The vulnerability of drinking water systems in the United States to cyberattacks has become a pressing concern following a recent report from the Environmental Protection Agency’s (EPA) Office of Inspector General. These systems, which are critical for public health and economic stability, face growing risks from increasingly complicated cyber threats.
The EPA report reveals alarming deficiencies in cybersecurity protections for water infrastructure, affecting millions of Americans and threatening significant disruptions.
The cyberattacks on critical infrastructure have become more frequent and damaging, and a coordinated response is essential. Addressing these vulnerabilities requires implementing an effective cybersecurity plan, fostering collaboration between agencies, and leveraging best practices from other sectors such as healthcare to secure essential systems.
Key Takeaways
Cyber threats to America’s drinking water systems pose significant risks to public health and economic stability, necessitating a coordinated response to implement effective cybersecurity measures.
- Drinking water systems are highly vulnerable to cyberattacks due to the increasing reliance on digital technologies for monitoring and control, with over 26.6 million individuals served by water systems categorized as having critical or high-risk cybersecurity vulnerabilities.
- Lessons from data security in healthcare can provide valuable insights for securing water infrastructure, including encryption, access controls, continuous monitoring, incident response planning, and collaboration and information sharing.
- A national cybersecurity strategy tailored to drinking water systems is essential, prioritizing risk assessments, investments in technology, training programs, and compliance with best practices and standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Cybersecurity threats to drinking water systems
Drinking water systems are highly vulnerable to cyberattacks due to the increasing reliance on digital technologies for monitoring and control. These technologies, while efficient, create entry points for malicious actors.
The EPA report estimates that over 26.6 million individuals are served by water systems categorized as having critical or high-risk cybersecurity vulnerabilities. These risks arise from weak access controls, unpatched software, and publicly visible portals that expose operational systems to external threats.
An additional 211 water systems serving more than 82.7 million people were found to have medium or low-risk vulnerabilities. These vulnerabilities could allow attackers to disrupt water supplies, manipulate treatment processes, or even contaminate water sources.
The potential impact of such attacks is staggering, with economic losses from a statewide water service disruption in California estimated to exceed $61 billion daily. Smaller communities, too, face significant threats, with localized disruptions costing millions of dollars daily.
Beyond the economic fallout, the implications for public health are profound. A successful cyberattack could compromise water quality, causing widespread illness or forcing communities to rely on costly emergency measures. The need to safeguard drinking water systems from these risks has never been more urgent.
Lessons from data security in healthcare
The challenges faced by drinking water systems closely parallel those in the healthcare sector, particularly in protecting electronic health records (EHRs). Both sectors manage highly sensitive data and rely on interconnected systems that are attractive targets for cybercriminals. Lessons from healthcare cybersecurity can provide valuable insights for securing water infrastructure.
Encryption and access controls: Encryption is a cornerstone of data security in healthcare, ensuring that sensitive patient information is protected during storage and transmission. Similarly, water systems can use encryption to safeguard patient data and communications between facilities. This measure prevents unauthorized access and reduces the likelihood of data breaches.
Access controls are another critical element. In healthcare, only authorized personnel can access EHRs, with role-based restrictions limiting the actions users can perform. Drinking water systems can adopt similar practices, restricting access to operational controls and sensitive data to minimize exposure.
Continuous monitoring and incident response: Healthcare providers use real-time monitoring tools to detect unusual activity in their networks, allowing them to respond quickly to potential breaches. Water systems can implement similar monitoring solutions, providing early warnings of cyber threats and enabling rapid incident response.
Incident response planning is also essential. Just as hospitals develop detailed protocols for responding to data breaches, water utilities must have clear strategies for mitigating the effects of a cyberattack. These plans should include steps for isolating affected systems, restoring operations, and communicating with stakeholders.
Collaboration and information sharing: The healthcare sector benefits from collaborative initiatives that share threat intelligence and best practices. Organizations like the Health Information Sharing and Analysis Center (H-ISAC) help healthcare entities stay informed about emerging threats.
A similar framework for water utilities could enhance their ability to defend against cyberattacks. By sharing information about vulnerabilities and successful mitigation strategies, utilities can strengthen their collective defenses.
The role of federal and state oversight
The EPA report highlights significant gaps in the federal response to cybersecurity risks in drinking water systems. Unlike other critical infrastructure sectors, the EPA lacks an in-house system for tracking and addressing cybersecurity incidents. Instead, it relies on the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) for information and support.
This dependence underscores the need for greater interagency coordination. The report identifies deficiencies in policies and procedures for collaborating with state and local authorities during emergencies. Improving communication and establishing clear roles and responsibilities are critical to ensuring an effective response to cybersecurity threats.
The Government Accountability Office (GAO) has recommended that the EPA develop a national cybersecurity strategy tailored to drinking water systems. Such a strategy would provide a roadmap for addressing vulnerabilities, allocating resources, and coordinating efforts across federal, state, and local levels.
Acting Assistant Administrator Benita Best-Wong has committed to presenting a detailed plan by January 2025, aligning with President Biden’s National Security Memorandum on critical infrastructure.
This strategy should prioritize risk assessments to identify the most vulnerable systems, investments in technology to strengthen defenses, and training programs to build cybersecurity expertise among water utility staff. Ensuring compliance with best practices and standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, will also be essential.
Building resilience through technology
Modernizing outdated systems is a critical step in protecting drinking water infrastructure. Many water utilities rely on legacy technologies that lack built-in security features, making them easy targets for cyberattacks. Upgrading these systems with advanced cybersecurity tools, such as firewalls, intrusion detection systems, and secure communication protocols, can significantly enhance their resilience.
Training and education are equally important. Utility staff must be equipped to recognize and respond to potential threats, from phishing emails to suspicious network activity. Regular drills and simulations can help prepare teams for real-world scenarios, ensuring they can act swiftly and effectively during an incident.
Public-private partnerships can also play a key role. Collaborating with technology companies and cybersecurity experts provides water utilities with access to cutting-edge solutions and expertise. These partnerships can support the development of innovative tools and techniques for detecting and mitigating cyber threats.
Transparency is another vital component. The EPA must maintain open communication with stakeholders, including water utilities, local governments, and the public. Regular updates on progress and challenges will foster trust and encourage collective action to address cybersecurity risks.
A call to action for securing drinking water systems
The risks outlined in the EPA report demand immediate attention. As cyber threats continue to evolve, drinking water systems must be fortified to withstand potential attacks. This requires a comprehensive approach that combines technology, policy, and collaboration.
A national cybersecurity strategy for water systems should be developed and implemented without delay. This strategy must address the unique vulnerabilities of water infrastructure, prioritize investments in modern technology, and foster collaboration between agencies and stakeholders.
By adopting best practices from sectors like healthcare, leveraging advanced cybersecurity tools, and enhancing workforce training, the EPA and its partners can build resilient water systems capable of withstanding future threats. These efforts will protect not only the health and safety of millions of Americans but also the economic stability of the communities they serve.
A secure and reliable drinking water infrastructure is not just a public health necessity but also a cornerstone of economic and social well-being. Every aspect of modern life—from hospitals and schools to industries and agriculture—depends on access to clean and safe water. A single cyberattack on a water system could cascade into widespread disruptions, with long-term consequences for individuals, businesses, and governments.
Taking proactive measures to safeguard these systems involves more than just upgrading technology. It requires a cultural shift toward prioritizing cybersecurity at every level of water system management.
Utility operators, local governments, and federal agencies must work together to create a comprehensive approach that includes regular vulnerability assessments, investment in secure technologies, and robust incident response plans.
