Nearly 100 U.S. drinking water systems are exposed to “high-risk” vulnerabilities in the technology they use to serve millions of residents, according to a new report by the Environmental Protection Agency’s (EPA) Office of Inspector General (OIG).
The report, which analyzed cybersecurity practices across 1,062 drinking water systems serving over 193 million people, revealed that 97 of these systems had critical or high-risk vulnerabilities as of October 8. These systems alone serve approximately 26.6 million people. Another 211 systems, servicing more than 82.7 million people, were flagged for medium and low-risk vulnerabilities, such as open portals visible to external threats.
Potential Impact of Cybersecurity Gaps
The vulnerabilities identified include risks that could allow attackers to degrade system functionality, deny services, or steal sensitive data. The report highlighted the potential economic repercussions, citing a study that estimated a single day of disrupted water service in the U.S. could jeopardize $43.5 billion in economic activity.
For instance, a disruptive attack on North Carolina’s Charlotte Water utility could result in losses of at least $132 million per day, underscoring the critical need for cybersecurity improvements.
Gaps in Reporting and Coordination
The investigation uncovered a significant gap in the EPA’s ability to respond to cybersecurity incidents in the water sector. The agency lacks its own incident reporting system, instead relying on the Cybersecurity and Infrastructure Security Agency (CISA). However, the report noted a lack of documented policies or coordination procedures between the EPA, CISA, and other federal and state authorities.
This oversight has been flagged before. In August, the Government Accountability Office (GAO) recommended the establishment of a robust cybersecurity reporting infrastructure for the water sector, but action remains pending.
EPA’s Response and Challenges
An EPA spokesperson stated the agency is reviewing the report and remains committed to improving water sector cybersecurity. Efforts include providing technical assistance, tools, training, and funding to enhance protections. The EPA also receives cyber incident information from CISA and the FBI.
However, recent attempts by the EPA to enforce cybersecurity regulations have faced resistance. Following the release of the National Cybersecurity Strategy, the EPA proposed new rules, but a lawsuit from industry groups and Republican lawmakers led to their repeal. Critics argued the regulations would impose financial burdens on consumers, stalling the EPA’s initiatives.
Increasing Cyber Threats
The report comes amid a surge in cyberattacks on water utilities. Over the past year, ransomware attacks have disrupted water systems in California, Kansas, Texas, Florida, and beyond. American Water Works, a major supplier, suffered a ransomware attack last month, limiting access to key online platforms. Additionally, nation-state actors, including Iranian hackers, have targeted U.S. water systems, further heightening concerns.
Steps Toward Cybersecurity Improvements
Despite setbacks, the EPA is pursuing alternative measures to address vulnerabilities. Initiatives include forming a Water Sector Cybersecurity Task Force to identify mitigation strategies and publishing a manual on cyber incident response in collaboration with law enforcement.
In May, the EPA issued an “enforcement alert” after inspections found over 70% of water utilities fail to meet basic cybersecurity standards. Alarmingly, many still rely on default passwords and single logins, exposing critical systems to potential compromise.
The Road Ahead
The vulnerabilities outlined in the OIG report emphasize the urgency for improved cybersecurity measures across U.S. water systems. As cyber threats continue to grow, strengthening defenses and ensuring robust coordination between agencies, utilities, and law enforcement will be critical to safeguarding public health and economic stability.
Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com
