Nearly 27 million Americans are served by drinking water systems that have high-risk or critical cybersecurity vulnerabilities, according to a new report from the U.S. Environmental Protection Agency’s Office of the Inspector General (OIG).
An additional 83 million Americans are served by systems that have medium or low-severity vulnerabilities, defined as “having externally visible open portals,” the EPA OIG report said.
The OIG investigation is the latest effort to bolster inadequate cybersecurity in U.S. water systems, following a Government Accountability Office (GAO) report in August, an EPA warning in May, and warnings from security researchers that Russian threat groups and other foreign adversaries are targeting water systems.
Water and wastewater systems are some of the most vulnerable critical infrastructure sectors to cyberattacks – communities are generally unprepared for outages that could last for days or longer. Fortunately, recent cyberattacks on American Water Works and Arkansas City, Kansas did not appear to reach operational technology (OT) networks.
“If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” the OIG report said.
Water Systems Networks Scanned for Vulnerabilities
The OIG investigation looked at drinking water systems serving 50,000 or more people, 1,062 systems in all, covering 193 million people or about 56% of the U.S. population. The Oct. 8 vulnerability scans identified 97 high-risk water systems and 211 moderate risk ones.
The vulnerability tests “consisted of a multilayered, passive assessment tool to scan the public-facing networks” of the drinking water systems, the report said.
“The results identified cybersecurity vulnerabilities that an attacker could exploit to degrade functionality, cause loss or denial of service, or facilitate the theft of customer or proprietary information,” OIG said.
A non-linear scoring algorithm was used to prioritize the highest risk findings that should be addressed first, OIG said. The findings are ranked by a score that considers the impact of the problem, the risk to the organization, and the number of times the problem has been observed. Risks were grouped by five categories: email security; IT hygiene; vulnerabilities; adversarial threats, and malicious activity.
The report noted the complexity of drinking water systems, which “can be comprised of many components, or facilities, that are located throughout a geographic area. Those facilities can include buildings and infrastructure used for the collection, pumping, treatment, storage, or distribution of drinking water.”
As a result of that complexity, more than 75,000 IPs and 14,400 domains were analyzed for potential vulnerabilities.
Reporting and Incident Response Issues Also Found
The OIG investigation also found weaknesses in reporting and coordinating responses to cybersecurity incidents at the water systems.
“While attempting to notify the EPA about the cybersecurity vulnerabilities, we found that the EPA does not have its own cybersecurity incident reporting system that water and wastewater systems could use to notify the EPA of cybersecurity incidents,” the report said.
Instead, the agency relies on the Cybersecurity and Infrastructure Security Agency (CISA) for incident reporting.
“Moreover, we were unable to find documented policies and procedures related to the EPA’s coordination with the Cybersecurity and Infrastructure Security Agency and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies,” OIG said.
Water Infrastructure Act Compliance Challenges
The report also looked at the challenging history of achieving compliance with the America’s Water Infrastructure Act of 2018 (AWIA), a comprehensive revision of the Safe Drinking Water Act.
Section 2013 of AWIA requires community water systems that serve more than 3,300 people to develop or update risk and resilience assessments and emergency response plans, including the resilience of physical and cyber infrastructure, monitoring practices, and strategies for responding to malevolent acts or natural hazards. Section 2013 also requires water systems to certify to the EPA that the system completed its risk and resilience assessment and emergency response plan.
However, findings in the last two years both from the OIG and the EPA have found that compliance with those requirements remains lacking.