America’s water and wastewater utilities rely on the Environmental Protection Agency for cybersecurity support and guidance. With the EPA’s funding on the Trump Administration’s chopping block, America’s water sector may be left to fend for itself — at the worst possible time.
By Shannon Pierson, Senior Fellow of Public Interest Cybersecurity, UC Berkeley Center for Long-Term Cybersecurity
The Environmental Protection Agency (EPA) is the federal government’s designated lead for managing cyber risk and ensuring the cyber resilience of America’s water and wastewater infrastructure.
But just as cyber threats to the US water system are escalating — led by state-backed hacking groups in Iran, Russia, and China pre-positioning themselves within water system networks to disrupt services or damage facilities in the event of a geopolitical conflict with the US — the EPA’s ability to respond to these efforts is being threatened by budget cuts.
In March 2025, EPA Administrator Lee Zeldin pledged to slash agency spending by 65 percent, a move that could gut the EPA’s ability to carry out its mandates for cybersecurity support and enforcement of standards compliance. The Trump Administration’s proposed budget cuts come at a time when America’s water sector is experiencing unprecedented strain from increased targeting by state-sponsored hacking groups, cybercriminal ransomware gangs, and hacktivists — in addition to issues arising from aging infrastructure and rising water demands.
The EPA’s Cyber Role in the Water Sector
The EPA has served as the sector risk management agency (SRMA) for the water sector since 2013; the agency is responsible for leading efforts to safeguard the integrity and reliability of drinking water, including by protecting critical assets, systems, and networks from cyber threats.
As part of its management of water and wastewater facilities, the EPA:
- Provides and facilitates technical cybersecurity assistance and evaluations;
- Offers guidance to facilities for building out their cyber programs;
- Provides federal funding for cybersecurity improvements; and
- Enforces and certifies compliance with Section 1433 of the Safe Drinking Water Act (SDWA), which requires community water systems serving more than 3,300 people to (1) conduct risk and resilience assessments and (2) create emergency response plans addressing cyber incidents.
Water systems’ compliance with these regulations tends to be poor. In March 2024, the EPA issued an “enforcement alert” claiming that 70 percent of the water systems inspected by the agency since 2023 were in violation of the cybersecurity standards established in SDWA’s Section 1433.
Although the second Trump Administration is looking to cut funding to the EPA and offload responsibility for critical infrastructure cybersecurity onto states, the certification responsibilities under Section 1433 cannot currently be delegated to state authorities under the existing law.
The EPA has tried to expand its cybersecurity oversight of the water sector but has faced resistance. For example, in March 2023, the agency attempted to require states to submit cybersecurity audits of water systems, but the rule was withdrawn following legal challenges from Missouri, Arkansas, Iowa, and several major water associations, which argued that the EPA was overstepping its legal authority.
A Sector in Crisis
The US water sector consists of a vast series of networks of over 152,000 privately and publicly owned water systems. These include more than 50,000 community water systems that deliver safe, reliable drinking water to households year-round, as well as 16,000 wastewater facilities that provide treatment services for hundreds of millions of Americans.
Yet most water utilities, particularly those serving small communities, are under-resourced and have suffered from decades of underinvestment. They often lack the funding necessary to modernize their aging facilities and legacy technology, let alone hire cybersecurity personnel or invest in developing stronger cybersecurity capabilities.
As a result, only 20 percent of US water and wastewater systems maintain basic levels of cyber hygiene. A March 2024 EPA report revealed pervasive cybersecurity failures across the sector, including widespread failures to change default passwords, revoke access for former employees, conduct adequate risk and resilience assessments, or develop emergency response plans for cyber incidents. Some utilities even relied on shared login credentials for all staff, increasing the risk that a stolen password could compromise important systems.
These risky cybersecurity practices threaten America’s water supply, the lifeblood of our communities, economy, and public health systems. Many critical industries cannot function without a steady supply of water. For example, healthcare facilities like hospitals and medical clinics depend on a reliable water supply for instrument sterilization and medical treatments. These facilities can experience total operational failure in under two hours without access to water, cutting off care for sick patients.
Even brief disruptions in the water sector can create ripple effects across critical sectors, resulting in major financial losses nationwide. The US Water Alliance estimates that a single day of downtime in US water service could result in $43.5 billion in lost economic activity and a $22.5 billion decline in GDP.
Cyberattacks on water utilities are known to cause operational disruptions, ranging in severity from business operation interruptions to more serious (but rare) incidents that threaten water delivery to communities. At the milder end of the impact spectrum, cyber incidents can lead to outages in water utilities’ phone and business systems, causing customer call center shutdowns, customer appointment rescheduling, and restricted access to billing systems and payment platforms. More significant impacts can force utilities to revert to manual operations, which are slower, introduce human error, and are more costly.
The most severe cyber incidents in the water sector involve disruptions to operational technology (OT), the systems and sensors that control and regulate equipment for physical processes like water treatment and distribution. These include programmable logic controllers (PLCs), human-machine interfaces (HMIs), and supervisory control and data acquisition (SCADA) systems — technologies engineered for functionality and reliability, often without consideration for cybersecurity.
Many of these systems were built and deployed decades ago, when cyber threats were far less sophisticated. They often lack the security features found in modern operating systems, making them far more challenging to secure. Additionally, OT systems, unlike IT systems, cannot frequently update software or install security patches because such upkeep must be scheduled during specific maintenance windows to ensure service availability and minimize operational downtime. As a result, vulnerabilities within these systems can be left unpatched for months or years.
Nation-state Actors are Targeting US Water Infrastructure
Water utilities are embedded in the supply chains of every other critical infrastructure sector. This interdependence, and utilities’ general unpreparedness, make water systems low-hanging fruit for cybercriminals and nation-state actors intent on making a profit, sowing chaos by causing disruptions, or strategically pre-positioning themselves to harm Americans.
Attacks by malicious actors on U.S. water systems are not just hypothetical. Recent attacks showcase how dangerous it can be when malicious actors can manipulate the systems controlling our water supply. For example, in 2023, an attack by a pro-Iran hacking group compromised and took offline an internet-enabled controller used to maintain water pressure for a private group water scheme in Ireland, leaving 160 households without water for two days. And in 2024, a Russia-affiliated hacktivist group remotely accessed the SCADA system at a water utility in Muleshoe, Texas, causing a water tank to overflow for approximately 40 minutes.
The latest threat emanates from Volt Typhoon, a Chinese state-sponsored hacking group that targets US critical infrastructure, including water utilities. Microsoft security researchers discovered Volt Typhoon in 2023, although some speculate that these hackers’ activity dates back to 2021 or earlier.
CISA, NSA, and FBI assess that the group is pre-positioning itself via covert living off the land (LOTL) techniques within water system IT networks to facilitate lateral movement to OT assets and cause service disruptions and/or facility damage in the event of a geopolitical conflict with the US.
In 2024, the EPA warned that cyberattacks on the US water system by threat actors from Iran, Russia, and China had reached levels requiring stronger enforcement measures, and that protective actions are vitally necessary. With EPA funding on the chopping block for the Trump Administration, the agency’s capacity to proactively respond to these threats is at risk.
The EPA is Imperfect but Indispensable to the Cybersecurity of the Water Sector
The EPA still has improvements to make on its oversight of water sector cybersecurity. A report from the EPA’s Office of Inspector General, which provides oversight of the EPA in its role as an SRMA, found that the EPA did not have a system in place for water utilities to report cyber incidents directly to their agency, instead relying upon CISA to supply this type of information. The agency also lacks formal policies and procedures for coordinating with CISA and other federal, state, and local entities on emergency response, security planning, and mitigation strategies.
However, these shortcomings do not justify defunding the EPA’s cybersecurity work in the water sector. The cyber threats facing water systems are growing, and weakening the agency at a time of heightened risk will only exacerbate the sector’s vulnerability. Oversight is already being weakened. In January, EPA Inspector General Sean O’Donnell was dismissed, casting doubt on whether the agency’s SRMA duties will continue to be effectively monitored for performance.
The EPA is the agency best positioned to continue and expand federal cybersecurity support for the nation’s critical water systems. The EPA offers sector-specific expertise and is home to field experts who understand the balance of cybersecurity with other water sector priorities. For over 50 years, the agency has been stewarding relationships with public and private actors throughout a decentralized water sector — relationships it leverages to meaningfully improve their collective cybersecurity posture.
If we’re serious about defending water infrastructure from cyber threats, we need to give the EPA the resources it needs to do its job — and do it well.
About the Author

Shannon Pierson serves as the Senior Fellow of Public-Interest Cybersecurity at UC Berkeley’s Center for Long-Term Cybersecurity, where she conducts flagship research on defending low-resource organizations like nonprofits, municipalities, and schools from cyber attacks. Shannon also organizes the annual Cyber Civil Defense Summit, a mission-based gathering of cybersecurity academics, policymakers, White House officials, hackers, and industry experts working to protect the nation’s critical infrastructure from cyber attacks. She previously worked on Meta’s Integrity, Investigations, and Intelligence (i3) team and has consulted for Microsoft and other major technology companies. She has also conducted cybersecurity policy research at leading think tanks and research institutions, including the Helmholtz Center for Information Security, the German Marshall Fund, the Wilson Center, and the University of Cambridge’s Centre for Technology & Democracy.