November 18, 2024 at 08:34AM
A recent EPA report reveals that over 300 drinking water systems serving 110 million people in the US face cybersecurity vulnerabilities, risking service disruptions and data breaches. The assessment identified critical weaknesses in IT infrastructure and highlighted a lack of effective incident reporting and coordination within the EPA and other agencies.
### Meeting Takeaways:
1. **Vulnerability Findings**:
– Over 300 drinking water systems in the US, serving around 110 million people, are identified as vulnerable to service disruptions according to a recent EPA Office of Inspector General (OIG) report.
– A passive assessment of 1,062 drinking water systems affecting over 193 million individuals revealed that approximately 25% could be at risk of attacks, potentially leading to loss of functionality, denial-of-service (DoS) incidents, and customer information breaches.
2. **Cybersecurity Assessment**:
– The assessment focused on five cybersecurity categories: email security, IT hygiene, vulnerabilities, adversarial threats, and malicious activity.
– The identified weaknesses were scored from critical to low based on potential impact.
– As of October 2024, 97 of the assessed systems serving about 27 million people contained critical and high-severity issues.
3. **Severity of Issues**:
– An additional 211 systems, covering approximately 83 million individuals, were impacted by medium and low-severity vulnerabilities, including open portals.
4. **Risk of Exploitation**:
– The OIG emphasized that if these vulnerabilities are exploited, it could disrupt services or cause significant physical damage to drinking water infrastructure.
5. **Digital Footprint Mapping**:
– The assessment mapped the digital footprint of the investigated systems, analyzing over 75,000 IP addresses and 14,400 domains related to water infrastructure.
6. **Lack of Reporting Systems**:
– The EPA does not have a cybersecurity incident reporting system for water and wastewater systems, depending on the Cybersecurity and Infrastructure Security Agency (CISA) for incident reporting.
– There is a noted absence of documented policies for coordination between the EPA, CISA, and other federal and state authorities regarding emergency responses and cybersecurity strategies.
7. **Recent Cyberattack Incident**:
– The report follows an incident involving American Water, which, despite servicing over 14 million people, was attacked but did not directly affect water services.
8. **Compliance Issues**:
– In May, the EPA reported that over 70% of water systems were not compliant with the Safe Drinking Water Act due to critical cybersecurity issues, such as default passwords and weak authentication systems.
9. **Support and Resources**:
– CISA is offering free vulnerability scanning services to water utilities to help mitigate these cybersecurity risks.
This summary provides a concise overview of the vulnerabilities within drinking water systems and underscores the urgent need for improved cybersecurity measures and reporting protocols.