Cyber concerns escalating in water infrastructure sector reveal underlying vulnerabilities

Cyber concerns escalating in water infrastructure sector reveal underlying vulnerabilities

The U.S. water sector is facing a heightened cyber risk, with an increase in ransomware attacks and threats from foreign entities. However, the withdrawal of plans by the Biden administration to include cybersecurity as part of periodic audits of public water systems has left states to take the lead in implementing protective measures.

Industry officials, including Mark Montgomery and Cathy Tucker-Vogel, have voiced concerns about the EPA's push for mandatory audits and the need for more resources from the federal government to support the industry. Montgomery suggests adopting a public-private collaborative model similar to the electric power industry, potentially through an outside public-private organization to help implement agreed-upon assessments.

In response, states like New York are leading the charge with robust proposed cybersecurity requirements for public water and wastewater systems. These regulations encompass mandatory formal cybersecurity programs, risk and vulnerability assessments, defensive technical safeguards, and emergency response plans. Larger water systems must appoint a qualified executive for cybersecurity oversight and incorporate incident response plans requiring incident reporting to the Department of Health within 24 hours.

To help utilities, especially smaller and under-resourced ones, comply with these new cybersecurity standards, New York is allocating a $2.5 million grant program as part of its 2025 agenda. This financial aid is critical for modernizing digital infrastructure and improving cyber defenses.

The regulations also mandate baseline cybersecurity controls such as access management, network monitoring, cyber asset inventories, and regular cybersecurity training (minimum one hour every three years). The focus is on safeguarding Operational Technology (OT)—systems controlling water operations—and nonpublic information vital to system compliance and security. Vulnerability assessments target these areas to reduce exposure to cyberattacks.

Other local entities, like the Town of Ledyard, Connecticut, invest in operational cybersecurity controls and cyber insurance to mitigate risks and financial impacts from potential cyberattacks.

While the regulatory landscape is increasingly turning toward state-level mandates and cooperative programs, the water sector's exposure is rising due to increasing digitalization through the installation of data logging equipment and smart meters. Moody's sees the water and wastewater sectors as one of the top five industry sectors at the highest risk of attack.

Anne Neuberger, deputy national security advisor for cyber and emerging technologies, stated that the nation's water systems face cyber threats from criminals and countries alike. The National Cyber Security Centre in the U.K. is working diligently to address the growing threats against the water sector, as highlighted by recent attacks against Veolia North America and Southern Water in the U.K.

As the threat landscape evolves, EPA officials have outlined additional efforts to create a Water Sector Cybersecurity Task Force. The court challenge against the withdrawal of federal audit plans was led by attorneys general from Missouri, Iowa, and Arkansas, and supported by the American Water Works Association and the National Rural Water Association.

In summary, without a direct federal audit regime, states like New York are advancing enforceable cybersecurity regulations for public water systems. These measures focus on vulnerability management, incident response, executive accountability, and grant-supported compliance assistance, aiming to bolster resilience against growing cyber threats targeting water infrastructure. Other local entities adopt cybersecurity controls and insurance to further reduce risks. The water sector continues to confront cybersecurity challenges, but with states taking action and collaborative efforts, progress is being made to protect this critical infrastructure.

[1] New York State Department of Health. (2023). Proposed Cybersecurity Regulations for Public Water and Wastewater Systems. Retrieved from https://www.health.ny.gov/regulations/cybersecurity/

[2] Town of Ledyard. (2024). Cybersecurity Measures and Insurance. Retrieved from https://www.ledyard-ct.gov/government/departments/water-utilities/cybersecurity

[3] Association of State Drinking Water Administrators. (2023). Statement on Cybersecurity Regulations for Public Water Systems. Retrieved from https://asdwa.org/news-and-publications/asdwa-news-and-publications/asdwa-news-and-publications/2023/08/23/statement-on-cybersecurity-regulations-for-public-water-systems

1. The proposed regulations by New York State include mandatory formal cybersecurity programs, risk and vulnerability assessments, defensive technical safeguards, and emergency response plans, aiming to bolster resilience against growing cyber threats in the water sector.
2. In an effort to aid utilities, New York has allocated a $2.5 million grant program to help smaller and under-resourced ones comply with these new cybersecurity standards, with the focus on modernizing digital infrastructure and improving cyber defenses.
3. Under the regulations, larger water systems must appoint a qualified executive for cybersecurity oversight and incorporate incident response plans requiring incident reporting to the Department of Health within 24 hours.
4. Vulnerability assessments are targeted at key areas such as Operational Technology (OT) systems and nonpublic information to reduce exposure to cyberattacks, as part of the ongoing efforts to protect the critical water infrastructure.

Read also: