
WaterOperator.org Blog

Cybersecurity Risks Rising for Water Utilities


In early March 2026, the U.S. Environmental Protection Agency (EPA) issued the following alert to ensure water system owners and operators take the necessary steps to strengthen their utility's cybersecurity measures in light of activities in the Middle East:

"Iranian government–affiliated and aligned cyber actors have previously demonstrated the ability to exploit internet‑exposed operational technology devices at U.S. water and wastewater systems, in some cases forcing temporary reversion to manual operations and causing operational impacts. EPA urges utilities to adopt a heightened security posture and promptly report suspicious activity to CISA and the FBI.

Mitigations

All drinking water and wastewater systems are strongly encouraged to implement the following mitigations immediately to enhance resilience against low-level cyberattacks:

  • Reduce Operational Technology Exposure to the Public-Facing Internet 
  • Replace All Default Passwords on Operational Technology Devices with Strong, Unique Passwords 
  • Implement Multifactor Authentication for Remote Access to Operational Technology Devices 

Systems that outsource technology support may need to consult with their service providers for assistance with these mitigations. 

In addition to these immediate actions, drinking water and wastewater systems are encouraged to adopt the actions outlined in the CISA, EPA, and FBI Top Cyber Actions for Securing Water Systems Fact Sheet to further reduce cyber risk and improve resilience against malicious cyber activity.

If you have questions about any of the information in this alert, including assistance with the mitigation steps, submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector. Organizations are encouraged to report information concerning suspicious or criminal activity to FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System."

Additionally, a new WaterISAC report breaks down the repeatable tactics these actors use to gain access, stay hidden, and cause disruption. This is often accomplished by exploiting weak credentials, using phishing emails, and taking advantage of unpatched systems rather than through sophisticated malware.

The report highlights how attackers increasingly abuse legitimate tools, cloud services, and trusted access to blend into normal operations, with a growing emphasis on identity-based attacks and large-scale disruptive campaigns. It also outlines practical, utility-focused mitigations aligned with WaterISAC’s 12 Fundamentals to help organizations reduce risk right now.

Read the full report for a deeper look at real-world tactics, recent incidents, and clear steps utilities can take to strengthen their defenses.

Want to turn these insights into practical knowledge you can use right away? We’ve got an easy place to start! 

Brush up on your cybersecurity knowledge with our free, self-paced cybersecurity course.

In just one hour, course participants will learn about water sector threats, basic cybersecurity measures, incident response, system resilience, and valuable resources, with the goal of fostering a culture of cybersecurity within their organizations. 

Regardless of the size of the water system, this course empowers everyone, from field workers to office staff, to contribute to maintaining a reliable and resilient water system.

This course was developed with MassDEP funding through a partnership with UMass. The course content was created by Andrew Hildick-Smith. Please note that Massachusetts operators should take this version of the course.

All students will receive a 1-hour class certificate for their participation.