A report out this month by the Environmental Protection Agency’s (EPA) Inspector General (IG) finds that drinking water systems serving approximately 26.6 million people have critical or high-risk cybersecurity vulnerabilities.
On Oct. 8 the IG completed a cyber assessment of more than 1,000 drinking water systems that serve over 193 million people across the United States, and identified 97 drinking water systems, each serving more than 50,000 users, as falling in either the critical or the high-risk cybersecurity category.
The IG assessment used a non-linear scoring algorithm to prioritize the highest-risk findings so that they can be addressed first. Findings were ranked by score, which took into account the impact of the problem identified, the risk to the organization, and the number of times the problem had been observed. Impact was scored at one of four levels across five categories: email security; IT hygiene; vulnerabilities; adversarial threats; and malicious activity.
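The report does not publish the IG's scoring formula, so the following is an added illustration (not the IG's code) of what such a prioritization looks like in practice: each finding carries one of four impact levels in one of the five categories, a risk-to-organization weight, and an observation count; a non-linear score combines them so that a single critical-impact finding outranks many low-impact ones; findings are ranked by score, and each water system is rated by its highest-scoring finding. The exponent on impact, the logarithmic scaling of observations, the tier thresholds, and the sample findings are all assumptions constructed for the example.

```python
"""Illustrative non-linear prioritisation of cybersecurity findings.

Added example; the weighting, thresholds and sample data are assumptions,
not the EPA Inspector General's actual algorithm.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

# The five categories named in the report.
CATEGORIES = (
    "email security",
    "IT hygiene",
    "vulnerabilities",
    "adversarial threats",
    "malicious activity",
)

# Four impact levels, mapped to an ordinal used in the score.
IMPACT_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed score thresholds for rating a whole system (highest first).
TIER_THRESHOLDS = (("critical", 60.0), ("high", 30.0), ("medium", 10.0))


@dataclass(frozen=True)
class Finding:
    system: str        # water system the finding belongs to
    category: str      # one of CATEGORIES
    impact: str        # one of IMPACT_LEVELS
    org_risk: float    # assumed 0.0..1.0 risk to the organization
    observations: int  # how many times the problem was observed (>= 1)


def score_finding(f: Finding) -> float:
    """Non-linear score: impact is squared so one critical finding outweighs
    many low ones; organisational risk scales the result linearly; repeated
    observations add weight with diminishing returns (log2)."""
    if f.category not in CATEGORIES:
        raise ValueError(f"unknown category: {f.category}")
    if f.observations < 1:
        raise ValueError("observations must be >= 1")
    impact = IMPACT_LEVELS[f.impact] ** 2
    risk = 0.5 + max(0.0, min(1.0, f.org_risk))
    repeat = 1.0 + math.log2(f.observations)
    return impact * risk * repeat


def rank_findings(findings: list[Finding]) -> list[tuple[Finding, float]]:
    """Findings paired with their score, highest priority first."""
    scored = [(f, score_finding(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def tier_for_score(score: float) -> str:
    """Map a score to one of the four tiers using the assumed thresholds."""
    for tier, threshold in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "low"


def rate_systems(findings: list[Finding]) -> dict[str, str]:
    """Rate each system by its single highest-scoring finding."""
    best: dict[str, float] = defaultdict(float)
    for f, s in rank_findings(findings):
        best[f.system] = max(best[f.system], s)
    return {system: tier_for_score(s) for system, s in best.items()}


def systems_in_tiers(ratings: dict[str, str], tiers: set[str]) -> list[str]:
    """Systems whose rating falls in the given tiers, e.g. {'critical', 'high'}."""
    return sorted(sys for sys, tier in ratings.items() if tier in tiers)


# Constructed sample findings (not from the report).
SAMPLE_FINDINGS = [
    Finding("System A", "vulnerabilities", "critical", 1.0, 4),
    Finding("System A", "email security", "medium", 0.5, 8),
    Finding("System B", "IT hygiene", "low", 0.25, 1),
    Finding("System B", "adversarial threats", "high", 0.5, 2),
    Finding("System C", "IT hygiene", "medium", 0.25, 1),
]

if __name__ == "__main__":
    for f, s in rank_findings(SAMPLE_FINDINGS):
        print(f"{s:6.2f}  {f.system:9s} {f.category:20s} {f.impact}")
    ratings = rate_systems(SAMPLE_FINDINGS)
    print(ratings)
    print("critical/high:", systems_in_tiers(ratings, {"critical", "high"}))
```

The important design choice is the non-linearity: with impact squared, a single critical finding (ordinal 4, weight 16) cannot be outranked by a handful of low-impact findings (weight 1 each) no matter how often they recur, which is the behaviour a prioritization meant to surface "address first" items needs.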
Although they did not rise to the level of critical or high-risk cybersecurity vulnerabilities, the IG identified an additional 211 drinking water systems – serving over 82.7 million people – as medium or low risk for “having externally visible open portals.”
The report emphasizes that cybersecurity risks exist for all facilities within drinking water systems. The methodology for determining cybersecurity risk included mapping the digital footprint of each of the 1,062 drinking water systems; over 75,000 IPs and 14,400 domains were analyzed for potential cyber vulnerabilities.
“If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” the report says.
While attempting to notify the EPA of the cybersecurity vulnerabilities it found, the IG discovered that the EPA does not have its own cybersecurity incident reporting system that water and wastewater systems could use to report cybersecurity incidents to the agency.
The IG noted that the EPA currently relies on the Cybersecurity and Infrastructure Security Agency to provide this type of reporting information, but the IG was unable to find “documented policies and procedures related to the EPA’s coordination with the Cybersecurity and Infrastructure Security Agency and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies.”
The agency said earlier this year it plans to develop a water sector risk assessment and risk management plan that addresses cybersecurity in accordance with President Biden’s April 2024 National Security Memorandum.
“The water sector risk assessment and risk management plan will be completed in January 2025 and refreshed biannually thereafter,” said Benita Best-Wong, Acting Assistant Administrator for the EPA’s Office of Water.