EPA Inspector General Exposes Potentially Severe Cyber Risks in Water Systems
EPA Inspector General Exposes Potentially Severe Cyber Risks in Water Systems
The U.S. Environmental Protection Agency (EPA)’s Office of Inspector General (OIG) released a report detailing cybersecurity vulnerabilities within U.S. drinking water systems, highlighting concerns for public health and infrastructure integrity. After assessing 1,062 public-facing drinking water systems, serving approximately 193 million individuals, the OIG found that 97 systems—serving contained critical or high-risk vulnerabilities. These weaknesses, identified across email security, IT hygiene, network vulnerabilities, adversarial threats, and malicious activity categories, pose potential risks for service disruption, data breaches, and even physical infrastructure damage. According to the OIG report, "If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure."
In addition to the identified security weaknesses, the report raised concerns regarding the EPA’s incident reporting capabilities. Currently, the EPA lacks a dedicated cybersecurity incident reporting system for drinking water and wastewater facilities, relying instead on the Cybersecurity and Infrastructure Security Agency (CISA) for incident notifications and responses. This reliance on external reporting, without an integrated system within the EPA itself, has contributed to challenges in coordinating incident responses and maintaining oversight. “While attempting to notify the EPA about the cybersecurity vulnerabilities, we found that the EPA does not have its own cybersecurity incident reporting system that water and wastewater systems could use to notify the EPA of cybersecurity incidents,” the OIG report stated. This gap could potentially delay timely responses to cybersecurity incidents, heightening the risk of exploitation by malicious actors.
The scope and nature of these vulnerabilities, combined with the critical infrastructure they support, could have extensive downstream impacts if exploited. A single day of disrupted water service across the U.S. could lead to an estimated $43.5 billion in economic losses, according to a report from the U.S. Water Alliance in 2023. Examples from major water systems, such as Charlotte Water and the California State Water Project, suggest potential losses ranging from hundreds of millions to billions in revenue per day in the event of service disruptions. The vulnerabilities identified reflect broader systemic challenges, as a May 2024 EPA report noted that over 70% of water systems were not in compliance with the Safe Drinking Water Act, primarily due to security flaws like default passwords and shared logins among employees.
The report concludes with recommendations for the EPA to develop a national cybersecurity strategy for water systems, prioritize high-risk vulnerabilities, and establish a dedicated incident reporting mechanism.