Dive Brief:
- Environmental Protection Agency officials found critical or high-risk vulnerabilities in 97 drinking water systems that serve more than 26 million people across the U.S., according to a report released last week by the agency’s Office of Inspector General.
- Another 211 water systems, serving almost 83 million people, had medium- to low-risk vulnerabilities, including open portals that were visible from the outside. These water systems could face major disruptions or physical damage if a malicious hacker tried to exploit those vulnerable systems.
- The OIG report noted the EPA does not have an incident reporting system and relies on the Cybersecurity and Infrastructure Security Agency’s system. The OIG also could not find documented policies and procedures for how the EPA coordinates with CISA and other federal agencies to address these issues.
Dive Insight:
The report highlights ongoing concerns about the threat of attack targeting the drinking and wastewater utility industry in the U.S. A growing number of utilities have faced attacks from criminal ransomware and state-linked threat groups over the past year, including adversaries linked to Russia, China and Iran.
Just last month American Water Works, the nation’s largest regulated water utility, was targeted in a cyber intrusion and had to take certain systems offline.
“In an era where cyber threats are increasingly sophisticated, we urge the EPA to prioritize the resilience of our water systems and take seriously the issues we highlight in this report,” EPA Inspector General Sean O’Donnell told Cybersecurity Dive in an emailed statement. “We are committed to providing robust oversight that bolsters the Agency’s efforts to protect water infrastructure and improve the sector’s security posture.”
The EPA is reviewing the report and acknowledged “long-standing concerns about cybersecurity-related threats and vulnerabilities facing the water sector,” a spokesperson said via email.
The OIG report could indicate much wider risks at water utilities. The results were based on passive scanning of only 1,062 drinking water systems in the U.S., a fraction of the nation’s tens of thousands of drinking and wastewater systems.
The EPA has been working closely with the sector to provide water utilities technical assistance, guidance, tools, training and funding, according to the spokesperson.
CISA has warned repeatedly that water systems are at risk of attack from hacktivist groups due to poor cyber hygiene and misconfiguration, with operators relying on default passwords, failing to use multifactor authentication and exposing systems to the internet.
Earlier this month, the USDA and the White House launched a one-year program with the National Rural Water Association to help rural water utilities boost cyber resilience.