Report: Over 100M Americans Rely on Vulnerable Water Systems
Inspector General Report Reveals 97 Water Systems With Critical Cybersecurity RisksMore than 100 million Americans rely on drinking water systems with cybersecurity flaws that could enable hackers to "disrupt service or cause irreparable physical damage to drinking water infrastructure," according to a new federal report.
See Also: Five Ways to Improve SOC Efficiency in 2025
The Environmental Protection Agency's inspector general reviewed more than 1,000 drinking water systems serving 193 million people nationwide, identifying 97 systems with critical or high-risk cybersecurity vulnerabilities that affect 26.6 million people. Another 211 systems, serving over 82.7 million, were flagged for issues such as "externally visible open portals."
The report warns that a one-day disruption in water service across the U.S. "could jeopardize $43.5 billion in economic activity" in addition to generating public health concerns.
The inspector general also found that the EPA lacked a cybersecurity incident reporting system for water and wastewater system owners and operators to report potential breaches or vulnerabilities.
"This challenge is not hypothetical," the report warned, noting how recent high-profile incidents at water systems "demonstrated the urgency needed to address cybersecurity weaknesses and vulnerabilities to physical attacks."
The report comes after the largest water utility in the country was hit with a cybersecurity incident that led to the shutdown of its customer portal in October. New Jersey-based American Water, the largest regulated water and wastewater utility in the U.S. serving over 14 million people across 14 states and 18 military installations, reported it had discovered unauthorized activity in its computer networks and systems caused by a cyber incident (see: Largest US Water Utility Hit by Cybersecurity Incident).
In September, the FBI and Department of Homeland Security also said federal law enforcement was investigating a cyberattack on a water treatment facility in Arkansas City, Kansas.
Federal agencies including the EPA and Cybersecurity and Infrastructure Security Agency have urged water and wastewater utilities to strengthen their cybersecurity defenses in response to escalating threats (see: New Guidance Urges US Water Sector to Boost Cyber Resilience). Security experts say the sector’s complexity - spanning a mix of privately owned and public utilities governed by diverse state and local regulations - makes achieving harmonized cyber standards particularly challenging.
Many small and medium-sized water utilities lack the resources to establish dedicated cybersecurity teams capable of countering sophisticated threats. The Biden administration abandoned plans for federally mandated safety assessments earlier this year after attorneys general from Missouri, Arkansas and Iowa argued the measures would impose financial burdens on underresourced utilities and their customers (see: US EPA Nixes Cybersecurity Assessments of Water Systems).
When the inspector general attempted to notify the EPA about water system security flaws, the watchdog discovered that the agency lacks its own reporting system, instead relying on CISA. The report also said the inspector general was unable to find documented policies or procedures related to the EPA's public and private coordination and response plans in the event of a cybersecurity incident.
"One of the themes that has been highlighted is how and where vulnerability reporting happens," said Sean Arrowsmith, head of industrials for the cybersecurity firm NCC Group. "It's important for industries such as water to have the support of a body to report incidents to, and for incident data to be shared among others so there is a collective approach to resilience across the sector."
The EPA did not respond to a request for comment.