A recent investigation by the US Environmental Protection Agency's Office of Inspector General (OIG) uncovered critical cybersecurity vulnerabilities in drinking water systems across the United States. The recently released report highlights security gaps that could lead to disrupted water services for millions of Americans.
The OIG identified the security flaws through a passive assessment of 1,062 drinking water systems serving populations of 50,000 or more. The results: 97 systems serving approximately 26.6 million users were found to have critical or high-risk cybersecurity vulnerabilities. An additional 211 systems, servicing more than 82.7 million people, were identified as having medium to low-risk vulnerabilities.
Malicious actors could exploit these vulnerabilities to disrupt service or cause irreparable damage to drinking water infrastructure. The potential economic impact is high: according to a 2023 report from the US Water Alliance, a one-day disruption in water service across the United States could jeopardize $43.5 billion in economic activity.
Securing water treatment plants has been a long-standing challenge.
"Historically, this is due to budget constraints, or budget priorities, we could say. Many infrastructure facilities, such as water treatment plants, are owned and operated by cities or counties, which means they depend on local taxes and revenue to fund solutions. They don't ever seem to find the capital necessary to engage in a transformational journey that will take years," said Jon Taylor, director and principal of security at Versa Networks.
"Unfortunately, investing preventively in cybersecurity to defend against events that may seem hypothetical to some can take a back seat to short-term operating needs. They don't seem to realize that the risks are also near-term and real," Taylor added.
Like other critical infrastructure industries, water and wastewater treatment facilities are complex industrial operations.
"They must secure IT and OT, as well as cloud services and the factory machines. They have infrastructure from multiple vendors, some of which are out of support. So, their security requirements are bespoke, and it's not very appealing to cyber professionals who may want to work in fast-growth cloud environments. This all results in substandard security for the facilities," said Ambuj Kumar, CEO at Simbian.
The report does provide two sobering examples of the potential impact. A water service disruption across all Charlotte water facilities, serving 890,000 people, could cost at least $132 million in lost revenue per day. Even more alarmingly, a state-wide disruption of the California State Water Project, which serves more than 27 million individuals, could result in a daily loss of at least $61 billion.
Adding to the concern, the OIG found that the EPA lacks a cybersecurity incident reporting system for water and wastewater systems. Currently, the agency relies on the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency for this critical information.
"What's being described in the EPA OIG report is as much a cultural issue as a technical one. For instance, 'failure to change default passwords, use of single logins for all staff, and failure to curtail access by former employees' is emblematic of process issues that should have been addressed in the 1990s," said John Terrill, CISO of Phosphorus Cybersecurity.
"I'm well aware that poor practices like that are still in place in many organizations, but the water infrastructure operators have lacked organizational oversight for some time. I suspect the EPA's focus has been on water quality levels and not on the efficacy or modernization of the operators," Terrill added.
Sean Arrowsmith, head of industrials at cybersecurity consulting firm NCC Group, added that risk prioritization must be a key strategy.
"When helping organizations in their security transformation journey as they embrace digitization, it's about having an appropriate and proportionate approach to prioritization and risk treatment. The impact of a cyber incident on some systems may be minimal, so those can be low on the list. Still, if a system could have a safety impact or cause an impact on operational continuity, then it should be a priority," Arrowsmith said.
This report underscores the urgent need for enhanced cybersecurity in critical infrastructure. As water systems become increasingly digitized, the potential for cyberattacks grows, threatening our water supply, public health, and economic stability.
Kumar added that the immediate steps water treatment facilities should take include some of the most straightforward measures.
"The easiest things are changing the default passwords on systems, changing the default port and network addresses of the services, and disconnecting anything that doesn't need internet from the public internet," he said.
Taylor added that water treatment plants must perform proper security and network segmentation of the OT environment that connects the machines that do water filtration for the population. "Also evaluate and employ modern cybersecurity measures within the enterprise networks to limit risk and exposure. This will also help in remediation if there is an incident," he said.
Experts agree that plants must attain clear visibility into their entire environment to understand where and how their IT and OT systems interconnect.
Over the long term, Arrowsmith added that sharing threat information and vulnerabilities enables the industry to defend against malicious actors collectively.
"This practice is essential for enhancing overall industry cyber resilience. By sharing threat data and information, companies can identify common risks and implement measures to mitigate them. This data sharing could involve multiple operators and regions, allowing for a comprehensive analysis of cybersecurity threats to the water industry," he said.
Arrowsmith also stressed that there should be a culture of being able to share incident data and vulnerabilities without reprimand, as it will ultimately raise the security posture of the sector.
Kumar stressed how essential and potentially life-threatening attacks on water treatment plants could be. "We ought to take cyberthreats to utilities at the same level as biological weapons," Kumar said. "Let it be known that a cyberattack on a water plant will be considered an act of war and responded to with the full power of American forces. When criminals steal data from a website, that's bad, but when they adulterate water supply, people may die," he said.
"Industry and regulators could help by providing guidance, and they do, on achieving this to ensure the best use of scarce resources. Sometimes, vulnerabilities in industrial systems don't matter once the context is understood—for example, if a scan identifies a virus malware in the traffic on an industrial network, it might flag it as a critical risk, but if there are no vulnerable devices that the malware can execute on, then they can disregard that finding and just leave it. They would only need to record that decision," said Arrowsmith.
"If we were to put new federal and state regulations in place regarding cybersecurity standards and architectures, then it would force local entities to prioritize these systems for overhaul," said Taylor.
The report comes after the America's Water Infrastructure Act of 2018, which required community water systems serving more than 3,300 people to develop risk and resilience assessments and emergency response plans. However, a May 2024 EPA enforcement alert found that more than 70% of inspected water systems failed to comply with these requirements.
As the designated sector risk management agency for water and wastewater systems, the EPA faces mounting pressure to address these vulnerabilities. The OIG has called for immediate action to strengthen cybersecurity measures and improve incident reporting procedures.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.