A recent report from the U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) has highlighted significant cybersecurity vulnerabilities in the nation's drinking water systems. The report, released on November 13, 2024, underscores the urgent need for increased security measures to protect critical infrastructure.
The report examines drinking water systems serving 50,000 people or more. The findings revealed exploitable cybersecurity weaknesses that could disrupt service, cause data loss, or lead to information theft. Furthermore, while attempting to notify the EPA about the vulnerabilities it found, the OIG discovered that the EPA has no "cybersecurity incident reporting system" that water and wastewater systems could use to notify the agency of cybersecurity incidents.
Among the key findings:
- Widespread vulnerabilities: The OIG's passive (non-intrusive) assessment of internet-facing assets revealed critical- or high-risk vulnerabilities in 97 drinking water systems serving more than 26.6 million people.
- Potential for disruption: Successful exploitation of these vulnerabilities could lead to service disruptions, physical damage to infrastructure, and theft of sensitive information.
- Lack of centralized reporting: The EPA currently lacks a dedicated system for water and wastewater systems to report cybersecurity incidents.
Cyberattacks on critical infrastructure, including water systems, have become increasingly common. Malicious actors can exploit vulnerabilities to disrupt services, manipulate systems, or steal valuable data. The OIG's findings underscore the need for a more proactive approach to cybersecurity in the water sector.
Adding to the concern, the sector's vulnerabilities, and its slow response to them, have been flagged for years. According to a 2021 report by the Water Sector Coordinating Council (WSCC), the majority of the roughly 52,000 drinking water systems in the U.S. had incomplete inventories of their IT systems or none at all.
"Critical infrastructure suffers the challenge of aging technology that is more likely to be vulnerable, a general lack of cybersecurity support, the need to maintain uptime, which is often in conflict with patching or adding security mitigations, and the market bringing systems which were never designed to be on the internet online to accommodate changes in the workforce," said Casey Ellis, Founder and Advisor at Bugcrowd. "Water is no exception."
To mitigate these risks, water utilities should:
- Prioritize cybersecurity: Implement robust cybersecurity practices, including regular vulnerability assessments, penetration testing, and employee training.
- Invest in security technology: Utilize advanced security technologies to protect critical infrastructure and data.
- Collaborate with industry peers: Share information and best practices to enhance collective security.
- Work with regulatory agencies: Engage with regulatory agencies like the EPA to develop and enforce strong cybersecurity standards.
"Several analyst reports have highlighted that although board members and compliance directives continue to stress the importance of cyber resilience of Industrial Control Systems (ICS) and Operational Technology (OT), the allocated budget for OT security solutions continues to fall," said Dale Fairbrother, Security Product Evangelist at XM Cyber. "This leaves security teams struggling to extend the capabilities and best practices of their security in-depth strategy and security tools to provide the coverage and protection needed by legacy and OT systems."
Fairbrother added, "Teams that continue to acquire security solutions that only consider a subset of infrastructure, assets, or entity types, and that only offer a siloed viewpoint on security intelligence, often find that critical risks to ICS systems are overlooked. Neglecting security measures for ICS can indeed pose a significant threat.
"OT/ICS environments are often critical components of all organizations, not just manufacturing and critical infrastructure. Neglecting security practices in these systems can result in vulnerabilities that could be exploited by malicious actors for various purposes, including disruption of operations, data theft, and damage to physical assets."
Some recent incidents highlight the risks:
- Arkansas City, Kansas, experienced a cybersecurity incident on September 22, 2024, affecting its water treatment facility. The incident prompted a switch to manual operation of the plant while the IT systems were investigated.
- American Water, a New Jersey-based utility that supplies water to more than 14 million people, disclosed in an SEC filing that it had detected unauthorized activity in its computer networks on October 3, 2024, and had taken customer-facing systems offline in response.
- In late 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded to an active cyberattack on a water facility in western Pennsylvania, which exposed the targeting of internet-facing Unitronics programmable logic controllers (PLCs) across the Water and Wastewater Systems (WWS) sector.
Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, opined on the issue:
"U.S. water systems are at risk with various forms of governance and authority behind state, local, federal, and commercial entities responsible for management of facilities, where some have largely ignored security practices. This is in sharp contrast to adversaries that are organized and managed by a government, rather than commercial and government cooperatives.
"Water shortages are significant, especially based upon geolocation, time of year, and supply chain realities. Take for example, middle of the summer, southern states, with no drinking water or supplies to the home. It's obvious a rush to stores for drinking water follows with various forms of fallout and/or mayhem. If wastewater is manipulated to create sickness and pollution in local waterways you then introduce large scale sickness and impact in major areas.
"Very quickly, entire regions can be tossed into dangerous, life-threatening situations where critical infrastructure is threatened and lives are at risk just by not having drinkable water, shortages of care facilities for the scale of support needed, possible power outages, and more, dependent upon the scale and swath of critical infrastructure attacks imposed by adversaries at the time of attack.
"Operators of these facilities need to meet compliance as well as foster a culture of security and best practices to lower risk. They should adopt a mindset and awareness of critical infrastructure and the importance of protecting operations and assets, respectively. Involve trusted third parties for roadmap planning, audits, and additional support to ensure robust security planning and integrity in SecOps."
Fairbrother continued, "It is crucial for organizations to prioritize the security of their OT/ICS environments by implementing holistic cybersecurity measures that continuously assess exposure risk across all layers of their digital attack surface to better understand how a weakness in one segment of their network can have a catastrophic impact across their entire business.
"Don't let your OT environments get left in the dark; make sure to extend your cyber resilience programs across all entity types, assets, and critical components of your infrastructure."