What Is the Scale of the Water Infrastructure at Risk?
America’s water systems face a threat landscape that regulators are not equipped to handle. A recent report from the US Government Accountability Office warns that state-backed hackers and criminal syndicates are growing more capable of targeting the facilities that deliver drinking water and treat wastewater. Federal agencies lack the legal authority and the resources to close the gaps. The result is a sprawling, decentralized network of critical infrastructure that remains exposed.

The sheer size of the sector makes defense difficult. The United States operates more than 153,000 drinking water systems and 16,500 wastewater systems. These facilities are spread across cities, suburbs, and rural communities. Many serve small populations with limited budgets. Others are large municipal utilities with complex networks. No single organization owns or operates all of them. This fragmentation means that a vulnerability in one small plant can be just as dangerous as a weakness in a major urban system, because attackers often scan broadly for any open door.
Each of these facilities depends on operational technology, or OT: the software and hardware that controls physical processes. OT systems turn pumps on and off, monitor water levels in tanks, adjust pressure in pipes, and manage chemical dosing for treatment. For decades, these systems operated in near-total isolation. That isolation was itself a security feature. Today, that protection is eroding.
How Has Connectivity Increased Vulnerability?
The convergence of operational technology with internet-enabled devices has fundamentally changed the risk equation. Engineers can now adjust a valve or check a tank level from a remote location. This convenience is valuable across large, geographically spread-out water networks. But the same connectivity that allows a technician to monitor a pump from home also allows an attacker on the other side of the world to attempt the same action.
The GAO found that the merging of OT and internet-connected systems has increased the ability of online attackers to reach critical operational controls. A water facility that once relied on air-gapped control panels may now have those same panels connected to a corporate network, which in turn connects to the internet. Each connection point is a potential entry. Many facilities lack network segmentation, meaning that an intrusion into an administrative computer can lead directly to the systems that manage water pressure and chemical levels.
This is not a hypothetical risk. The consequences of a successful attack could cascade well beyond a disrupted water bill. Hospitals depend on water for patient care. Power plants rely on it for steam generation and cooling. A compromised water system could trigger failures across health care, energy, and other critical sectors. The GAO report explicitly warns that the interdependence of water with other infrastructure amplifies the danger.
What Real-World Attacks Have Already Occurred?
The threat is not theoretical. Ransomware attacks have already hit water and wastewater facilities in California, New Jersey, and Nevada. In each case, malicious software locked staff out of their own computer systems. Workers had to revert to manual operations, running pumps and valves by hand while the digital systems were offline. These incidents caused service disruptions and placed strain on operators who were already stretched thin.
In November 2023, an Iran-affiliated hacking group targeted multiple organizations, including a water system in Pennsylvania. Staff at that facility had to halt pumping at one station and switch to manual control. The attack demonstrated that nation-state actors view water infrastructure as a legitimate target. More recently, in April 2026, the Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency issued a joint advisory warning that Iran-aligned groups were continuing to target technologies commonly used in water and wastewater facilities.
These events show a pattern. Attackers are probing water systems with increasing persistence. The methods vary — ransomware for financial gain, disruptive strikes for geopolitical reasons — but the outcome is the same: critical services interrupted and human health put at risk. The GAO report makes clear that these are not isolated incidents but symptoms of a systemic vulnerability.
What Are the Structural Obstacles to Improving Defenses?
Despite the clear danger, the water sector faces serious structural barriers to improving its cybersecurity posture. Many facilities were built decades ago, long before the current threat environment existed. Their aging operational technology systems are often incompatible with modern security protocols. Replacing or upgrading them requires significant capital investment, and smaller systems in particular cannot easily afford it.
Workforce shortages compound the problem. Water utilities compete with other industries for cybersecurity talent, and they rarely win. Salaries in the public sector lag behind private-sector offers. Experienced security professionals tend to gravitate toward finance, technology, and healthcare, leaving water facilities understaffed. The people who do work at water plants are often trained in civil or environmental engineering, not in network defense. They know how to keep water clean, but they may not know how to detect an intrusion in their SCADA systems.
There is also a straightforward question of priorities. Meeting regulatory requirements for safe and clean water — testing for contaminants, maintaining pressure, ensuring compliance with the Safe Drinking Water Act — competes directly with spending on cybersecurity. When budgets are tight, the immediate health concern wins. The GAO notes that basic cyber hygiene, such as changing default passwords, keeping operating systems up to date, and maintaining clear separation between administrative and operational networks, is not consistently implemented across the sector.
Default passwords are a telling example. Many OT devices ship from the factory with credentials like “admin/admin” or “1234.” In an isolated network, this might have been acceptable. On a connected network, it is an invitation. Yet facilities continue to operate with these defaults because no one has made changing them a priority, or because the staff who would do so are busy with other tasks. The GAO report identifies this lack of basic hygiene as a widespread weakness.
What Is the Federal Response and Its Limitations?
The federal government has taken steps to address the problem, but those steps remain incomplete. A GAO report from August 2024 found that the EPA had not conducted a comprehensive cybersecurity risk assessment for the water sector. Without such an assessment, it is difficult to know where to focus resources or how to measure progress. The EPA eventually completed that assessment in January 2025, but the delay left the sector operating without a clear picture of its own risks for years.
More critically, the EPA lacks legal authority to require cybersecurity risk assessments from wastewater systems and certain smaller drinking water systems. This is a gap that no amount of guidance or voluntary best practices can fill. When compliance is optional, the facilities with the fewest resources — often the ones most at risk — are the least likely to act. The GAO report concludes that federal regulators do not yet have the legal tools or the resources to fix the problem comprehensively.
The fragmented ownership structure of the water sector compounds this regulatory challenge. No single agency has jurisdiction over all 153,000 drinking water systems and 16,500 wastewater systems. The EPA oversees drinking water quality under the Safe Drinking Water Act, but its authority over cybersecurity is limited. CISA provides threat intelligence and incident response support, but it cannot mandate security upgrades. The result is a patchwork of oversight that leaves many facilities outside any enforceable framework.
The GAO report calls for clearer lines of authority and for additional resources to be directed to the sector. It also recommends that federal agencies work more closely with state and local governments, since many water systems are owned by municipalities. But until Congress acts to expand the EPA’s legal authority, the most vulnerable systems will remain beyond the reach of federal oversight.
Frequently Asked Questions
How can a small water utility with limited budget improve its cybersecurity posture?
A small utility can start with basic cyber hygiene measures that cost little or nothing. Changing default passwords on all OT and IT devices, applying security patches when they become available, and segregating administrative networks from operational control systems are all high-impact, low-cost steps. Staff can also participate in free threat-sharing programs offered by CISA and state-level cybersecurity centers. Even without a dedicated security team, these foundational practices reduce the most common attack vectors significantly.
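The three measures above, as an added example that is not taken from the GAO report or from any utility's tooling: a Python audit that flags factory default credentials, overdue patches, and OT zones that are transitively reachable from the internet through permitted network flows. The inventory, zone names, field names and the 90-day patch threshold are all assumptions constructed for illustration.

```python
from collections import deque

# Constructed sample data, not from any real utility.
# Zone-to-zone flows the firewalls permit, as (source, destination).
FLOWS = [("internet", "admin"), ("admin", "ot-pumps"), ("admin", "historian-dmz")]
ASSETS = [
    {"name": "billing-pc", "zone": "admin", "default_creds": False, "patch_age_days": 20},
    {"name": "pump-hmi", "zone": "ot-pumps", "default_creds": True, "patch_age_days": 400},
    {"name": "dosing-plc", "zone": "ot-chem", "default_creds": True, "patch_age_days": 30},
]
OT_ZONES = {"ot-pumps", "ot-chem"}


def paths_from(flows, start):
    """Breadth-first search: shortest permitted path from start to each zone."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    paths, queue = {start: [start]}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, []):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths


def audit(assets, flows, ot_zones, max_patch_age_days=90):
    """Return (asset, finding) pairs for the three hygiene items.

    max_patch_age_days is an assumed threshold, not a figure from the report.
    """
    exposed = paths_from(flows, "internet")
    findings = []
    for a in assets:
        if a["default_creds"]:
            findings.append((a["name"], "factory default credentials"))
        if a["patch_age_days"] > max_patch_age_days:
            findings.append((a["name"], "patches overdue"))
        if a["zone"] in ot_zones and a["zone"] in exposed:
            route = " -> ".join(exposed[a["zone"]])
            findings.append((a["name"], "OT reachable via " + route))
    return findings


if __name__ == "__main__":
    for name, finding in audit(ASSETS, FLOWS, OT_ZONES):
        print(f"{name}: {finding}")
```

In the sample data the pump HMI is reachable only indirectly, through the administrative zone, which is the flat-network path the segmentation measure is meant to close; the dosing PLC sits in a zone with no permitted inbound flow and is flagged for its credentials alone.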
What is the difference between IT security and OT security in the context of water systems?
IT security focuses on protecting data, networks, and endpoints like servers and workstations, with priorities around confidentiality and integrity. OT security protects the hardware and software that directly control physical processes — pumps, valves, chemical feeders, and pressure regulators. The priority in OT is availability and safety: stopping a pump unexpectedly can cause a pipe burst or a treatment failure. Patching an OT device often requires scheduled downtime, because a reboot could interrupt water service. This operational constraint makes OT security fundamentally different from conventional IT security.
Why does the EPA lack authority over wastewater systems for cybersecurity assessments?
The EPA’s legal authority under the Safe Drinking Water Act covers drinking water systems but does not extend to wastewater systems in the same way. Wastewater facilities fall under different regulatory frameworks, and Congress has not explicitly granted the EPA the power to require cybersecurity risk assessments from them. A similar gap exists for smaller drinking water systems that serve fewer than a certain number of people. Closing these gaps would require new legislation that expands the EPA’s jurisdiction over cybersecurity in the water sector.
The GAO report makes one thing clear: the cybersecurity gaps in water systems are not going to close on their own. The infrastructure is too large, too old, and too fragmented. The attacks are already happening, and the regulatory tools available are insufficient. Until federal authority is expanded and resources are directed to the facilities that need them most, the water systems that millions of Americans depend on every day will remain a vulnerable target.






