EPA Office of Inspector General Warns That More Than 200 Drinking Water Systems Have Cybersecurity Vulnerabilities
The National Institutes of Health (NIH) estimates that almost one in two adults and one in four children in the United States do not drink tap water on a given day. The numbers are worse in minority and low-income populations because they tend to live in rural areas where the water is contaminated or in older housing with lead pipes.
A 2017 study published by NIH found that even in areas where tap water is safe to consume, many people remain afraid of contamination or maintain a distrust of the municipal system and avoid drinking it.
Adding to the numerous reasons why someone might distrust tap water are recent cybersecurity concerns raised by the U.S. Environmental Protection Agency’s Office of the Inspector General (EPAOIG).
In a passive assessment of more than 1,000 drinking water systems, the EPAOIG found cybersecurity vulnerabilities that an attacker could use to impact service to tens of thousands, potentially millions, of people.
The systems the EPAOIG studied were those that serve at least 50,000 people. The assessments determined that “97 drinking water systems serving approximately 26.6 million users as having either critical or high-risk cybersecurity vulnerabilities.”
Another 211 systems, serving 82.7 million people, were identified as medium- and low-risk for having externally visible open portals, the report added.
The systems were analyzed and scored based on five categories: email security, IT hygiene, vulnerabilities, adversarial threats, and malicious activity.
The report noted that cybersecurity risks exist for all facilities within drinking water systems, which are made up of several facilities within a geographic area that can include collection, treatment, and storage.
“If malicious actors exploited the cybersecurity vulnerabilities identified…they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” according to the report.
A disruption of just one day of water service across the United States could jeopardize $43.5 billion in economic activity, especially as some industries, such as agriculture, can be highly water-dependent.
During the assessment, the office also determined that the EPA lacks its own cybersecurity incident reporting system, meaning that water and wastewater systems could not directly notify the EPA about cybersecurity incidents. Instead, the agency relies on the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to provide such reports.
The report is not entirely unique. The U.S. Government Accountability Office issued a report in August that recommended the agency assess risks posed to the water and wastewater sector, develop and implement a national cybersecurity strategy, and more. In March and May, the EPA issued its own warnings about cybersecurity risks to public water utilities.
U.S. critical infrastructure, including water and wastewater systems, has increasingly been targeted by cyberattacks.
“Whether instigated by domestic cyber criminals seeking financial gain or foreign adversaries motivated by geopolitical revenge, the impact of these exploits can be far reaching, propagating problems both down and upstream from the initial target,” Joe Morgan and Wayne Dorris, CISSP, wrote for April’s Security Technology. “…Because nowadays there are many interdependencies among systems that are foundational to our country’s operations and security—everything from healthcare and basic social services to energy and agriculture.”