The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) has published a report identifying major cybersecurity vulnerabilities in drinking water systems serving large populations across the United States.
The report, which focuses on systems serving populations of 50,000 or more, finds that many of these critical systems are at risk of cyberattacks that could disrupt service, cause data loss, or enable information theft.
Key Findings of the Report
The OIG conducted a passive assessment of 1,062 drinking water systems, each serving populations of 50,000 or more, covering approximately 193 million people. The findings, based on scans conducted on October 8, 2024, revealed:
- Critical and High-Risk Vulnerabilities: 97 systems serving 26.6 million people were found to have critical or high-risk vulnerabilities, exposing them to potential disruptions, service denials, or data theft.
- Medium and Low-Risk Issues: An additional 211 systems, serving over 82.7 million people, were identified as having externally visible open portals. Although classified as lower risk, these systems remain exposed to exploitation if the portals are not addressed.
These vulnerabilities could allow malicious actors to disrupt services, steal sensitive information, or even cause physical damage to infrastructure.
“Although not rising to a level of critical or high-risk cybersecurity vulnerabilities, an additional 211 drinking water systems, servicing over 82.7 million people, were identified as medium and low by having externally visible open portals.”
EPA
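The "externally visible open portal" finding is the kind of result a utility can reproduce for itself by comparing an external attack-surface scan against an inventory of services it actually intends to expose. The script below is an added illustration, not part of the OIG report or any EPA tooling: it takes constructed passive-scan findings for a fictional utility (RFC 5737 documentation addresses), reconciles them against an approved-public-services list, and ranks anything unapproved, escalating management and OT protocols and anything whose banner identifies an HMI or SCADA interface. The port-to-service names are standard IANA assignments; everything else (hosts, banners, the approved list, the severity labels) is assumed for the example.

```python
"""Reconcile external exposure findings against an approved-services inventory.

All findings, hosts and banners below are constructed for this example;
they are not data from the EPA OIG assessment.
"""
from dataclasses import dataclass

# Management and OT protocols that should not be reachable from the internet.
# Port numbers are the standard IANA assignments for these services.
HIGH_RISK_SERVICES = {
    502: "Modbus/TCP",
    20000: "DNP3",
    3389: "RDP",
    5900: "VNC",
    23: "Telnet",
}

# Common portal/service ports: unapproved exposure is a finding, but lower severity.
MEDIUM_RISK_SERVICES = {
    21: "FTP",
    22: "SSH",
    80: "HTTP",
    443: "HTTPS",
}

# Banner keywords that indicate an operator interface regardless of port.
OT_BANNER_KEYWORDS = ("hmi", "scada", "plc")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    banner: str


@dataclass(frozen=True)
class Triage:
    host: str
    port: int
    service: str
    severity: str  # "critical", "medium", "low" or "approved"
    reason: str


def classify(finding: Finding, approved: set[tuple[str, int]]) -> Triage:
    """Assign a severity to one exposed service based on the inventory and port/banner."""
    service = (HIGH_RISK_SERVICES.get(finding.port)
               or MEDIUM_RISK_SERVICES.get(finding.port)
               or f"tcp/{finding.port}")
    if (finding.host, finding.port) in approved:
        return Triage(finding.host, finding.port, service, "approved",
                      "listed in the approved public-service inventory")
    banner = finding.banner.lower()
    if finding.port in HIGH_RISK_SERVICES or any(k in banner for k in OT_BANNER_KEYWORDS):
        return Triage(finding.host, finding.port, service, "critical",
                      "management or OT interface exposed to the internet")
    if finding.port in MEDIUM_RISK_SERVICES:
        return Triage(finding.host, finding.port, service, "medium",
                      "externally visible portal not in the approved inventory")
    return Triage(finding.host, finding.port, service, "low",
                  "unexpected open port; confirm ownership and purpose")


def triage(findings, approved):
    """Classify every finding and order the result most severe first."""
    rank = {"critical": 0, "medium": 1, "low": 2, "approved": 3}
    return sorted((classify(f, approved) for f in findings),
                  key=lambda t: (rank[t.severity], t.host, t.port))


def summarize(results):
    """Count findings per severity, e.g. for a remediation report."""
    counts = {}
    for r in results:
        counts[r.severity] = counts.get(r.severity, 0) + 1
    return counts


# Constructed sample scan output for a fictional utility.
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", 443, "nginx - customer billing portal"),
    Finding("203.0.113.10", 22, "OpenSSH"),
    Finding("203.0.113.12", 502, ""),
    Finding("203.0.113.12", 5900, "RFB 003.008"),
    Finding("203.0.113.15", 8443, "Plant HMI web client"),
    Finding("203.0.113.20", 80, "Apache"),
]

# The only service the fictional utility intends to expose publicly.
APPROVED_PUBLIC = {("203.0.113.10", 443)}

if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS, APPROVED_PUBLIC):
        print(f"{t.severity:9} {t.host}:{t.port:<5} {t.service:12} {t.reason}")
    print(summarize(triage(SAMPLE_FINDINGS, APPROVED_PUBLIC)))
```

The approved inventory is the important input: without it every reachable service looks like a finding, and with it the output becomes a short list of things that should not be there, which is what a small utility with limited security staff can actually act on.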
The report also highlights a gap in the EPA’s ability to manage cybersecurity incidents effectively. The OIG noted the absence of a centralized incident reporting system for water and wastewater systems. This limitation hampers timely communication and coordinated responses to cybersecurity threats within this critical sector.
Expert Insights
Casey Ellis, founder of Bugcrowd, commented on the issue, emphasizing the unique challenges of critical infrastructure like water systems. “Aging technology, limited cybersecurity support, and the need to prioritize uptime often conflict with patching or adding security measures,” Ellis explained.
He added that many systems were never designed to be connected to the internet but have been adapted to meet modern workforce demands, increasing their exposure to cyber threats.