300 Drinking Water Systems in US Exposed to Disruptive, Damaging Hacker Attacks


Over 300 drinking water systems that serve roughly 110 million people in the US are affected by vulnerabilities that could lead to service disruptions, a new report from the Environmental Protection Agency (EPA)’s Office of Inspector General (OIG) shows.

A passive assessment of security defects in 1,062 drinking water systems that serve over 193 million individuals has revealed that a quarter of them could potentially fall victim to attacks leading to functionality loss, denial-of-service (DoS) conditions, and customer information compromise.

The assessment covered five cybersecurity categories, namely email security, IT hygiene, vulnerabilities, adversarial threat, and malicious activity, and rated the identified weaknesses from critical to low, based on their potential impact.

As of October 2024, 97 of the assessed water systems, which serve approximately 27 million individuals, contained critical and high-severity issues, OIG’s report (PDF) shows.

An additional 211 drinking water systems, covering roughly 83 million people, were found to be impacted by medium and low-severity weaknesses, as they had externally visible open portals.

“If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” OIG says.

The assessment included mapping the digital footprint for each of the investigated systems, covering the infrastructure used for collecting, pumping, treating, storing, and distributing the drinking water, and involved the analysis of more than 75,000 IPs and 14,400 domains.

The OIG’s report also points out that the EPA itself lacks a “cybersecurity incident reporting system that water and wastewater systems could use to notify the EPA of cybersecurity incidents” and that the agency relies on CISA for this type of reporting.


“Moreover, we were unable to find documented policies and procedures related to the EPA’s coordination with the Cybersecurity and Infrastructure Security Agency and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies,” OIG notes.

The report comes roughly one month after New Jersey-based American Water, which services more than 14 million people in 14 states and on 18 military installations, fell victim to a cyberattack that forced it to shut down certain systems. Water services were not affected.

In May, EPA warned that over 70% of water systems did not comply with the Safe Drinking Water Act, underlining critical-severity issues, such as the use of default passwords and easily hackable authentication systems.
