The Environmental Protection Agency’s (EPAs) Office of Inspector General (OIG) on Nov. 13 reported that 97 drinking water systems serving about 26.6 million Americans around the country have either “critical or high-risk” cybersecurity vulnerabilities.
While attempting to notify the EPA about the cybersecurity vulnerabilities, the OIG found that the EPA does not have an incident reporting system that water and wastewater systems around the U.S. could use to notify the EPA of cyber incidents.
“Currently, the EPA relies on the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to provide this type of reporting information,” said the OIG report. “Moreover, we were unable to find documented policies and procedures related to the EPA’s coordination with CISA and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies.”
Overall, the OIG’s assessment covered 1,062 drinking water systems for cybersecurity vulnerabilities that serve more than 193 million Americans. Along with the 97 high-risk systems, the OIG found an additional 211 drinking water systems servicing over 82.7 million people were identified as “medium or low severity” by having externally visible open portals.
“If malicious actors exploited the cybersecurity vulnerabilities identified in this passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” the OIG said in the report.
Morgan Wright, chief security advisor at Sentinel One, said threat actors like Salt Typhoon and Volt Typhoon are actively exploiting vulnerabilities in water systems. Wright said the disparate system of water and waste treatment facilities across the nation lags behind other sectors. He said it suffers from a lack of qualified personnel and appropriate budgets.
“Unless significant action is taken quickly, the potential for a catastrophic event is closer than we think,” said Wright, an SC Media columnist. “Imagine having a fire in your home and there is no 911. Who do you call? This is the current state of readiness in one of the most critical infrastructures in our nation. In fact, during war, to bring a nation to its knees, you target power and water.”
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, added that U.S. water systems are at risk with various forms of governance and authority behind state, local, federal, and commercial entities responsible for management of facilities, where some have largely ignored security practices. Dunham said our situation here is in sharp contrast to adversaries that are organized and managed by a government, rather than commercial and government cooperatives.
“Water shortages are significant, especially based upon geolocation, time of year, and supply chain realities,” Dunhams said. “Take for example, middle of the summer, Southern states with no drinking water or supplies to the home. It’s obvious a rush to stores for drinking water follows with various forms of fallout and/or mayhem. If wastewater is manipulated to create sickness and pollution in local waterways you then introduce large scale sickness and impact in major areas.”
Dale Fairbrother, security product evangelist at XM Cyber, added that several analyst reports have highlighted that although board members and compliance directives continue to stress the importance of cyber resilience of industrial control systems (ICS) and operational technology (OT), the allocated budget for OT security solutions continues to fall.
“This leaves security team struggling to extend the capabilities and best practices of their security in-depth strategy and security tools to provide the coverage and protection needed by legacy and OT systems,” said Fairbrother. “Teams that continue to acquire security solutions that only consider a subset of infrastructure, assets, or entity types, that only offered a siloed viewpoint on security intelligence, often mean critical risks to ICS systems are often overlooked. Neglecting security measures for ICS can indeed pose a significant threat.”
