EPA Report Identifies Cybersecurity Vulnerabilities in Water Systems


Quick take - The EPA’s Office of Inspector General reported on November 13, 2024, that 97 drinking water systems in the U.S. have critical cybersecurity vulnerabilities affecting approximately 26.6 million people, highlighting the need for immediate action to address these risks to public health and economic stability.

Fast Facts

  • The EPA’s OIG report identifies cybersecurity vulnerabilities in 97 drinking water systems, affecting approximately 26.6 million Americans.
  • The assessment evaluated 1,062 systems, revealing that over 70% fail to meet basic cybersecurity standards, with common issues like default passwords and inadequate access controls.
  • In addition to high-risk systems, 211 others show medium or low-risk vulnerabilities, impacting over 82.7 million individuals.
  • The report warns of potential severe service disruptions and significant economic losses, with examples including Charlotte Water facing $132 million daily losses.
  • The OIG emphasizes the urgent need for a national cybersecurity strategy for water systems and improved coordination among federal and state authorities to protect public health and infrastructure.

EPA Report Highlights Cybersecurity Vulnerabilities in Drinking Water Systems

On November 13, 2024, the Environmental Protection Agency’s (EPA) Office of Inspector General (OIG) released a report identifying critical cybersecurity vulnerabilities in 97 drinking water systems across the United States. These vulnerabilities potentially impact approximately 26.6 million Americans.

Assessment Overview

The OIG’s assessment evaluated 1,062 drinking water systems, which collectively serve over 193 million people. In addition to the high-risk systems, 211 others exhibit medium or low-risk vulnerabilities, affecting over 82.7 million individuals. The assessment involved analyzing more than 75,000 IP addresses and examining 14,400 domains associated with these drinking water systems.

The identified vulnerabilities stem from inadequate risk assessments and poor cybersecurity practices. Insufficient access controls for former employees were also highlighted as a contributing factor. The report warns of potential severe service disruptions, physical damage to drinking water infrastructure, and significant economic losses. For example, Charlotte Water could face a daily loss of $132 million, while the California State Water Project could see an estimated $61 billion in losses.

Lack of Coordination and Strategy

Currently, the EPA lacks a dedicated incident reporting system for cybersecurity threats and relies on the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) for this function. The report highlights the absence of documented procedures for coordination among federal and state authorities regarding cybersecurity incidents.

The Government Accountability Office (GAO) has recommended that the EPA develop a national cybersecurity strategy for water systems and assess the EPA’s legal authorities for oversight. The OIG emphasizes the urgency of addressing cybersecurity vulnerabilities in water systems to safeguard public health and economic stability.

Urgent Need for Action

Over 70% of inspected drinking water systems fail to meet basic cybersecurity standards. Common issues include the use of default passwords and inadequate access controls, which contribute to the susceptibility of these systems. These vulnerabilities could lead to breaches compromising customer and proprietary information.

Water systems play a critical role in public health and infrastructure, making them attractive targets for cybercriminals and state-sponsored attackers. There is a significant potential for severe public health crises and economic disruptions due to water service interruptions. The OIG calls for immediate action from federal, state, and local agencies, emphasizing the need to address these cybersecurity gaps and enforce necessary standards to ensure the resilience of the nation’s critical infrastructure.
