Exclusive: America Is Struggling to Safeguard Water Supply From Hackers, New EPA Data Shows - The Messenger

Water utilities across the United States are making important progress in hardening their cyber defenses, but they’re struggling to implement some advanced technologies, according to data obtained exclusively by The Messenger.

The data, contained in an Environmental Protection Agency spreadsheet received through a Freedom of Information Act request, highlights the water sector’s uneven progress in improving its digital defenses. The spreadsheet shows that small utilities are lagging behind their larger peers; that funding issues have prevented utility managers from buying sophisticated protections; and that a shortage of security experts has limited utilities’ ability to practice ongoing readiness.

In March, the EPA began requiring state water system supervisors to review utilities’ cyber defenses as part of their periodic inspections. The directive—which is paused while a court reviews its legality—reflects the Biden administration’s eagerness to shore up cybersecurity oversight of critical infrastructure. Experts say the water sector remains one of the country’s weakest links.

“Water has been one of the more challenging sectors, just because there's so many of them, [and] so many of them are smaller or medium-sized organizations that just don't have the bandwidth, either in people or funding, to do these projects,” said Marty Edwards, deputy chief technology officer at Tenable, a cybersecurity firm that works with many critical infrastructure providers.

The previously unreported EPA data offer a glimpse into the improvements occurring throughout the water sector, which has long overlooked its cybersecurity vulnerabilities.

The EPA says the data reflect important progress. “Overall, we're pleased,” said an EPA official, who insisted on anonymity to discuss security issues. “We saw important, significant improvements in a lot of very essential areas in cybersecurity.”

But the data also show how difficult it remains for many utilities to fend off hackers seeking to interfere with one of Americans’ most vital resources.

“Water utilities are struggling to do the basics … and it will take time to incorporate significant cyber risk reduction measures,” said Brian Harrell, a former assistant director for infrastructure security at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Meanwhile, in a sign of how desperate the EPA is to convince water utilities to undergo cyber checkups, the agency has transferred its inspections to a contractor and will no longer collect the results itself.

Data show “some good improvements”

The EPA data comes from assessments that were conducted between spring 2020 and spring 2023, with the program ending when the agency issued its new inspection requirements. It is based on initial surveys of 249 utilities that volunteered to be reviewed and six- and 12-month follow-up examinations that only some of those utilities completed. Of the 249 initial participants, 70 percent serve fewer than 20,000 customers, and roughly half serve fewer than 5,000 customers. 

There are more than 150,000 public water systems in the U.S., so the data cover only a tiny sliver of the sector. Plus, the data is self-reported and unverified, obtained through interviews with utility personnel. But despite its limitations, the document represents the public’s first look at government data on the cybersecurity posture of the water sector.

Unsurprisingly, some of the easiest cybersecurity measures were among the most implemented practices during the project. These included developing a list of basic cyber best practices (62 of 249 water utilities did this at some point during the project), designating an employee to receive and act on government cyber alerts (58 utilities), and regularly testing data backup (57 utilities).

Backup testing is “a significant step” that represents a shift toward “more proactive work,” Edwards said.

Other commonly implemented steps included conducting vulnerability assessments of critical technology and updating technology inventories with key data like software versions, both of which help utilities minimize the likelihood of intrusions and maintain awareness of potential risks.

The EPA’s initial assessments of participating water utilities appear to have alerted some of them to important but easily fixed gaps in their preparedness, as evidenced by the data. Between the initial assessment and the first follow-up, 40 of the 166 utilities that completed the follow-up assigned a backup cybersecurity point person in case their primary expert was unavailable, and the same number updated their emergency plans with contact information for key federal agencies like the FBI.

“It looks like the water sector is making some good improvements here,” Edwards said.

Some utilities took longer to implement basic steps. Between the first and second follow-ups, 19 of the 118 utilities that completed all three reviews updated their technology inventories, and 16 utilities developed regular security patching processes.

Some of the most important cybersecurity practices were implemented in low numbers during the project, but for an encouraging reason: Most utilities were already doing them. For example, of the 249 utilities surveyed at the beginning of the project, 185 told the EPA that they were restricting employees’ access to network resources based on those employees’ job functions, and 175 utilities said all their networked devices had anti-virus software.

“We think we saw a lot of good improvement in important areas,” the EPA official said, pointing to best-practices lists, training programs, backup testing and asset inventories.

Time-intensive practices were some of the least implemented at the beginning of the project: Only 18 utilities reported conducting drills to prepare for cyber incidents, for instance, and just 44 said they conducted post-incident debriefs.

When the EPA launched its project, only 21 utilities told the agency that they considered employees’ execution of their cybersecurity responsibilities in their performance evaluations. It was the least implemented practice at the beginning of the project, and it saw one of the weakest improvements during the project, with only 23 utilities starting to do it.

Why water systems struggle

Water utilities face several major challenges that prevent or delay cybersecurity improvements that long ago became the norm in other sectors of critical infrastructure like financial services and energy.

Money is one of the biggest problems. Public water systems receive funding from local tax dollars, making it politically difficult to request large budget increases. Most public water systems serve small, often rural communities that couldn’t afford to fund major cybersecurity improvements even if they wanted to. Indeed, 93 percent of systems serve fewer than 10,000 people, with 59 percent serving fewer than 500 people, according to the most recent data available.

Funding issues prevent utilities from installing some of the most sophisticated protections, such as intrusion detection systems, which only 84 utilities said they used before the EPA project and only 30 added during the project.

There also aren’t nearly enough cybersecurity experts at water utilities to implement the necessary improvements, both because utilities can’t afford to pay them and because of the national cyber workforce shortage. “In the conversations I have with my peers, it’s one of those things that’s definitely top of mind,” said the manager of one rural Midwestern water system, who requested anonymity to avoid making his utility a target.

Without the funds to hire dedicated cybersecurity or IT staff, utilities can’t conduct drills or other time-intensive preparations that could save them time and money later. “We just do not have the people available to put those kinds of processes in place,” the utility manager said.

Dedicated staff are also important for maintaining protections over time. A utility can’t just install a firewall and forget about it. Someone has to keep reconfiguring it as new threats emerge.

Funding and personnel constraints force utilities to prioritize their projects, and cybersecurity rarely wins out over, say, replenishing water treatment chemicals or rebuilding distribution pipes. “Unfortunately, it does take a backseat to some of the stuff that we have to deal with every day,” said the utility manager.

An agency under scrutiny

The EPA data, while capturing progress in only a small fraction of the water sector, contains important lessons about the sector’s cybersecurity improvements. But the government has stopped collecting this vital information.

After the agency issued its March 3 cyber inspection requirements for water systems, it created a new evaluation program and hired a contractor to perform future assessments. In a letter to The Messenger, David Travers, director of the EPA’s Water Infrastructure and Cyber Resilience Division, said the agency contractor’s reports are “given only to the water system,” and the EPA “does not collect any assessment results.”

An aerial view of the East Bay Municipal Utility District Wastewater Treatment Plant on April 29, 2020 in Oakland, California. (Justin Sullivan/Getty Images)

Without detailed data on water utilities’ cybersecurity postures, it’s unclear whether the EPA can effectively oversee the sector. And the agency’s voluntary surrendering of these insights is likely to fuel concerns that it’s outmatched by the scale of its responsibilities.

“This reduction in direct oversight by EPA is disappointing but not surprising,” said Mark Montgomery, executive director of CSC 2.0, the successor organization to the congressionally chartered Cyberspace Solarium Commission. “EPA’s water cybersecurity efforts are not properly resourced or organized by Congress or the executive branch and this is a decades-long problem.”

An EPA official said the agency decided not to collect assessment reports because of the sensitivity of the data and to encourage participation by utilities worried about a regulator scrutinizing their performance. The official did not explain why they believed utilities and state governments were better able to protect sensitive information than the federal government, which, despite occasional breaches, successfully safeguards vast quantities of highly classified intelligence.

The EPA can still get summary data from its contractor, which has so far performed approximately 90 assessments to help utilities comply with its new inspection rules, according to the official. That data “would give us a picture of where utilities are currently having issues,” the official said. “We haven't done that yet, just because the program is still in a relatively early stage, but as we generate more data, that may be something that we would choose to do.” 

An even more worrying factor: the data obtained by The Messenger may mask the true extent of vulnerabilities in the water sector. According to the EPA official, “the systems that we're most concerned about are not the proactive systems that are signing up for programs like this.” In other words, the very fact that these systems volunteered for assessments may hint that they’re more engaged with cybersecurity than the average water utility.

In any event, if the available data shows anything, it’s that the water sector has a long way to go before it’s fully prepared to repel sophisticated cyberattacks.

“If something does happen, I mean, it can be significant,” the rural utility manager said. “It's important that we all take this threat seriously.”
