Inspector General conducted a review of the agency’s cybersecurity initiatives, using an algorithm to rank issues at specific water utilities across the U.S. revolving around email security, IT hygiene, vulnerabilities, adversarial threats, and malicious activity.
The watchdog assessed 1,062 drinking water systems that serve more than 193 million people. Among those, 97 systems had “either critical or high-risk cybersecurity vulnerabilities” as of October 8. Those systems serve 26.6 million people.
“The results identified cybersecurity vulnerabilities that an attacker could exploit to degrade functionality, cause loss or denial of service, or facilitate the theft of customer or proprietary information,” wrote Inspector General Sean O’Donnell and the Office of National Security’s Ted Stanich.
“Although not rising to a level of critical or high-risk cybersecurity vulnerabilities, an additional 211 drinking water systems, servicing over 82.7 million people, were identified as medium and low [risk] by having externally visible open portals.”
The study focused on drinking water systems serving 50,000 people or more. The investigators analyzed more than 75,000 IP addresses and 14,400 domains as part of the effort. They highlighted a 2023 study that found that a one-day disruption to water in the U.S. “could jeopardize $43.5 billion in economic activity.”
As an example, the investigators said a disruptive attack on North Carolina water utility Charlotte Water would “potentially cost at least $132 million in lost revenue per day.”
In addition to the water system vulnerabilities, investigators uncovered a bigger issue during their efforts to report problems to the EPA.
“While attempting to notify the EPA about the cybersecurity vulnerabilities, we found that the EPA does not have its own cybersecurity incident reporting system that water and wastewater systems could use to notify the EPA of cybersecurity incidents,” the investigators said.
The agency, they explained, relies on the Cybersecurity and Infrastructure Security Agency (CISA) as the organization to contact when there are issues.
But the investigators said they were “unable to find documented policies and procedures related to the EPA’s coordination with [CISA] and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies.”
The investigators added that the federal Government Accountability Office told the EPA this kind of reporting infrastructure was needed in a report published in August.
An EPA spokesperson declined to answer several specific questions about the claims made by the inspector general but said they are reviewing the report’s implications.
“The agency has long-standing concerns with cybersecurity-related threats and vulnerabilities facing the water sector and continues to work diligently within the water sector to mitigate these vulnerabilities by providing direct technical assistance, guidance, tools, training, and funding that can aid water and wastewater owners and operators with improving cybersecurity,” they said.
“EPA regularly receives water sector cyber incident information from CISA and the FBI. Overall, the agency agrees with the OIG that a robust cybersecurity program that helps the water sector prevent, detect, respond to, and recover from cyber incidents is critical to protecting public health.”
The EPA was one of the first agencies to implement new cybersecurity regulations following the release of the National Cybersecurity Strategy last year.
But the efforts were quickly stymied through a lawsuit by industry groups and Republican lawmakers — who said the costs needed to pay for cyber protections would be passed on to consumers. The EPA eventually repealed the regulation after a court ruled against the agency.
Since then, there have been multiple ransomware attacks on water utilities, reigniting concern about cybersecurity in the sector. Water utilities in California, Kansas, Texas, Florida and more have dealt with breaches and ransomware attacks over the last year. American Water Works, which supplies water to millions of Americans across 14 states and 18 military installations, announced a ransomware attack last month that limited access to key online platforms.
In addition to the cybercriminal attacks on water organizations, nation-states have also targeted water systems. Multiple U.S. water utilities were attacked by Iranian government hackers last year.
Despite the lawsuit, the EPA has found other ways to address cybersecurity issues. The agency is working to establish a Water Sector Cybersecurity Task Force that could identify strategies to reduce the risk of cyberattacks against water systems, and it has worked with law enforcement to publish a manual with more information about cyber incident response.
The EPA released an “enforcement alert” in May that said recent inspections found more than 70 percent of water utilities fail to meet basic cybersecurity standards, including some with “critical” vulnerabilities, such as relying on default passwords that haven’t been updated and single logins that “can easily be compromised.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.