Earlier this month, the Environmental Protection Agency (EPA) published a report evaluating 1,062 public drinking water systems serving about 193 million people.
What did the report show? That 97 systems (serving 26.6 million customers) had critical or high-risk cybersecurity vulnerabilities. 211 systems (serving 82.7 million customers) were also found to have medium to low-risk weaknesses.
The Cybersecurity and Infrastructure Security Agency reports that there are about 152,000 public drinking water systems
But despite the relatively low percentage overall, cyberattacks on public water systems are on the rise.
Here are just three cyber-attacks in recent memory:
- American Water Works (October 2024): The largest publicly-trade water and wastewater utility company in the United States was impacted by a cyberattack. Customer billing and service operations were temporarily halted.
-
Aliquippa, Pennsylvania (November 2023): The Municipal Water Authority experienced a cyberattack on its industrial equipment, including systems that manage water pressure.
- Oldsmar, Florida (February 2021): Hackers accessed the supervisory control and data acquisition (SCADA) system of a water treatment plant and tried to increase the sodium hydroxide levels to harmful amounts.
According to the California State Water Project, if there was a state-wide water service disruption of any kind it could cost "at least $61 billion in lost revenue per day," not to mention the impact on the average citizen.
Despite knowing these risks, the EPA doesn't actually have its own cybersecurity incident reporting system that water systems could use to notify the EPA of incidents. Instead, the EPA relies on the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to relay this communication.
Recently, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to all U.S. Governors urging them to discuss the urgent need to protect critical water infrastructure from looming cyber threats. One of the main topics of discussion is education on how to prevent these incidents.
Resources: On the EPA's main site, you can find some valuable resources to learn about the basics of cybersecurity for water systems. Learn how to conduct a cyber risk assessment, discover upcoming training opportunities for drinking water and wastewater systems, and find out how to request training here.
