Federal efforts emphasizing cyber defense underscore vulnerabilities within the water industry
In the ever-evolving digital landscape, the nation's public water systems are facing increasing cyber threats. With more than 90% of community water systems being small and under-resourced, they are particularly vulnerable to these threats.
Recently, Phil Cope from Moody's Ratings highlighted the rising exposure of the water sector due to the installation of data logging equipment and smart meters. This digitalization, while beneficial for efficiency, also exposes these systems to potential cyberattacks.
Katherine Ledesma, head of public policy and government affairs at Dragos, underscored the challenges utilities of all sizes face in defending against cyberattacks. She emphasized the unique challenges in accessing the resources, tools, and expertise needed to bolster their defenses.
Efforts to address these issues are underway, both at the state and federal levels. New York State, for instance, proposed comprehensive cybersecurity regulations in mid-2025, targeting public water and wastewater systems serving significant populations. These regulations require formal security programs, risk and vulnerability assessments, incident response plans, network monitoring, access control, and mandatory cybersecurity training for certified operators.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 is another significant forthcoming federal mandate. Effective from 2026, it will require critical infrastructure operators, including water utilities, to report significant cyber incidents and ransomware payments within tight timelines, enhancing national cyber incident visibility and response.
However, these efforts are not without challenges. The U.S. water sector is diverse and decentralized, making uniform compliance difficult. The EPA's attempt to mandate cybersecurity sanitary surveys in 2023 was withdrawn due to opposition and concerns about feasibility across many water systems.
Small systems often lack the technical and financial resources to implement mandated cybersecurity measures without grants or assistance. The withdrawal of the Biden administration’s EPA's planned sanitary survey cybersecurity audits in 2023 has raised concerns over federal enforcement and reliance on states and utilities to voluntarily comply or adopt regulations.
The sector has experienced increased targeting by cyber attackers. Recent reports indicate over 60% of U.S. and UK water and electric utilities were attacked in the past year, illustrating the urgent need for robust defenses.
Industry officials, including Anne Neuberger, deputy national security advisor for cyber and emerging technologies, have emphasized the need for more resources from the federal government to support the industry if new rules are to be imposed. Alan Roberson, executive director of the Association of State Drinking Water Executives, agrees, stating that if the federal government wants cybersecurity measures to be effective, they need to provide financial support to the states.
Mark Montgomery suggests a public-private collaborative model similar to the electric power industry to address cybersecurity in the water sector. He proposes an outside public-private organization to help implement agreed-upon assessments in the water sector.
Against this backdrop, the EPA, Cybersecurity and Infrastructure Security Agency, and other agencies offer resources such as vulnerability scanning, tabletop exercises, and local funds to water utilities. The National Cyber Security Centre in the UK is also working to address the growing threats against the water sector.
In conclusion, efforts are being made to enhance cybersecurity in the U.S. public water systems, but these efforts face challenges related to regulatory complexity, sector diversity, resource availability, escalating cyber threats, and the lack of federal audit enforcement. Industry officials agree on the need for more resources from the federal government to effectively address these challenges.
- The installation of data logging equipment and smart meters in public water systems exposes them to potential cyberattacks, as highlighted by Phil Cope from Moody's Ratings.
- Katherine Ledesma emphasized that utilities of all sizes face unique challenges in defending against cyberattacks, including accessing the resources, tools, and expertise needed.
- The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, effective from 2026, will require water utilities to report significant cyber incidents and ransomware payments, enhancing national cyber incident visibility and response.
- Despite efforts to address cyber risks in the water sector, small systems often lack the technical and financial resources to implement mandated cybersecurity measures without grants or assistance, as indicated by industry officials.
