EPA Finds the Drinking Water for 193 Million Americans Is Vulnerable to Cyberattacks

The Environmental Protection Agency’s (EPA) Office of Inspector General is warning millions of Americans that their water may be vulnerable to cybersecurity attacks. 

On Nov. 13, the agency released its Management Implication Report, highlighting vulnerabilities throughout the drinking and wastewater utility industry across the nation. The report conducted a “passive assessment,” which covered 1,062 drinking water systems that serve 193 million people across the United States, to identify “cybersecurity vulnerabilities.” It noted that its results from an October 8, 2024 scan identified 97 drinking water systems, which serve approximately 26.6 million users, as having “critical or high-risk cybersecurity vulnerabilities.”

The findings also explained that, “Although not rising to a level of critical or high-risk cybersecurity vulnerabilities, an additional 211 drinking water systems, servicing over 82.7 million people, were identified as medium and low by having externally visible open portals.” 

A cyberattack on water might sound strange, but the goal of these assaults is to target the digital systems that support major infrastructures. It requires an expansive digital network to manage the drinking water for millions of people, ensuring that they have consistent access to clean, properly-treated water. It’s this underlying computer system that’s under threat, and which is crucial to ensuring that the quality of our water is safe. Halting the distribution of water in the case of a cyberattack harms individuals by limiting their access to water, and can also have dramatic financial impacts for distributors.

One example given is the California State Water Project, which serves over 27 million people, accounting for more than two-thirds of California’s population. The report noted that if there was a state-wide water service disruption, it could have the potential to cost “at least $61 billion in lost revenue per day.”

Even smaller communities could face a massive economic impact. The report reviewed Charlotte Water, which serves over 890,000 people across six counties near Charlotte, North Carolina. It outlined that if there was a water service disruption across all Charlotte Water facilities, it could cost at least $132 million in lost revenue per day, and depending on the extent and location of damages, “replacement costs for all facilities could exceed $5 billion.” 

“The agency has long-standing concerns with cybersecurity-related threats and vulnerabilities facing the water sector and continues to work diligently within the water sector to mitigate these vulnerabilities by providing direct technical assistance, guidance, tools, training, and funding that can aid water and wastewater owners and operators with improving cybersecurity,” a spokesperson for the EPA shared with Newsweek. 

However, despite knowing the risks and seeing the potential economic impact, the EPA noted that it does not have its “own cybersecurity incident reporting system that water and wastewater systems could use to notify the EPA of cybersecurity incidents.” Instead it currently relies on the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to provide this channel of communication. 

The report also found no “policies and procedures related to the EPA’s coordination with the Cybersecurity and Infrastructure Security Agency and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies.” This means there is no formal process established between the two agencies for what to do if a cybersecurity breach is reported.

The published findings observed that the Government Accountability Office recommended in August that the EPA develop and implement a national cybersecurity strategy, evaluate the “sufficiency of its legal authorities to carry out its cybersecurity responsibilities,” and seek any additional resources it deems necessary.

While these types of attacks might seem far-fetched, unfortunately this is no longer a hypothetical. In early October 2024, American Water, a New Jersey-based company and the largest water utility in the U.S, was hit by a cyberattack. It noted on its website at the time that it had learned of “unauthorized activity in our computer networks and systems,” which it said was the “result of a cybersecurity incident.” As NBC reported, attacks that target American infrastructure — like water systems — are increasingly common, and can sometimes be linked to geopolitical rivals.

“In an era where cyber threats are increasingly sophisticated, we urge the EPA to prioritize the resilience of our water systems and take seriously the issues we highlight in this report,” EPA Inspector General Sean O’Donnell told Cybersecurity Dive. “We are committed to providing robust oversight that bolsters the Agency’s efforts to protect water infrastructure and improve the sector’s security posture.”