
The Environmental Protection Agency unveiled new cybersecurity planning tools this week designed to protect America's 150,000 public water systems from cyberattacks that threaten access to safe drinking water for millions. The release comes as water infrastructure faces unprecedented digital threats, with over 300 systems already identified as critically vulnerable and attacks increasing in frequency and sophistication.
The timing reflects urgent reality: cyberattacks against water utilities have escalated dramatically, with Chinese hackers reportedly accessing systems for at least five years, Russia-affiliated groups actively targeting treatment facilities, and ransomware incidents forcing major utilities offline. A single-day disruption to US water systems could jeopardize $43.5 billion in economic activity while creating public health emergencies affecting entire regions.
"Strengthening cybersecurity for the US water sector is critically important because cyber resilience and water security are key to national security," said EPA Assistant Administrator for Water Jess Kramer. "Water systems across the country are facing cyberattacks that threaten the ability to provide safe water."
The new tools, such as templates for responding to incidents, checklists for emergency actions, and guidance for buying cybersecurity solutions, aim to address issues that inspections frequently uncover: default passwords on critical equipment, unsecured remote access points, networks that aren't separated, and operational technology linked to the internet that unauthorized users can access to alter water treatment processes.
Water infrastructure faces a complex threat landscape.
Recent incidents demonstrate the severity of risks. In October 2024, a cyberattack forced American Water, the nation's largest publicly traded water utility serving over 14 million people across 14 states, to disconnect billing systems and customer portals. While water quality and operations weren't directly affected, the breach highlighted how IT and operational technology vulnerabilities intersect in critical infrastructure.
The Arkansas City Water Treatment Facility switched to manual operations in September after a cybersecurity incident compromised digital controls. Facilities in Pennsylvania and Texas have faced attacks from Iran- and Russia-affiliated actors. CISA warnings identify pro-Russia hacktivist groups actively targeting industrial control systems within water utilities, often exploiting weak cyber hygiene practices.

A recent EPA assessment revealed troubling patterns: many water systems failed to change default passwords, didn't revoke access for former employees, used single login credentials for all staff, and operated unsecured Human Machine Interface devices visible to anyone with an internet connection and the device's IP address. These aren't sophisticated zero-day exploits—they're basic security failures enabling brute-force attacks using readily available tools.
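The four failures that assessment lists (vendor-default logins, access that outlived the employee, one shared credential for all staff, and control devices reachable from the internet) can all be checked mechanically against a maintained asset inventory. The following is an added example, not an EPA tool and not code from the article: it audits a constructed inventory and firewall allow-list for those four conditions. The asset names, addresses, employee ids, trusted network ranges and the vendor-default credential list are all made up for illustration; the inventory stores only credential hashes, so the check compares hashes of the known defaults rather than handling plaintext secrets.

```python
"""Added example, not an EPA tool: audit a constructed asset inventory and
firewall policy for the hygiene failures the EPA assessment describes."""
import hashlib
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Account:
    username: str
    password_sha256: str   # the inventory records only a hash, never the secret
    owners: tuple = ()     # employee ids who know this login


@dataclass
class Asset:
    name: str
    kind: str              # "HMI", "PLC", "VPN", ...
    address: str           # management IP on the OT network
    accounts: list = field(default_factory=list)


@dataclass
class AllowRule:
    source: str            # CIDR allowed to connect (0.0.0.0/0 = anyone on the internet)
    destination: str       # asset address the rule forwards to
    port: int


def sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Hypothetical vendor-default logins (placeholders, not real vendor defaults).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("operator", "operator"), ("admin", "1234")}
DEFAULT_HASHES = {(u, sha256_hex(p)) for u, p in DEFAULT_CREDENTIALS}

# Networks a control device may legitimately be reached from (constructed:
# the plant OT LAN and the VPN address pool).
TRUSTED_SOURCES = [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/24")]


def audit(assets, rules, current_staff):
    """Return (asset, rule_id, detail) findings; an empty list means clean."""
    findings = []
    for asset in assets:
        # Rule 1: a control device reachable from outside the trusted ranges
        for rule in rules:
            src = ip_network(rule.source)
            exposed = not any(src.subnet_of(t) for t in TRUSTED_SOURCES)
            if rule.destination == asset.address and asset.kind in {"HMI", "PLC"} and exposed:
                findings.append((asset.name, "internet-exposed",
                                 f"port {rule.port} reachable from {rule.source}"))
        for acct in asset.accounts:
            # Rule 2: vendor-default credential still in use
            if (acct.username, acct.password_sha256) in DEFAULT_HASHES:
                findings.append((asset.name, "default-credential", acct.username))
            # Rule 3: one login shared by several people (no individual accountability)
            if len(acct.owners) > 1:
                findings.append((asset.name, "shared-credential",
                                 f"{acct.username} used by {len(acct.owners)} people"))
            # Rule 4: login still usable by someone no longer on staff
            departed = sorted(o for o in acct.owners if o not in current_staff)
            if departed:
                findings.append((asset.name, "stale-access",
                                 f"{acct.username} still usable by {', '.join(departed)}"))
    return findings


# Constructed sample inventory: one badly configured HMI, one well-kept PLC.
SAMPLE_ASSETS = [
    Asset("clearwell-hmi", "HMI", "10.20.5.10",
          [Account("admin", sha256_hex("admin"), ("e101", "e102", "e103"))]),
    Asset("filter-plc-2", "PLC", "10.20.5.20",
          [Account("maint", sha256_hex("constructed-strong-passphrase"), ("e104",))]),
]
SAMPLE_RULES = [
    AllowRule("0.0.0.0/0", "10.20.5.10", 5900),      # VNC forwarded from the internet
    AllowRule("10.30.0.0/24", "10.20.5.20", 44818),  # PLC reachable only from the VPN pool
]
CURRENT_STAFF = {"e101", "e102", "e104"}   # e103 has left the utility


if __name__ == "__main__":
    for asset, rule_id, detail in audit(SAMPLE_ASSETS, SAMPLE_RULES, CURRENT_STAFF):
        print(f"{asset:15} {rule_id:20} {detail}")
```

Run against the sample data, the HMI produces all four findings and the PLC none. The same loop can be pointed at a real inventory export; the value is less in the rules themselves than in having an inventory complete enough for the rules to run over, which is the "asset awareness" gap the EPA analysts describe.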
Cole Dutton, a cybersecurity analyst within the EPA's Office of Water, explained the scope during a recent webinar: "What I have found in this year of discovery is that there is a general lack of asset awareness across the water sector. Many times when we've performed outreach notifications, the systems just did not know they had those devices internet-exposed."
The threat extends beyond technical vulnerabilities. Water utilities face chronic underfunding, legacy infrastructure built without cybersecurity considerations, and operational technology systems never designed for internet connectivity. Most concerning: roughly 97% of US water systems serve populations under 10,000—small, often rural utilities lacking dedicated IT staff or cybersecurity expertise, making them particularly vulnerable despite their critical local importance.
What do the new EPA tools provide?
The EPA's October 2025 release includes four key resources addressing the most pressing vulnerabilities:
Emergency Response Plan Guide for Wastewater Utilities: Updated guidance describing strategies, resources, plans, and procedures utilities can use to prepare for and respond to incidents—natural or man-made—that threaten life, property, or the environment. The guide emphasizes scalability, recognizing that emergency planning for a 500-person rural system differs dramatically from metro area utilities.
Cybersecurity Incident Response Plan Template: A new template helping drinking water and wastewater systems develop comprehensive plans specifically for cyber incidents. Unlike general emergency plans, this addresses unique challenges of digital attacks: how to maintain water safety when control systems are compromised, when to switch to manual operations, and how to communicate with regulators and customers without revealing vulnerabilities to active attackers.
Incident Action Checklists: Two new checklists requested by the water sector to help utilities prepare for, respond to, and recover from specific emergencies, including wildfires, power outages, floods, and cybersecurity incidents. These practical tools guide operators through immediate actions during crises when clear thinking becomes difficult.
Cybersecurity Procurement Checklist: This guide helps utilities include cybersecurity in their buying processes by checking the security practices of vendors and manufacturers before making purchases, instead of finding problems after the equipment is installed. This proactive approach addresses supply chain risks where third-party devices introduce vulnerabilities beyond utility control.
Why do water systems continue to be vulnerable?
The water sector faces unique cybersecurity challenges stemming from industry structure and technological evolution. Almost 60% of serious weaknesses in the technology used by water systems are linked to controller assets—like programmable logic controllers and variable frequency drives that control treatment processes and distribution. Over 90% of IT system vulnerabilities involve connectivity devices like VPNs and remote administration tools.

The rapid digitization of water treatment created attack surfaces that didn't exist decades ago. Many facilities leapt from manual operations to highly digital systems within years, introducing internet connectivity, remote monitoring, and automated controls without corresponding security infrastructure. Legacy equipment runs outdated software that manufacturers no longer support with security patches. Budget constraints mean many utilities defer cybersecurity investments in favor of immediate operational needs.
Outsourcing compounds complexity. Small utilities frequently contract IT management to third parties who may install equipment without properly securing it, leave default passwords unchanged, or fail to implement network segmentation. Dutton emphasizes this point: "The onus is not always on the water systems. Most water systems in the United States are small systems, small rural systems, and they don't have the in-house technical expertise."
Staffing presents another barrier. The water workforce faces retirement waves while struggling to attract younger workers with cybersecurity skills. According to recent assessments, many utilities lack even basic cybersecurity training for staff who interact with digital systems daily. This knowledge gap means well-intentioned employees can inadvertently introduce vulnerabilities through practices like clicking phishing emails or using weak passwords.
The national security dimension
Water infrastructure attacks aren't just public health threats—they're national security concerns. CISA and allied security agencies revealed in 2024 that Chinese state-sponsored hackers maintained access to US water sector networks for at least five years. These aren't opportunistic criminals seeking ransom. They're sophisticated adversaries potentially pre-positioning for future disruption during geopolitical conflicts.
The Cyber Army of Russia Reborn, linked to Advanced Persistent Threat 44 (also known as Sandworm), actively targets smaller water systems with weak cybersecurity postures. These attacks serve multiple purposes: immediate disruption, intelligence gathering about US infrastructure vulnerabilities, and potentially planting persistent access for future activation.
Water systems intersect with other critical infrastructure in ways that cascade failures across sectors. Major disruptions affect healthcare facilities unable to sterilize equipment, manufacturers requiring water for production, data centers needing cooling, and agricultural operations. The economic analysis estimating $43.5 billion at risk from a one-day disruption probably underestimates the total impact because it does not fully account for these cascading effects.
Looking forward: compliance and collaboration
The EPA tools arrive as regulatory timelines converge. Water systems face Risk and Resilience Assessment recertification deadlines based on population served—systems with 100,000+ residents by March 31, 2025; 50,000-99,999 by December 31, 2025; and 3,301-49,999 by June 30, 2026. Emergency Response Plans must be recertified six months after RRA completion.
Additionally, the Cybersecurity and Infrastructure Security Agency's CIRCIA (federal cyber incident reporting) becomes effective May 2026, requiring covered entities, including water systems, to report substantial cyber incidents within specific timeframes. While regulatory details remain in development, utilities should begin preparing reporting procedures now rather than scrambling to implement compliance systems later.
The EPA emphasizes that tools alone won't secure water systems—ongoing collaboration between federal agencies, state regulators, utilities, vendors, and cybersecurity experts remains essential. The agency continues operating evaluation programs where utilities can request assessments identifying vulnerabilities and receive risk mitigation templates and provides resources through its Water Sector Cybersecurity Program, including the "Top 8 Cyber Actions for Securing Water Systems."
The challenge ahead involves not just implementing better practices but transforming water sector culture to recognize cybersecurity as foundational rather than optional. As Kramer noted, "Guarding against cyberattacks is central to this mission" of ensuring every American has access to clean and safe water.
The tools released this week provide frameworks that utilities desperately need. Whether they prove sufficient against adversaries already inside systems, already mapping infrastructure, and already preparing for potential large-scale disruption depends entirely on how quickly the sector can move from awareness to implementation—turning checklists into daily practice before the next headline incident forces reactive crisis management.