‘Critical’ cyber vulnerabilities found in many water utilities, warns EPA inspector general
A recent memo from the Environmental Protection Agency’s Office of Inspector General shows that 9% of the public drinking water systems it scanned last month had “critical” or “high” priority cybersecurity vulnerabilities.
Nicolas Evans, the office’s acting assistant inspector general, detailed in his Nov. 13 memo an assessment of more than 1,000 drinking water systems serving 193 million people. In addition to finding 97 systems with critical- or high-risk vulnerabilities, the office also spotted 211 water utilities with “medium” or “low” risk security vulnerabilities, such as “having externally visible open portals.”
The facilities scanned, which are responsible for collecting, storing, treating and distributing water to the public, comprise an expansive digital footprint of more than 75,000 IP addresses and 14,400 web domains, according to the document. Evans, who forwarded the memo to Bruno Pigott, principal deputy assistant administrator for the EPA’s Office of Water, described the situation as urgent.
“This critical infrastructure sector faces various threats from cyberattack, theft, vandalism, and other risks that can affect public health and leave communities vulnerable to the loss of clean water. This challenge is not hypothetical,” Evans wrote. “Recent high-profile incidents at water systems have demonstrated the urgency needed to address cybersecurity weaknesses and vulnerabilities to physical attacks.”
According to the Cybersecurity and Infrastructure Security Agency, there are approximately 152,000 public drinking water systems. And though successful attacks against U.S. water infrastructure are rare, they aren’t unheard of. A Russian hacking group called the “People’s Cyber Army of Russia” in April took credit for a cyberattack against the Tipton West Wastewater Treatment Plant in Indiana, and it took credit for another cyberattack on a water facility in Texas last January.
“If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” Evans warned in his memo.
The nonprofit US Water Alliance last year estimated that a one-day, nationwide disruption to water systems in the United States would lead to $43.5 billion in lost sales and $22.5 billion in damage to the country’s gross domestic product. The EPA predicted that a single day of disruption to just California’s State Water Project — a collection of canals, pipelines, reservoirs and hydroelectric power facilities stretching over more than 700 miles — would cost the state $61 billion in revenue.
Tyler Moore, a cybersecurity professor at the University of Tulsa in Oklahoma, told StateScoop that the report’s findings were “not surprising,” given that most of the nation’s thousands of water utilities are operated independently and that many of them lack the funding or expertise to instantiate federal cybersecurity standards on their pre-internet technology.
Last week’s memo follows repeated warnings from federal agencies about the nation’s critical infrastructure, including the water and wastewater sector. The EPA last May issued an alert warning of “alarming cybersecurity vulnerabilities” at water utilities, such as failures to change default passwords. The agency also reported that more than 70% of water systems were failing to comply with a provision of a 2018 law requiring them to develop or update risk assessments and emergency response plans, and to certify them with the EPA.
“The fundamental challenge here is economic,” said Moore, who pointed out that many regulated utilities don’t have large discretionary budgets. “They can ask for rate hikes to fund it, but that can be politically challenging. It’s often the case that the budget just isn’t there. And even if it were, it’s maybe not always being asked for because of the expertise gap. They may not even know what they should be doing.”
Evans’s memo points to recent funding sources available to utilities seeking to upgrade, including $6.5 billion in the American Rescue Plan Act funding for water infrastructure projects. His office also claims that EPA partnerships with states have in recent years led to $200 billion in water improvement projects, such as by assisting with low-cost loans. But such infrastructure funding is rarely dedicated solely to information technology upgrades.
“If you’re going to try to improve the fundamental cybersecurity of these systems, it’s going to require probably some significant public investment that most likely would need to come originally at least in large part from federal grants,” Moore said.
The memo concludes with a key challenge: the absence of a cybersecurity reporting structure within the EPA. Instead, the agency relies on getting information from CISA and its contact with water utilities and other federal agencies. The Government Accountability Office last August recommended the EPA develop a national cybersecurity strategy that would include an assessment of whether it needs more authority to protect the nation’s water from bad actors online.
Despite the potentially huge economic costs of a disruption to the nation’s water infrastructure, Moore estimated that a terrorist attack on water utilities would, more than anything, exact a psychological cost on the public. He said that though he thinks a successful attack on water infrastructure is unlikely to occur, the Sept. 11 attacks provide historical examples of widespread behavioral change, such as declines in airline travel, that shouldn’t be discounted.
“The lost water bill,” Moore said, “that’s nothing.”