Report: Management Implication Report: Cybersecurity Concerns Related to Drinking Water Systems

Report # 25-N-0004, November 13, 2024

Why We Did This Report

As part of the U.S. Environmental Protection Agency Office of Inspector General’s continued oversight of the EPA’s role as a sector risk management agency, passive assessment of cybersecurity vulnerabilities was conducted on drinking water systems with populations served of 50,000 people or greater. The results identified cybersecurity vulnerabilities that an attacker could exploit to degrade functionality, cause loss or denial of service, or facilitate the theft of customer or proprietary information.
 

Summary of Findings

The passive assessment covered 1,062 drinking water systems for cybersecurity vulnerabilities that serve over 193 million people across the United States. Scan results for October 8, 2024, identified 97 drinking water systems serving approximately 26.6 million users as having either critical or high-risk cybersecurity vulnerabilities. Although not rising to a level of critical or high-risk cybersecurity vulnerabilities, an additional 211 drinking water systems, servicing over 82.7 million people, were identified as medium and low by having externally visible open portals. If malicious actors exploited the cybersecurity vulnerabilities identified in this passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure. While attempting to notify the EPA about the cybersecurity vulnerabilities, the OIG found that the EPA does not have its own cybersecurity incident reporting system that water and wastewater systems could use to notify the EPA of cybersecurity

Report Materials

• Full Report - 25-N-004 (pdf) (1.37 KB)