A recent report from the Environmental Protection Agency’s (EPA) Office of Inspector General (OIG) has unveiled alarming vulnerabilities in over 300 drinking water systems serving roughly 110 million people across the United States. These systems, a cornerstone of the nation’s critical infrastructure, face cybersecurity flaws ranging from low to critical severity, potentially exposing them to disruptive attacks.
The assessment examined more than 1,000 water systems, revealing weaknesses that could lead to service interruptions, physical damage, and compromised customer information.
The findings highlight not only the vulnerabilities within the systems themselves but also gaps in the EPA’s preparedness and response mechanisms. The agency lacks a dedicated cybersecurity incident reporting system for water and wastewater operators, relying instead on external entities like the Cybersecurity and Infrastructure Security Agency (CISA).
These revelations come against a backdrop of growing threats to municipal water infrastructure. From attacks on Arkansas City, Kansas, to operations targeting Pennsylvania’s water systems, the urgency to address these risks has never been greater.
Why It Matters: Drinking water systems face significant cyber vulnerabilities that threaten public health, safety, and daily life by disrupting supply, damaging infrastructure, and exposing sensitive data. The EPA’s report reveals systemic challenges, including outdated cybersecurity measures, insufficient coordination with agencies like CISA, and a growing digital attack surface exploited by adversary nation-states and criminal groups. These findings spotlight the urgent need for policy changes, technical upgrades, and stronger collaboration among federal, state, and local authorities to enhance the resilience of water systems nationwide.
- Scale of Vulnerabilities Identified: Over 300 water systems serving approximately 110 million people were found to have significant cybersecurity flaws, with 97 systems facing critical or high-severity risks. Another 211 systems exhibited medium- to low-severity weaknesses, including visible open portals.
- Inadequate EPA Infrastructure: The report criticizes the EPA for its lack of a dedicated incident reporting system and limited policies to coordinate cybersecurity responses with CISA and other federal agencies, exposing systemic gaps in oversight.
- Real-World Threats to Water Systems: Recent cyberattacks on municipal water systems, including suspected state-sponsored operations, underscore the reality of the threat. Incidents in Arkansas City, Kansas, and Pennsylvania exemplify the risks of compromised programmable logic controllers and other digital vulnerabilities.
- Broad Assessment Parameters: The OIG’s assessment examined over 75,000 IP addresses and 14,400 domains across five cybersecurity categories, including email security and adversarial threats. The findings point to widespread deficiencies in basic IT hygiene and security practices.
EPA IG Office: ‘High-Risk’ Security Flaws in Hundreds of Water Systems – Security Boulevard