
Water systems used by 25m+ Americans discovered to have critical cybersecurity vulnerabilities

Meanwhile, the drinking water systems of more than 82 million people were discovered to have medium- or low-severity vulnerabilities.

Giorez/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Water systems across the nation are treading lightly when it comes to their cybersecurity.

The finding was uncovered in a Nov. 13 report released by the US Environmental Protection Agency’s (EPA) Office of Inspector General (OIG), detailing the results of a passive assessment of 1,062 water systems in the country. Of those, 97 drinking water systems were found to have either critical or high-risk cybersecurity vulnerabilities. The watchdog claims that these water systems service roughly 26.6 million people.

The OIG’s assessment further unearthed that another 211 water systems, servicing a total of more than 82.7 million people, had either medium- or low-severity vulnerabilities.

Without incident. A more shocking discovery came when the OIG attempted to alert the EPA about the discovered vulnerabilities. The OIG learned that the EPA does not have a cybersecurity incident reporting system that water and wastewater systems could use to notify it of cybersecurity incidents. Instead, the EPA taps the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, though the OIG claims it had trouble substantiating the relationship.

“We were unable to find documented policies and procedures related to the EPA’s coordination with the Cybersecurity and Infrastructure Security Agency and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies,” the OIG wrote in the report.

Troubled waters. The EPA has remained vocal about its concerns over the security of the country’s water systems in recent years. Earlier this year, the federal agency issued an enforcement alert, warning that cyberattacks against community water systems were “increasing in frequency and severity.” In March, the EPA also helped pen a letter to US governors, asking for additional support in protecting the country’s water systems from cyberattacks.

And the concerns are for good reason, as cyberattacks against water systems continue to hit the headlines. In October, American Water, the US’s largest regulated water and wastewater utility, revealed that it had experienced a cyberattack that caused it to temporarily suspend access to its customer portal. Meanwhile, the Municipal Water Authority of Aliquippa was the victim of a cyberattack orchestrated by threat actor group Cyber Av3ngers around this time last year.

Dominique Joseph, a spokesperson for the EPA, told IT Brew, among others, via email that the federal agency is reviewing the OIG’s report and that it “regularly” receives water sector cyber incident information from CISA and the FBI. Joseph added that the agency has had “long-standing concerns about cybersecurity-related threats and vulnerabilities facing the water sector,” and that it is working closely with the sector to mitigate these weaknesses.
