The EPA Office of Inspector General (OIG) has released a report titled “Management Implication Report: Cybersecurity Concerns Related to Drinking Water Systems.” A passive assessment of cybersecurity vulnerabilities was conducted on drinking water systems that serve over 50,000 people or more. This included 1,062 drinking water systems across the U.S. that serve more than 193 million people.

The report indicates that about a quarter of these systems show weaknesses that can lead to degraded functionality, cause loss or denial of service, or facilitate the theft of customer or proprietary information. 97 water systems in particular, which serve about 27 million people, have critical and high-severity security issues. An additional 211 water systems were identified as medium and low-severity.

OIG stated in the report, “if malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure.”

The report also shows significant security concerns in the sector at large, including weaknesses with reporting and coordinating responses to potential cybersecurity incidents. This is due in part to the EPA not having its own cybersecurity incident reporting system that water and wastewater systems could use to notify the EPA of cybersecurity incidents. OIG has stated that overseeing, protecting, and investing in the water and wastewater systems sector is a top management challenge facing the EPA. This report represents a positive advancement in addressing the unique challenges facing the sector. Access the full report at EPA OIG.