Skip to main content
Report File
Date Issued
Submitting OIG
Environmental Protection Agency OIG
Agencies Reviewed/Investigated
Environmental Protection Agency
Report Number
25-N-0004
Report Description

The passive assessment covered 1,062 drinking water systems for cybersecurity vulnerabilities that serve over 193 million people across the United States. Scan results for October 8, 2024, identified 97 drinking water systems serving approximately 26.6 million users as having either critical or high-risk cybersecurity vulnerabilities. Although not rising to a level of critical or high-risk cybersecurity vulnerabilities, an additional 211 drinking water systems, servicing over 82.7 million people, were identified as medium and low by having externally visible open portals. If malicious actors exploited the cybersecurity vulnerabilities identified in this passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure. While attempting to notify the EPA about the cybersecurity vulnerabilities, the OIG found that the EPA does not have its own cybersecurity incident reporting system that water and wastewater systems could use to notify the EPA of cybersecurity incidents.

Report Type
Other
Agency Wide
Yes
Number of Recommendations
0
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Environmental Protection Agency OIG

United States