EPA Warns of Cybersecurity Risks to US Drinking Water Critical Infrastructure

January 22, 2025

The United States Environmental Protection Agency (EPA) recently warned that more than 300 drinking water systems across the country face serious cybersecurity risks and vulnerabilities and violate aspects of the Safe Drinking Water Act of 1974. Water facilities and sectors, which provide water to roughly 110 million citizens, are part of the critical infrastructure of our nation, and any cyberattack on their systems would impact public health and safety on a devastatingly wide scale. After noting that “even basic cybersecurity precautions are not in place at water facilities,” the EPA has called on U.S. governors to begin addressing these issues more proactively.

The EPA’s Review of Critical Water Systems

In a mass review of 1,062 drinking water systems that serve over 193 million people in the U.S., the EPA’s Office of Inspector General (OIG) found that around a quarter of these systems have weaknesses that could result in major impacts, such as service disruptions, loss of customer data, or even biohazard-contaminated water. Specifically, 97 systems affecting 27 million people had critical issues, while 211 systems serving 83 million people had less severe, but still concerning, problems.

These vulnerabilities include outdated software, poor network security, weak access controls, and a lack of employee cybersecurity training. Furthermore, “the agency found that some water systems failed to change default passwords and cut off access to former employees in addition to only using single logins for all staff.” A particularly risky aspect of water system technology is “unsecured Human Machine Interface (HMI) devices [where] unauthorized remote users could exploit Human Machine Interfaces to view and adjust real-time system settings.” These gaps leave water systems vulnerable to severe attacks that could disrupt operations and harm people on a massive scale. Moreover, even a one-day disruption to the U.S. water system “could jeopardize $43.5 billion in economic activity.”

Water Systems Critical Infrastructure Prime Target For Cyberattacks

Water systems are prime targets for cyber and terror attacks because they play such a critical role in public health and safety and intersect with other major industries and infrastructure. For example, a successful cyberattack could cause social chaos and political distress, disrupt local economies and financial institutions, and lead to a public health crisis through a pandemic that would impact the healthcare system, negatively affecting several critical functions of our society. As water systems become more digitized for efficiency, they also become more exposed to cyber risks and susceptible to hackers, including state-sponsored actors and cybercriminals. In 2024, it was revealed that Chinese hackers have had access to U.S. water sector “computer networks for ‘at least five years,’ according to a new report by US and allied security agencies.” Additionally, facilities in Pennsylvania and Texas have been targeted by malicious actor organizations associated with Iran and Russia, and “New Jersey-based American Water, which services more than 14 million people in 14 states and on 18 military installations, fell victim to a cyberattack that forced it to shut down certain systems.” The incidents demonstrate the very real, but improvable, weaknesses of our critical systems.

The EPA’s Response to Critical System Vulnerabilities

To help address these cybersecurity issues, the EPA is taking several steps to improve the safety of drinking water systems. One major focus is on recognizing the vulnerabilities that lie within the responsibility of the facility management leaders and employees. Thus, the EPA is offering access to cybersecurity assessment tools, resources, and guidance to help water systems staff regularly assess their cybersecurity risks. Through guidance on basic cybersecurity practices, such as updating passwords, applying regular software updates, and implementing more advanced protections like securing networks and detecting intrusions, the EPA aims to help employees find and fix problems before their systems are exploited by hackers. In addition, the EPA runs training sessions for water system operators to help them recognize potential threats and learn how to protect against them. This includes education on common cyber risks, like phishing attacks, as well as emergency response drills. A reporting system that lets water facilities quickly report cyber incidents and get help is also in development with the EPA and will improve the speed and effectiveness of cyberattack responses.

The EPA also focuses on collaboration with other agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Centers for Disease Control (CDC) to address major cybersecurity or public health incidents. This ensures a coordinated response to threats and promotes sharing of information and best practices, as well as proper funding for clean water and infrastructure safety programs. In October 2024, the EPA announced the passing of “the Bipartisan Infrastructure Law [which] delivers more than $50 billion to EPA to improve our nation’s drinking water, wastewater, and stormwater infrastructure - the single largest investment in water that the federal government has ever made.” These funds help the EPA and water facilities invest in better training of professionals, stronger cybersecurity practices, and improved overall management of this critical sector.

Critical Infrastructure Education for a Safer Tomorrow

Studying critical infrastructure is essential for building a safer and more resilient future for our nation. As the backbone of our society, critical systems are vital to our daily lives and economic stability, and understanding how these systems function, especially within our cyber world, is crucial for developing strategies to protect them. At Capitol Technology University, our academic programs in the field of Critical Infrastructure focus on using technology for the betterment of society, and through research and innovation, students develop the skills and knowledge necessary to combat critical systems threats and implement proactive solutions. Additionally, through partnerships with leading cyber agencies, as well as training provided by our Critical Infrastructure Center (CIC), students gain practical experience to enter the workforce job-ready and well prepared for the future of the industry.
