Nearly 100 large community water systems (CWS) in the United States are still facing serious security weaknesses in their Internet-facing systems, leaving the water supply of nearly 27 million Americans vulnerable despite recent cyberattacks raising awareness of infrastructure vulnerabilities.
According to a report released by the Environmental Protection Agency (EPA) on November 13, more than 9% of the 1,062 water systems serving at least 50,000 people have critical and high-severity vulnerabilities. These vulnerabilities were identified through passive assessments that examined over 75,000 IP addresses and 14,400 domains.
The potential impact of these vulnerabilities is significant, as millions of citizens, along with businesses, schools, and hospitals, rely on these water systems. The EPA expressed concern that malicious actors could exploit these cybersecurity weaknesses to disrupt services or cause irreparable damage to drinking water infrastructure.
In recent years, water systems have increasingly become targets for cyberattacks by state-sponsored groups, ransomware gangs, and hacktivists. For example, in 2023, Iran-linked cyber attackers compromised programmable logic controllers (PLCs) at a water utility in Pennsylvania and targeted wastewater treatment plants in Israel. In 2021, a hacker tampered with the chemical mixture for the water at a treatment plant in Florida, while a water treatment plant in Arkansas City, Kan., had to switch to manual operation after a cybersecurity incident.
With nearly 150,000 water systems in the United States serving different types of communities, including community water systems, transient noncommunity water systems, and nontransient noncommunity water systems, the challenges of securing these systems are complex. Many water agencies, especially small ones serving communities, face resource constraints, outdated technology, and lack of visibility into cybersecurity threats.
Despite EPA regulations requiring water systems serving over 3,300 people to conduct risk and cybersecurity assessments, many utilities struggle to comply due to financial constraints. The lack of funding makes it difficult for water utilities to invest in adequate security measures to protect critical infrastructure and ensure public safety.
Government officials are increasingly concerned about the vulnerabilities in water systems, as evidenced by warnings from the EPA about heightened cyberattacks by foreign actors and the release of cybersecurity guides by agencies like the Cybersecurity and Infrastructure Security Agency (CISA) for the water and wastewater sector.
Experts emphasize the need for increased investment in water system cybersecurity defense beyond just regulatory requirements. Simply increasing regulations may not address the financial constraints preventing utilities from adequately protecting critical infrastructure. The federal government must provide more support to address the security challenges posed by legacy infrastructure, operational technology, and the convergence of OT with IT in water systems.
In conclusion, securing water infrastructure is a critical priority to safeguard public health and prevent catastrophic consequences. The vulnerabilities identified in large community water systems underline the urgent need for comprehensive cybersecurity measures and investment to protect the water supply for millions of Americans.