Cybersecurity Risks Rising for Water Utilities

In early March 2026, the U.S. Environmental Protection Agency (EPA) issued the following alert to ensure water system owners and operators take necessary steps to strengthen their utility's cybersecurity measures in light of activities in the middle east:

"Iranian government–affiliated and aligned cyber actors have previously demonstrated the ability to exploit internet‑exposed operational technology devices at U.S. water and wastewater systems, in some cases forcing temporary reversion to manual operations and causing operational impacts. EPA urges utilities to adopt a heightened security posture and promptly report suspicious activity to CISA and the FBI.

Mitigations

All drinking water and wastewater systems are strongly encouraged to implement the following mitigations immediately to enhance resilience against low-level cyberattacks:

• Reduce Operational Technology Exposure to the Public-Facing Internet 

• Replace All Default Passwords on Operational Technology Devices with Strong, Unique Passwords 

• Implement Multifactor Authentication for Remote Access to Operational Technology Devices 

Systems that outsource technology support may need to consult with their service providers for assistance with these mitigations. 

In addition to these immediate actions, drinking water and wastewater systems are encouraged to adopt the actions outlined in the CISA, EPA, and FBI Top Cyber Actions for Securing Water Systems Fact Sheet to further reduce cyber risk and improve resilience against malicious cyber activity.

If you have questions about any of the information in this alert, including assistance with the mitigation steps, submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector. Organizations are encouraged to report information concerning suspicious or criminal activity to FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System."

Additionally, a new WaterISAC report breaks down the repeatable tactics these actors use to gain access, stay hidden, and cause disruption. This is often accomplished by exploiting weak credentials, using phishing emails, and taking advantage of unpatched systems rather than through sophisticated malware.

The report highlights how attackers increasingly abuse legitimate tools, cloud services, and trusted access to blend into normal operations, with a growing emphasis on identity based attacks and large scale disruptive campaigns. It also outlines practical, utility focused mitigations aligned with WaterISAC’s 12 Fundamentals to help organizations reduce risk right now.

Read the full report for a deeper look at real world tactics, recent incidents, and clear steps utilities can take to strengthen their defenses.

Want to turn these insights into practical knowledge you can use right away? We’ve got an easy place to start! 

Brush up on your cybersecurity knowledge, with our free, self-paced cybersecurity course.

In just one hour, course participants will learn about water sector threats, basic cybersecurity measures, incident response, system resilience, and valuable resources, with the goal of fostering a culture of cybersecurity within their organizations. 

Regardless of the size of the water system, this course empowers everyone, from field workers to office staff, to contribute to maintaining a reliable and resilient water system.

This course was developed with MassDEP funding through a partnership with UMass. The course content was created by Andrew Hildick-Smith. Please note that Massachusetts operators should take this version of the course.

All students will receive a 1-hour class certificate for their participation.

October is Cybersecurity Awareness Month

Cybersecurity is becoming increasingly critical for water and wastewater utilities as digital connectivity becomes more common. Now that more systems are linked than ever before, the threat of cyberattacks continues to grow. Staying informed and proactive is key so we’ve gathered a collection of resources designed to strengthen your cybersecurity awareness.

The list below includes guidance from U.S. EPA and CISA, training recordings, and tools to help utilities assess and improve their cybersecurity knowledge. Explore these links to strengthen your utility’s defenses and ensure the continued safety and reliability of our water systems.

Further Resources...

• Cybersecurity Trivia (docx) | U.S. EPA
• Spot The Phishing Email Test (docx) | U.S. EPA
• Is Your Utility Cyber Aware? | U.S. EPA
• Cybersecurity Assessments | U.S. EPA
• Incident Response Training | CISA
• Cybersecurity 101 Training for Water Systems Webinar Recording | U.S. EPA
• Cybersecurity Awareness Month 2023 Webinar Series | CISA
• Cyber Incident Reporting Factsheet | U.S. EPA
  • Report Cybersecurity Incident Here | CISA
• Sign Up for EPA Water Sector Alerts Here | U.S. EPA
• Basic Cybersecurity Measures for Water and Wastewater Systems in Massachusetts -Virtual Course | WaterOperator.org, MassDEP

Throughout October, EPA will host webinars to share sector-specific data and trends, providing tools, best practices, and training opportunities for water utilities, system operators, IT professionals, and local leaders.

Cybersecurity Tips for Water and Wastewater Utilities

October is Cybersecurity Awareness Month! The water sector can protect its infrastructure, maintain public trust, and ensure the safety and reliability of its services by prioritizing cybersecurity. U.S. EPA has provided some tips on how to avoid cybersecurity threats and keep your utility secure. These tips are outlined below:

​Passwords

Passwords should be at least 12 characters long, unique for each account, and complex. To make a secure password you should incorporate a mix of uppercase & lowercase letters, numbers, and special characters. 

If your passwords meet these criteria, they generally only need to be changed if they are compromised. It can be challenging to remember multiple passwords, so use a password manager to help.

Multi-factor Authentication (MFA)

MFA involves using multiple methods to verify a user’s identity, going beyond a simple login. Verification methods can include something you know, such as a password or PIN; something you are, like a fingerprint or facial scan; and something you have, like a key card or security token.

Phishing

Phishing occurs when criminals use fake emails or social media posts to trick users into clicking on malicious links, which can then install malware onto the system. 

To identify phishing attempts, ask yourself: Is it too good to be true? Does it request personal information? Does the sender’s email address match who they claim to represent? Are there any spelling or grammar errors?

If you detect a phishing attempt, report it to your IT manager or security team as quickly as possible. Do not click on any links, delete the email, and use the “Report Phishing” function in your email (if available.)

Update Software

Updating software, or patching, involves installing updates released by the manufacturer to close known vulnerabilities and provide the latest features. Enabling automatic updates ensures updates are installed as soon as they are released, though a system restart is usually required. If automatic updates aren’t possible, regularly check for updates manually and create a schedule to make this a habit.

Be cautious of fake update pop-ups that urgently demand downloads, as these can lead to malware. If you encounter such pop-ups, run a scan to check for malware.

By implementing these cybersecurity tips, you can significantly enhance your protection against cyber threats. Remember, staying informed and vigilant is key to safeguarding your utility.

Cybersecurity Threats: Lessons Learned from WaterISAC

In July of 2024, WaterISAC sent out an advisory to its members advising them to take caution when opening emails from seemingly "trusted" sources. This was sent after WaterISAC was made aware of a second phishing attempt against Maine water operators and well drillers that was disguised as an information verification form from Maine.gov. 

A screenshot of the attempted phishing email is shown below:

Now that phishing attempts are so common across the water sector, it is important to be vigilant when opening emails and clicking any links within. WaterISAC provided a list of lessons that can be learned from incidents like this, as well as resources to help water and wastewater systems get guidance on how to strengthen cybersecurity measures. These lessons and resources are shared below:

Lessons Learned

• Share Information on Threats. In these cases, state agencies quickly sent out a broadcast alert to targeted audiences warning of the phishing attempt.
• Open-Source Intelligence (OSINT).  There is a lot of information on the internet about our water systems. It is useful to know what public information is available. In some cases, detailed and sensitive information can be removed. In other cases, the information is intentionally part of the public record. Therefore, we need to be aware of this class of data so we are not fooled into trusting whoever has it because we believe only privileged sources have access to it.
• Practice Phishing Drills. Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. CISA has free resources to assist, such as, Teach Employees to Avoid Phishing.
• Not Sure, Call. If you are not sure that the source of an email is legitimate, call the supposed sender through previously established phone numbers to confirm the request’s validity.
• Fall for a Phish, Contact Your IT Department. If you realize after the fact that you fell for a phishing email, or you think you might have, call your information technology group to find out what to do. Everyone except the attacker, will be glad you did.

Additional Water and Wastewater Systems Sector Guidance Resources:

• Recognize and Report Phishing | CISA
• Cybersecurity Fundamentals for Water and Wastewater Utilities | WaterISAC
• Top Cyber Actions for Securing Water Systems | CISA
• Water and Wastewater Sector - Incident Response Guide | CISA
• CISA's Free Cyber Vulnerability Scanning for Water Utilities | CISA
• Water and Wastewater Cybersecurity | CISA

Water Security/ Emergency Response Guides

Water and wastewater utilities are responsible for taking action to protect their infrastructure, security practices should be incorporated into a utility's everyday business functions. Activities such as fence-cutting and lock-picking (often dismissed as harmless) may be indications of more serious threats to a water or wastewater system. Utilities must be prepared to respond to this type of threat, as well as a wide range of other emergencies, including natural disasters and cyberattacks. Improved security preparations provide for a more effective and efficient response from your utility.

We have 1,220 resources (and counting) on Water Security/ Emergency Response in our Documents Database that provide valuable information on this topic. You can search for documents like a Community Water System Emergency Response Plan template, U.S. EPA's Water Cybersecurity Assessment Tool (WCAT), and guides on hazard mitigation for natural disasters, and many other useful guides that will help you to deliver safe and clean water to utility customers. 

To access the wealth of knowledge on Water Security/ Emergency Response within our database just select "CATEGORY" in the dropdown then choose "Water Security/ Emergency Response." Once you make that selection, a second dropdown will appear where you can choose "HOST," “TYPE,” or “STATE” to narrow the search even further. If you have a specific search term in mind, use the “Keyword Filter” search bar on the right side of the screen.

This is part of our A-Z for Operators series.

Webinar Recording: Cybersecurity for Wastewater Operators

Watch this webinar recording to discover some of the most helpful cybersecurity resources and to learn how to use our search tools at WaterOperator.org to find additional resources and training events. This is the first webinar in our new series for wastewater operators!

The webinar answers questions such as:

• What is WaterOperator.org and how is it a useful tool for wastewater professionals?
• What are the best resources we have relating to cybersecurity in the water and wastewater sector?
• How can you find more cybersecurity resources and other similar resources on WaterOperator.org?

This free series will cover topics relevant to wastewater operators, including funding, asset management, compliance, and water quality. Upcoming events in the series include:

• Source Water Protection for Communities with Decentralized Wastewater (April 23)
• Funding Wastewater Infrastructure Projects (June 25)

Certificates of attendance for each session will be delivered upon request. Check with your certification body for acceptance criteria.

Here is the recording of the first webinar, held in February 2024. We cannot provide certificates of attendance for watching the webinar recording.

Resources and Tools to Help Secure Your Utility's Infrastructure

Infrastructure Security Month is held annually in November to promote the vital role of critical infrastructure and to remind us why it is important to strengthen the security and resilience of America's critical infrastructure. Below are some useful resources and tools to help your utility secure your infrastructure and increase resilience to natural disasters and malevolent acts that threaten the water sector.

Water Contaminant Information Tool (WCIT)
WCIT is a secure database containing information on priority contaminants of concern for drinking water and wastewater systems to help systems prepare for, respond to, and recover from contamination incidents.

Creating Resilient Water Utilities (CRWU)
CRWU initiative assists drinking water and wastewater utilities in building resilience to climate impacts.

Resilient Strategies Guide for Water Utilities
The Resilient Strategies Guide introduces drinking water, wastewater, and stormwater utilities to the adaptation planning process. Utilities can use the Guide to identify their planning priorities, vulnerable assets, potential adaptation strategies and available funding sources.

Incident Action Checklists for Water Utilities
These 12 checklist templates help with emergency preparedness, response and recovery activities. Incidents include wildfires, flooding, power outages, cybersecurity, and more. 

Federal Funding for Water and Wastewater Utilities in National Disasters (Fed FUNDS)
Fed FUNDS provides information tailored to water and wastewater utilities on federal disaster and mitigation funding programs from FEMA, USDA, EPA, HUD, SBA, and USBR.

EPA Mandates Cybersecurity Reporting for the Water Sector

Public water systems are increasingly at risk from cyberattacks that threaten public health. U.S. EPA has issued new guidance that states are required to evaluate and report on cybersecurity threats for systems that use industrial control systems or other operational technology.

“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable," said EPA Assistant Administrator Radhika Fox. “Cyberattacks have the potential to contaminate drinking water.”

This expectation is outlined in a memo that interprets sanitary survey requirements, accompanied by a detailed guidance document aimed at state programs and technical assistance providers. It was released as part of the Biden administration's updated National Cybersecurity Strategy. 

U.S. EPA offers resources that can help water systems understand and address cyber vulnerabilities including this video on basic cybersecurity concepts that can be used by water systems as a part of an annual cybersecurity training program. Our database on WaterOperator.org also has resources on this topic, including this 56-page guide from WaterISAC on cybersecurity best practices to reduce exploitable weaknesses and attacks.

Defend Your Water System Against Drought

Many states across the United States are currently experiencing one of the worst droughts in American history. Some are even experiencing a "megadrought", meaning that they have been experiencing drought conditions for many years. Climate change also exacerbates drought conditions by increasing the average global temperature and causing irregular weather patterns. Westerns states such as California, Arizona, Montana, Nevada, New Mexico, and Idaho are experiencing some of the most extreme effects. Drought is particularly devastating because it is slow coming but its effects are widespread.

Increased drought conditions can result in:

• Loss of water pressure and supply 
• Poor water quality 
• Limited access to alternative water sources 
• Increased customer demand 
• Increased costs and reduced revenues 

For example, in Nevada, the drought has had disastrous impacts on Lake Mead, the largest water reservoir in the United States that currently provides water for over 20 million people across California, Nevada, Arizona, and some of Mexico. The reservoir is now at the lowest it has been since it was filled in 1937 and the situation is so extreme that the federal government is expected to declare an official Lake Mead shortage by the end of the summer. Drought can also negatively impact drinking water providers that rely on lakes because they can increase the number of algal blooms in freshwater. Algal blooms not only contain chemicals that are toxic to humans but large amounts of algae can also clog water filters and damage the water treatment process. 

A total of 31 states are currently experiencing moderate to severe drought across the country. Research also shows that the drought has become progressively worse over the past few decades. The U.S. Drought Monitor website has a feature that allows you to monitor the level of drought happening in your area.

Like most natural disasters, rural and low-income communities are often hit the hardest by drought conditions because of their lack of access to resources and infrastructure. Rural farmers are also greatly impacted by drought because of the lack of water available for irrigation, making it very difficult to support themselves. 

Droughts are a public health issue because they affect access to clean and safe drinking water. Practicing emergency response and preparedness is the best way to minimize severe impacts from drought. To avoid serious impacts from droughts, water utilities should:

1. Conduct observation and monitoring 
2. Practice planning and preparedness  
3. Predict and forecast 
4. Maintain good communication and outreach with customers 
5. Use interdisciplinary research and applications 

Resources for Drought Assessment and Resilience

Incident Action Checklist – Drought
This checklist from the U.S. EPA provides various ways for water and wastewater utilities to prepare for, respond to, and recover from a drought. 

10 Ways to Prepare for a Drought Related Water Shortage
This resource from the Rural Community Assistance Partnership lists ten ways to prepare your small water system for water shortages.

Small Water Systems and Rural Communities Drought and Water Shortage Contingency Planning and Risk Assessment
This report can be used to help strengthen your water shortage vulnerability assessments and risk scoring. 

Drought Contingency Plan for a Retail Public Water Supplier
This is a sample form that can be used as a model of a drought contingency plan for a retail public water supplier. 

Drought Management Plan A Template for Small Water Systems
This document outlines mitigation measures that water managers can take to greatly minimize the effects of drought. 

100 Water Saving Tips from “Water. Use it wisely.” 
Communicate some of these water-saving tips to your customers to help them conserve water during a drought. 

AWIA Section 2013 Compliance Check

Small community drinking water systems (CWSs) that serve between 3,301 and 49,999 must submit Risk and Resilience Assessment (RRA) certifications by June 30, 2021 and an Emergency Response Plan (ERP) by December 21, 2021 in order to stay in compliance with America’s Water Infrastructure Act (AWIA). Certification must be completed every five years and the ERP updated within six months of that recertification. You can confirm if your water system is impacted by the AWIA on the U.S. EPA website. 

In this era of unpredictability, it is increasingly important to adapt water systems to the ever changing and intensifying events that threats like climate change pose. Building a strong water resilience plan is the best way to prepare yourself and your community against these events. In order to stay ahead of the game, utilities should conduct an assessment to reduce risk, plan for and practice responding to emergencies, and monitor systems for contaminants. 

The AWIA does not require utilities to use any specific tools or methods when conducting these assessments. It does however require utilities to meet all requirements listed in Section 2013 and throughout the act. The U.S. EPA also has more information on how to certify your risk and resilience assessment and your emergency response plan. There is also more information on our website about how to complete your RRA and ERP, as well as information about the AWIA Small Systems Certificate Program.