Cybersecurity Risks Rising for Water Utilities In early March 2026, the U.S. Environmental Protection Agency (EPA) issued the following alert to ensure water system owners and operators take necessary steps to strengthen their utility's cybersecurity measures in light of activities in the middle east: "Iranian government–affiliated and aligned cyber actors have previously demonstrated the ability to exploit internet‑exposed operational technology devices at U.S. water and wastewater systems, in some cases forcing temporary reversion to manual operations and causing operational impacts. EPA urges utilities to adopt a heightened security posture and promptly report suspicious activity to CISA and the FBI. Mitigations All drinking water and wastewater systems are strongly encouraged to implement the following mitigations immediately to enhance resilience against low-level cyberattacks: Reduce Operational Technology Exposure to the Public-Facing Internet Replace All Default Passwords on Operational Technology Devices with Strong, Unique Passwords Implement Multifactor Authentication for Remote Access to Operational Technology Devices Systems that outsource technology support may need to consult with their service providers for assistance with these mitigations. In addition to these immediate actions, drinking water and wastewater systems are encouraged to adopt the actions outlined in the CISA, EPA, and FBI Top Cyber Actions for Securing Water Systems Fact Sheet to further reduce cyber risk and improve resilience against malicious cyber activity. If you have questions about any of the information in this alert, including assistance with the mitigation steps, submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector. Organizations are encouraged to report information concerning suspicious or criminal activity to FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System." Additionally, a new WaterISAC report breaks down the repeatable tactics these actors use to gain access, stay hidden, and cause disruption. This is often accomplished by exploiting weak credentials, using phishing emails, and taking advantage of unpatched systems rather than through sophisticated malware. The report highlights how attackers increasingly abuse legitimate tools, cloud services, and trusted access to blend into normal operations, with a growing emphasis on identity based attacks and large scale disruptive campaigns. It also outlines practical, utility focused mitigations aligned with WaterISAC’s 12 Fundamentals to help organizations reduce risk right now. Read the full report for a deeper look at real world tactics, recent incidents, and clear steps utilities can take to strengthen their defenses. Want to turn these insights into practical knowledge you can use right away? We’ve got an easy place to start! Brush up on your cybersecurity knowledge, with our free, self-paced cybersecurity course. In just one hour, course participants will learn about water sector threats, basic cybersecurity measures, incident response, system resilience, and valuable resources, with the goal of fostering a culture of cybersecurity within their organizations. Regardless of the size of the water system, this course empowers everyone, from field workers to office staff, to contribute to maintaining a reliable and resilient water system. This course was developed with MassDEP funding through a partnership with UMass. The course content was created by Andrew Hildick-Smith. Please note that Massachusetts operators should take this version of the course. All students will receive a 1-hour class certificate for their participation. March 24, 2026 By Katelyn McLaughlin Emergency Response, Security, Water News cybersecurity, wastewater system cybersecurity, water system cybersecurity 0 0 Comment Read More »
October is Cybersecurity Awareness Month Cybersecurity is becoming increasingly critical for water and wastewater utilities as digital connectivity becomes more common. Now that more systems are linked than ever before, the threat of cyberattacks continues to grow. Staying informed and proactive is key so we’ve gathered a collection of resources designed to strengthen your cybersecurity awareness. The list below includes guidance from U.S. EPA and CISA, training recordings, and tools to help utilities assess and improve their cybersecurity knowledge. Explore these links to strengthen your utility’s defenses and ensure the continued safety and reliability of our water systems. Further Resources... Cybersecurity Trivia (docx) | U.S. EPA Spot The Phishing Email Test (docx) | U.S. EPA Is Your Utility Cyber Aware? | U.S. EPA Cybersecurity Assessments | U.S. EPA Incident Response Training | CISA Cybersecurity 101 Training for Water Systems Webinar Recording | U.S. EPA Cybersecurity Awareness Month 2023 Webinar Series | CISA Cyber Incident Reporting Factsheet | U.S. EPA Report Cybersecurity Incident Here | CISA Sign Up for EPA Water Sector Alerts Here | U.S. EPA Basic Cybersecurity Measures for Water and Wastewater Systems in Massachusetts -Virtual Course | WaterOperator.org, MassDEP Throughout October, EPA will host webinars to share sector-specific data and trends, providing tools, best practices, and training opportunities for water utilities, system operators, IT professionals, and local leaders. October 1, 2025 By Katelyn McLaughlin Emergency Response, Security, Technology cybersecurity, water system cybersecurity 0 0 Comment Read More »