Cybersecurity Vulnerabilities in U.S. Drinking Water Systems

A recent report from the Environmental Protection Agency (EPA)’s Office of Inspector General (OIG) has revealed significant cybersecurity vulnerabilities in over 300 U.S. drinking water systems. These weaknesses threaten service disruptions, data breaches, and potential damage to critical infrastructure, affecting the safety and accessibility of water for millions of Americans.

Who Is Affected?

The OIG's passive assessment analyzed 1,062 drinking water systems serving over 193 million people. Among these:

• 97 systems, serving 27 million individuals, were found to have critical or high-severity vulnerabilities.

• 211 systems, serving 83 million people, were impacted by medium- and low-severity weaknesses, such as open portals visible to external threats.

In total, over 300 systems that supply water to approximately 110 million Americans face cybersecurity risks that could result in severe consequences, including denial-of-service (DoS) attacks, functionality disruptions, and the compromise of customer information.

Key Findings from the Assessment

The evaluation reviewed five key cybersecurity categories: email security, IT hygiene, vulnerabilities, adversarial threats, and malicious activity. The identified weaknesses were rated based on their potential impact, ranging from critical to low severity.

Key Threats Identified

1. Denial-of-Service (DoS) Attacks: These attacks could disable essential water distribution and treatment functions.

2. Unauthorized Access: Exploitable vulnerabilities, such as open portals and weak authentication, could allow attackers to access critical systems.

3. Compromise of Customer Data: Information related to customers, including billing and personal data, could be exposed.

4. Physical Damage: Cyberattacks could manipulate water treatment processes, causing irreparable harm to infrastructure.

The Digital Footprint

The OIG mapped the digital footprint of these systems, analyzing over 75,000 IPs and 14,400 domains. This comprehensive investigation highlighted how interconnected and exposed many of these systems are to potential cyber threats.

Challenges in Cybersecurity Coordination

The OIG's report pointed out significant gaps in coordination and incident response mechanisms within the EPA:

1. Lack of Incident Reporting System: The EPA does not maintain a cybersecurity incident reporting system specifically for water systems. Instead, it relies on the Cybersecurity and Infrastructure Security Agency (CISA) for reporting and response.

2. Absence of Documented Procedures: There are no formal policies or strategies for collaboration between the EPA, CISA, and other authorities, leaving vulnerabilities unaddressed and response plans unclear.

Recent Cybersecurity Incidents

The report underscores the urgency of addressing these vulnerabilities by citing recent events:

• In October 2024, American Water, which services over 14 million people across 14 states, experienced a cyberattack. While water services remained unaffected, certain systems had to be shut down to contain the threat.

• In May, the EPA reported that over 70% of water systems were non-compliant with the Safe Drinking Water Act, citing critical issues like default passwords and insufficient authentication protocols.

These incidents highlight the real-world consequences of lax cybersecurity measures in critical infrastructure.

How to Protect Water Systems

For Water System Operators

1. Implement Strong Authentication: Replace default passwords with robust, unique credentials and enable multi-factor authentication (MFA).

2. Regular Vulnerability Assessments: Conduct routine cybersecurity audits and address identified weaknesses promptly.

3. Network Segmentation: Isolate critical systems from public-facing networks to reduce the attack surface.

4. Incident Response Plans: Develop and test incident response procedures to minimize the impact of potential breaches.

For Government Agencies

1. Establish Reporting Mechanisms: The EPA should implement a dedicated incident reporting system for water systems to improve monitoring and coordination.

2. Collaboration with CISA: Strengthen partnerships with CISA and other federal and state authorities to create robust emergency response strategies.

3. Funding and Support: Provide resources and technical support to local and regional water systems to enhance their cybersecurity capabilities.

For Consumers

1. Stay Informed: Keep up-to-date with local water service providers regarding potential disruptions or breaches.

2. Advocate for Transparency: Encourage local governments and water authorities to prioritize and report on cybersecurity improvements.

3. Protect Personal Data: Be cautious with billing and account details shared with water providers, and report suspicious activity promptly.

Why This Matters

Water is a fundamental resource, and its accessibility, quality, and safety are essential for public health and well-being. The growing sophistication of cyberattacks targeting critical infrastructure means that water systems must prioritize cybersecurity to prevent potentially catastrophic outcomes.

The findings in the OIG's report serve as a wake-up call for water system operators, government agencies, and consumers alike. Addressing these vulnerabilities is not just about protecting infrastructure—it’s about safeguarding the health and safety of millions of Americans.

Conclusion

The cybersecurity vulnerabilities in U.S. drinking water systems present a clear and pressing risk to national infrastructure. With over 110 million people potentially affected, immediate action is required to bolster defenses, implement robust incident response mechanisms, and ensure the continued safety and reliability of our water systems. Collaboration across all levels—operators, government agencies, and the public—is essential to mitigate these risks and secure this critical resource for the future.