More than 300 drinking water systems in the United States that serve almost 110 million people have security flaws, a third of which are “critical” or “high” vulnerabilities, that if exploited by bad actors could disrupt service, physically damage the infrastructure, or lead to the theft of customer or proprietary information, according to the Environmental Protection Agency (EPA).
In addition, the EPA’s Office of the Inspector General (OIG) in a report this week criticized the agency for lacking both a system that water and wastewater system operators could use to notify the EPA of cybersecurity incidents and documented policies and procedures outlining coordination with CISA and other federal and state agencies that would be involved in an emergency response, security metrics, or mitigation strategies.
Inspector Sean O’Donnell and Ted Stanich, associate administrator for the Office of National Security, also noted a report by the Government Accountability Office recommending the EPA assess the cyber risks to the water and wastewater sector, create and implement a national cybersecurity strategy, ensure it has the legal authority to carry out its responsibilities, and, if needed, ask for more authority.
“My office is notifying you of these concerns so that the Agency may take whatever steps it deems appropriate,” O’Donnell and Stanich wrote.
The OIG’s report comes after a year that saw municipal water systems come under attack by threat groups, some of which were connected to adversary nation-states like Iran.
The Municipal Water Authority in Aliquippa, Pennsylvania, last year was attacked by a hacking group called CyberAv3ngers, which is linked to Iran’s government and has a history of targeting critical infrastructure like water, energy, and transportation operations. The hackers exploited several flaws in programmable logic controllers developed by Unitronics to take control of a system used to monitor the water pressure of nearby towns.
The same group was suspected by the federal government of attacks on other water systems in the United States that were using Israeli-made equipment like Unitronics devices.
More recently, the municipal water system of Arkansas City, Kansas, was hit with a cyberattack at its water treatment facility, with officials saying the drinking water was safe and there was no disruption to services.
It’s why the OIG’s findings regarding security vulnerabilities are important.
“Drinking water systems are critical infrastructure,” O’Donnell and Stanich wrote. “As such, identifying and addressing cybersecurity concerns within these systems and reporting and coordinating responses to potential cybersecurity incidents is critical to preventing related disruption, corruption, and dysfunction, and to protecting public health.”
The report outlined the results of a passive assessment of vulnerabilities that was run on drinking water systems that served 50,000 or more people. The OIG used a “multilayered, passive assessment tool to scan the public-facing networks of 1,062 drinking water systems across the United States.” The program looked at five areas of concern: email security, IT hygiene, vulnerabilities, adversarial threats, and malicious activity.
Of the 1,062 systems assessed, 97 – serving about 26.6 million people – had either critical- or high-risk security flaws, the report found. Another 211 systems, serving more than 82.7 million people, were given medium- and low-risk scores for having externally visible portals.
The investigators mapped the digital footprint of each of the assessed drinking water systems, which comprise myriad facilities or components found throughout a geographic area, including buildings and infrastructure used to collect, pump, treat, store, and distribute drinking water.
More than 75,000 IPs and 14,400 domains were analyzed.
Water and wastewater systems were among 16 critical infrastructure systems identified by the Biden Administration as needing cybersecurity protections. In January, the EPA, FBI, and CISA issued a cybersecurity guide for water system operators, which came weeks after the U.S. Department of Homeland Security in a report directed CISA to coordinate with other agencies and water system operators to improve the sector’s cyber resilience.
The EPA in early 2023 ordered states to assess the security of their public water systems but rescinded the order later in the year after states and water works groups sued in federal court, claiming the agency was overstepping its authority.