Water and wastewater utilities have become a growing target for cybercriminals and nation-state actors, highlighting the urgent need for stronger cybersecurity across the industry. As utilities continue integrating operational technology (OT), remote access systems, cloud connectivity, and smart infrastructure into daily operations, cybercriminals are increasingly exploiting vulnerabilities that can disrupt critical services and compromise public health.
The United States is home to more than 148,000 public water systems and over 23,000 wastewater treatment systems, many of which operate essential infrastructure with limited cybersecurity resources. This broad attack surface has made the sector an attractive target for increasingly sophisticated cyber campaigns.
Geopolitical Tensions Increase Cyber Risks
Recent geopolitical tensions have heightened these concerns. While comprehensive statistics for 2026 are still emerging, federal agencies have already warned of escalating cyber threats tied to the ongoing conflict involving Iran, Israel, and the United States. In April, the EPA, FBI, CISA, NSA, Department of Energy, and U.S. Cyber Command issued a joint cybersecurity advisory warning that Iran-affiliated Advanced Persistent Threat (APT) actors were actively targeting internet-facing OT devices, including Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) commonly used throughout the water sector. The advisory noted that several organizations across critical infrastructure sectors experienced operational disruptions and financial losses resulting from malicious manipulation of OT environments.
Federal agencies continue urging utilities to immediately review remote access configurations, remove internet exposure from OT devices where possible, strengthen authentication controls, and improve network segmentation between informational technology (IT) and OT systems. These warnings reinforce a growing reality that cybersecurity is no longer solely an IT concern; it is an operational reliability and public safety issue.
New Regulations Signal Higher Expectations
Regulators are also responding with stronger cybersecurity requirements for utilities. On July 22, 2025, New York Governor Kathy Hochul announced nation-leading cybersecurity regulations designed specifically to strengthen protections for water and wastewater systems. Portions of those regulations took effect this year and include requirements for operator cybersecurity awareness training, vulnerability assessments, incident response planning, and cyber incident reporting within 24 hours. Industry experts widely anticipate that other states will adopt similar requirements in the coming years as cybersecurity expectations continue to evolve.
These regulatory developments reflect a broader industry shift toward treating cybersecurity as an essential operational function, similar to safety, compliance, and asset reliability.
Artificial Intelligence Changes the Threat Landscape
The industry is also facing a rapidly changing threat of landscape driven by artificial intelligence (AI). In May 2026, the industrial cybersecurity firm Dragos reported an AI-assisted intrusion targeting Dragos reported on an AI-assisted intrusion involving multiple Mexican government organizations, including a municipal water utility. According to Dragos, attackers used Anthropic’s Claude and OpenAI GPT tools to accelerate reconnaissance, identify OT assets, and develop attack tooling against industrial systems. Researchers noted that the attackers themselves appeared to have limited OT expertise, highlighting how AI tools may significantly lower the barrier to entry for less experienced threat actors.
For utilities, this means cybersecurity preparedness must extend beyond technology alone. Employee awareness and operational discipline remain among the strongest defenses against modern threats.
Building a Strong Human Firewall
Understanding that a knowledgeable workforce is a safer workforce, U.S. Water is committed to strengthening its human firewall by providing cybersecurity awareness and phishing simulation training to every employee on a bi-weekly basis. The company also regularly communicates emerging cyber threats and best practices to its workforce to reinforce a culture of vigilance and accountability.
“Cybersecurity in the water sector is no longer optional, it is foundational to operational reliability and public trust,” said Ken Girkin, U.S. Water’s Manager of IT. “Threat actors are becoming more sophisticated, and the convergence of IT and OT systems means utilities must take a proactive, layered approach to cybersecurity. Continuous training, strong operational controls, and rapid response capabilities are critical to protecting critical infrastructure.”
Resources and Support For Utilities
Utilities are not alone in facing these challenges. Numerous federal and state resources are available to support cybersecurity readiness, including guidance and advisories from the EPA, CISA, FBI, and WaterISAC. Many organizations also offer free cybersecurity assessments, vulnerability scanning tools, incident response guidance, and training resources specifically designed for water and wastewater operators.
As a trusted operations and maintenance partner, U.S. Water works closely with clients to help strengthen operational resilience and support cybersecurity best practices within their facilities. While cybersecurity is a shared responsibility, U.S. Water’s operational teams understand the importance of maintaining secure remote access practices, following established cyber hygiene protocols, reinforcing workforce awareness, and supporting compliance with evolving regulatory expectations.
Through a combination of operational expertise, employee training, and ongoing collaboration with facility owners, U.S. Water remains committed to helping utilities safely and reliably deliver essential services in an increasingly complex threat environment.
Sources
- EPA, FBI, CISA, NSA Joint Cybersecurity Advisory Regarding Iranian Cyber Threats to Water Systems
https://www.epa.gov/newsreleases/epa-fbi-cisa-nsa-issue-joint-cybersecurity-advisory-water-system-regarding-iranian - New York Governor Kathy Hochul Announces New Cybersecurity Regulations for Water and Wastewater Systems
https://www.governor.ny.gov/news/governor-hochul-announces-new-nation-leading-cybersecurity-regulations-launches-grant-program - Cyber Readiness Institute, New York Approves Cyber Readiness Program for Wastewater Operators
https://cyberreadinessinstitute.org/news-and-events/new-york-approves-cyber-readiness-program-for-wastewater-operators/ - StateScoop, New York Issues Cybersecurity Regulations for Water and Wastewater Utilities
https://statescoop.com/water-wastewater-new-york-cybersecurity-regulations/ - Dragos Report on AI-Assisted OT Attacks Against Water Utilities
https://www.dragos.com/blog/ai-assisted-ics-attack-water-utility - EPA Water Sector Cybersecurity Information
https://www.epa.gov/waterutilityresponse/water-sector-cybersecurity - CISA Water and Wastewater Systems Sector Cybersecurity Resources
https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/water-and-wastewater-systems-sector - Water Information Sharing and Analysis Center (WaterISAC)
https://www.waterisac.org/ - American Water Works Association (AWWA) Cybersecurity Guidance
https://www.awwa.org/resources-tools/water-knowledge/water-utility-cybersecurity - National Institute of Standards and Technology (NIST) Cybersecurity Framework
https://www.nist.gov/cyberframework