Inspector General Report Uncovers 97 Water Systems Facing Significant Cybersecurity Threats
In a recent report released by the Environmental Protection Agency’s (EPA) inspector general, serious cybersecurity vulnerabilities have been identified in drinking water systems that affect over 100 million Americans. The findings highlight the risk of potential cyberattacks that could disrupt service or cause severe physical damage to critical water infrastructure.
The investigation involved a review of more than 1,000 drinking water systems across the nation, serving approximately 193 million people. The report pinpointed 97 systems as having critical or high-risk vulnerabilities, impacting 26.6 million individuals. Additional concerns were raised about 211 other systems serving over 82.7 million residents, which exhibited issues such as "externally visible open portals."
The economic repercussions of a cybersecurity incident in the water sector could be staggering, with a single day of disruption potentially endangering $43.5 billion in economic activity and raising grave public health concerns. Alarmingly, the EPA lacks a formal incident reporting mechanism that would allow water and wastewater system operators to report cybersecurity breaches or vulnerabilities, leaving a gap in responsiveness to such threats.
The report underscored the urgency of addressing these vulnerabilities, citing previous high-profile incidents in water systems as evidence of the critical need for enhancements in cybersecurity measures. This report follows a recent cybersecurity breach at American Water, the largest regulated water utility in the United States, which led to the temporary shutdown of customer services after unauthorized activities were detected in its computer networks.
Compounding concerns, in September, the FBI and the Department of Homeland Security confirmed an investigation into a separate cyberattack targeting a water treatment facility in Arkansas City, Kansas. Federal agencies have been vocal about the necessity for water and wastewater utilities to bolster their cybersecurity defenses amid rising threats to infrastructure.
The complexity of the water sector, characterized by a diverse mix of privately owned and publicly managed utilities governed by varying state and local regulations, presents challenges in achieving uniform cybersecurity standards. Many smaller utilities, lacking the resources to establish dedicated cybersecurity teams, find themselves ill-prepared to respond to sophisticated cyber threats. The Biden administration recently rescinded plans for federally mandated safety assessments, which could have added further scrutiny to under-resourced utilities.
Furthermore, the report revealed that the EPA does not have internal processes for documenting vulnerabilities or coordinating responses to cyber incidents. Instead, it relies on the Cybersecurity and Infrastructure Security Agency (CISA) for these functions. Sean Arrowsmith, a cybersecurity expert at NCC Group, emphasized the need for a structured incident reporting framework to facilitate collaborative resilience across the water sector.
Given this landscape, business leaders and stakeholders in the cybersecurity community must remain vigilant. The vulnerabilities identified in the report align with various tactics and techniques specified in the MITRE ATT&CK framework, particularly in areas such as initial access, persistence, and privilege escalation. As these systems face increasing scrutiny, the importance of fortifying cybersecurity measures becomes ever more apparent. The EPA has yet to comment on the report’s findings, but the pressing need for action is clear.