The Environmental Protection Agency’s (EPA) Office of Inspector General (OIG) has issued a Management Implication Report raising significant cybersecurity concerns for drinking water systems across the United States. The findings highlight vulnerabilities that pose risks to public health, critical infrastructure, and economic activity, urging immediate attention and action to fortify cybersecurity in this essential sector.
The OIG’s analysis reveals that 97 drinking water systems serving over 26.6 million people were identified as having critical or high-risk cybersecurity vulnerabilities. Additionally, 211 other systems, serving over 82.7 million people, were flagged for medium- to low-risk concerns. These vulnerabilities include weaknesses in email security, IT hygiene, and other critical cyber defenses, leaving these systems open to potential exploitation by malicious actors.
The report stresses the devastating potential of a cyberattack on drinking water systems, citing economic losses that could reach tens of billions of dollars daily. For example, a single day of disruption to Charlotte Water, which serves 890,000 people, could result in $132 million in lost revenue and replacement costs exceeding $5 billion. Similarly, a statewide disruption in California’s State Water Project could lead to $61 billion in daily economic losses.
Among its findings, the report underscores the lack of a centralized cybersecurity incident reporting system within the EPA, with the agency currently relying on the Cybersecurity and Infrastructure Security Agency (CISA) for such reports. Furthermore, the OIG identified insufficient policies and procedures for coordinating responses to cybersecurity incidents and recommended that the EPA develop a national cybersecurity strategy tailored to the water and wastewater sectors.
The report calls on the EPA to take decisive steps to address these challenges, including developing better oversight mechanisms, enhancing sector-wide risk assessments, and fostering partnerships with state and local authorities to improve compliance and resilience.