America's drinking water systems have a hard-to-swallow cybersecurity problem

More than 100M rely on gear rife with vulnerabilities, says EPA OIG


Nearly a third of US residents are served by drinking water systems with cybersecurity shortcomings, the Environmental Protection Agency's Office of Inspector General found in a recent study – and the agency lacks its own system to track potential attacks. 

The EPA OIG released a report last week that found 308 of the 1,062 drinking water systems it tested had shortcomings in the security of their computer systems. By the sounds of it, we're talking the IT used in back-office and operational functions.

The analysis relied on a "passive assessment of cybersecurity vulnerabilities," which included mapping the digital footprint of water systems.

Some 211 of the 308 had medium- or low-risk vulnerabilities in their IT environment, according to "a non-linear scoring algorithm" that the OIG didn't explain in depth, with many reported as having "externally visible open portals." These systems serve approximately 82.7 million people, the report noted. The remaining 97 of the 308 had critical or high-risk issues that the report did not describe, and those systems serve about 26.6 million people. 


"We don't want to discuss any particular vulnerabilities," EPA Assistant Inspector General for Strategic Analysis and Results Adam Seefeldt told The Register. "But as we mention in the report, the vulnerabilities, if exploited, could affect the physical infrastructure or operating systems of those drinking water systems."

Seefeldt told us that even the low-risk vulnerabilities could be meaningfully exploited by a miscreant, meaning there's a danger to water safety and security at all levels of the report. 

To make matters worse, only drinking water systems that serve 50,000 or more people were studied, meaning there are far more systems out there that could also be vulnerable, but which didn't make it into the scope of the EPA OIG study. 

The OIG also revealed that the EPA lacks its own cybersecurity incident reporting system. Instead, it relies on the Department of Homeland Security to notify it of incidents affecting drinking water systems - but that's not all.

"We were unable to find documented policies and procedures related to the EPA's coordination with the Cybersecurity and Infrastructure Security Agency and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies," the report concluded. 

This might not come as a surprise to anyone who's aware of the history of the EPA's fight to protect America's water systems: The agency rescinded cybersecurity evaluation rules last year following a lawsuit filed against it by several Republican state attorneys general and water industry trade groups that called the matter an intrusion on state sovereignty.

Unsurprisingly, cyber threats to US water systems continue to be a growing concern that has led to the EPA trying to establish a Water Sector Cybersecurity Task Force to pick up the pieces of its shattered drinking water cybersecurity plans, though the current status of the task force is unclear.

Constantly playing catch-up is a common refrain in critical infrastructure cybersecurity, says NCC Group head of industrial Sean Arrowsmith, as old infrastructure is suddenly connected to modern IT systems without regard for security concerns. 

"It may be the case that water is seen as a sector that will have vulnerabilities with legacy outdated infrastructure being converged with IT systems, and therefore suddenly exposed to internet-borne threats," Arrowsmith said in a statement. "The potential disruption is also attractive, particularly at a nation-state level because compromise of a water facility is headline news and could ultimately cause a threat to safety."


In short, protecting drinking water supplies is critical and urgent, and it might already be too late. Seefeldt told us his office has relayed the issues it discovered to the EPA to be addressed, but noted it's now the agency's responsibility to take care of them.

"We will continue to conduct oversight in this area and would encourage any potential whistleblowers with information about cyber vulnerabilities in the water sector to reach out to us," Seefeldt said. 

The EPA told us that it's reviewing the OIG report, and has had "long-standing concerns" regarding water system cybersecurity, but insists it regularly receives cyber incident information on water infrastructure from CISA and the FBI.

Nonetheless, the EPA agrees with the findings.

"The agency agrees with the OIG that a robust cybersecurity program that helps the water sector prevent, detect, respond to, and recover from cyber incidents is critical to protecting public health," an EPA spokesperson told us, adding that the agency "continues to work diligently within the water sector to mitigate these vulnerabilities by providing direct technical assistance, guidance, tools, training, and funding."

The EPA didn't answer questions about how it was addressing vulnerabilities identified in the OIG report.

Not just an American problem

While politics and lawsuits have slowed the development of cybersecurity standards for drinking water systems in the US, the UK is having its own set of problems when it comes to securing its water infrastructure - in large part due to how old much of it is.

Thames Water, the UK's largest water and wastewater treatment company, faces significant challenges in maintaining the security of its systems, with aging hardware and software across its network creating potential vulnerabilities that could be exploited by cybercriminals.

According to The Guardian, some systems are so outdated that, as irreplaceable hardware fails, Thames Water has had to rely on repurposing other antiquated systems to maintain operations.

"Ancient operations like this are a goldmine for cybercriminals," Camellia Chan, CEO and co-founder of industrial storage hardware firm Flexxon, said in a statement. "The consequences if these are infiltrated can be devastating and put real people at risk." 

Thames Water told The Guardian that it regularly reviews its systems, while still acknowledging that it suffers from a tech deficit. "We have set out an ambitious plan for 2025-30 which asks for £20.7bn of expenditure and investment … so that we can meet our customers' expectations and environmental responsibilities." ®
