Dive Brief:
- Environmental Protection Agency officials found critical or high-risk vulnerabilities in 97 drinking water systems that serve more than 26 million people across the U.S., according to a report released last week by the agency’s Office of Inspector General.
- Another 211 water systems, servicing almost 83 million people, had medium- to low-risk vulnerabilities, including open portals that were visible from the outside. These water systems could face major disruptions or physical damage if a malicious hacker tried to exploit those vulnerable systems.
- The OIG report noted the EPA does not have an incident reporting system and relies on the Cybersecurity and Infrastructure Security Agency’s system. The OIG also could not find documented policies and procedures for how the EPA coordinates with CISA and other federal agencies to address these issues.
Dive Insight:
The report highlights ongoing concerns about the threat of attack targeting the drinking and wastewater utility industry in the U.S. A growing number of utilities have faced attacks from criminal ransomware and state-linked threat groups over the past year, including adversaries linked to Russia, China and Iran.
Just last month American Water Works, the nation’s largest regulated water utility, was targeted in a cyber intrusion and had to take certain systems offline.
“In an era where cyber threats are increasingly sophisticated, we urge the EPA to prioritize the resilience of our water systems and take seriously the issues we highlight in this report,” EPA Inspector General Sean O’Donnell told Cybersecurity Dive in a emailed statement. “We are committed to providing robust oversight that bolsters the Agency’s efforts to protect water infrastructure and improve the sector’s security posture.”
The EPA is reviewing the report and acknowledged “long-standing concerns about cybersecurity-related threats and vulnerabilities facing the water sector,” a spokesperson said via email.
The OIG report could indicate much wider risks at water utilities. The results were based on passive scanning of only 1,062 drinking water systems in the U.S., which is a fraction of the nation’s tens of thousands drinking and wastewater systems.
The EPA has been working closely with the sector to provide water utilities technical assistance, guidance, tools, training and funding, according to the spokesperson.
CISA has warned repeatedly that water systems are at risk of attack from hacktivist groups due to poor cyber hygiene and misconfiguration, with operators relying on default passwords, failing to use multifactor authentication and exposing systems to the internet.
Earlier this month, the USDA and the White House launched a one-year program with the National Rural Water Association to help rural water utilities boost cyber resilience.
Source link