A report from the U.S. Environmental Protection Agency’s (EPA) Office of Inspector General has revealed critical cybersecurity vulnerabilities in over 300 water facilities across the country, posing significant risks to public health and economic stability. The report highlights systemic weaknesses in reporting, preparedness, and response mechanisms, leaving drinking water systems susceptible to cyberattacks.
Investigation highlights and key findings
The investigation, led by Nicolas Evans, Acting Assistant Inspector General, used a passive assessment tool to analyze over 75,000 IP addresses and 14,400 domains across 1,062 drinking water systems. Of these, 97 systems serving 26.6 million people were flagged for critical or high-risk vulnerabilities, while an additional 211 systems were found to have medium and low-risk issues. Together, these systems supply water to over 82.7 million residents, underscoring the widespread nature of the threat.
Key findings include:
- Many systems failed to change default passwords and relied on shared login credentials across all staff.
- Access for former employees remained active, exacerbating risks.
- Exposed infrastructure allowed potential attackers to infiltrate sensitive systems.
The vulnerabilities identified could allow attackers to degrade system functionality, deny service, or steal proprietary information. Notably, a one-day disruption to the U.S. water infrastructure could result in $43.5 billion in economic losses, according to the U.S. Water Alliance.
Systemic problems in critical infrastructure
The EPA, tasked with ensuring the security of water systems under Presidential Policy Directive 21, has faced challenges in its oversight responsibilities. While the America’s Water Infrastructure Act of 2018 mandated risk assessments and emergency response plans, over 70% of inspected systems failed to comply. The EPA has struggled to enforce compliance, citing limited resources and inadequate policies for cybersecurity incident reporting.
The report also highlighted two case studies demonstrating the potential economic and societal impact of disruptions. The first is Charlotte Water, which serves 890,000 residents, where a service disruption could lead to $132 million in daily losses. The second is the California State Water Project, which serves 27 million residents, where a statewide disruption could cost $61 billion per day.
Recommendations for mitigation
To address these vulnerabilities, the report recommends the following actions:
- Systems identified as high-risk must prioritize resolving flagged issues.
- Staff at water facilities should receive comprehensive cybersecurity education to prevent common errors.
- Eliminate shared credentials and ensure prompt revocation of access for departing employees.
- Perform periodic assessments to identify and mitigate emerging threats.
- Develop a national cybersecurity strategy for water systems, leveraging resources from the Cybersecurity and Infrastructure Security Agency (CISA).
Given the critical role water systems play in public health and the economy, securing these infrastructures is a matter of national importance. The EPA warned that, without immediate and decisive intervention, the vulnerabilities in these essential systems will continue to pose severe risks to communities and the economy alike.