Cyberattacks increasingly threaten America’s water and wastewater systems, operators and experts told a Senate panel on Feb. 4.
“Cyberincidents” have increased over the past 18 months since the issuance of a Government Accountability Office report in August 2024 that found that 14 percent of the nation’s 170,000 water and wastewater systems—nearly 24,000—had reported at least one cyberincident during the previous three months, up from 11.5 percent during the same period the year before.
These pose a glaring risk to Americans, water utility managers told a Senate Environment and Public Works Committee hearing, especially to those who tap into small water districts that fall below federal cybersecurity compliance standards and do not have the resources to thwart increasingly sophisticated ransomware and cyberattacks.
“The vast majority of water and wastewater systems in this country serve communities of 10,000 people or less,” said Matt Odermann, executive board member of the North Dakota Rural Water Systems Association. “We have the same responsibility as large water utilities to deliver safe drinking water every second of every day.
“The difference for us is scale. Small systems operate with limited staff, limited revenue, and limited technical capacity. Most do not have in-house cybersecurity personnel. Protecting small systems must be a national security priority.
“With the right balance of partnership, practical guidance, and resources, we can strengthen cybersecurity across America’s water infrastructure not through fear, but through collaboration and resilience.”
Odermann was speaking on behalf of the National Rural Water Association, which represents 31,000 small water utilities across the country.
D. Scott Simonton, professor at the Marshall University Institute for Cyber Security, and Scott Dewhirst, deputy general manager at Fairfax Water in Fairfax, Virginia, also suggested ways that Congress can assist water providers in enhancing “basic cyberhygiene.”
Recommendations include upgrading multi-factor authentication, segmentation, vendor oversight, incident response, secure remote access, log-in protocols, micro-credential training, risk mitigation tools, and best practice standards.
Simonton said “a circuit rider-style cybersecurity program” for rural utilities, modeled after the Department of Agriculture’s Technical Assistance Program and using staffers, students, and volunteers to physically check water infrastructure, has proven cost-effective for small operations.
Marshall University’s Institute for Cyber Security trains and works with 14 National Guard cyberunits, according to him.
“We help ensure cybersecurity is integrated into the system design, not added after the fact,” he said. “These engagements demonstrate what works: practical, repeatable assistance delivered where operators actually work.”
Simonton also called on water and wastewater systems that serve fewer than 3,300 taps to voluntarily adopt Safe Drinking Water Act requirements even though they fall below the population threshold for mandating compliance.
Recommendations
Dewhirst, speaking on behalf of the Association of Metropolitan Water Agencies, which represents 50,000 larger water systems nationwide, said it will take money and monitoring to bolster cybersecurity for municipal utilities.
Under 2021’s Bipartisan Infrastructure Law, at least $50 billion has been authorized for the Environmental Protection Agency to allocate to mid-size and large water system infrastructure, infrastructure resilience, and sustainability programs, but “these programs have received minimal funding,” he said.
“Congress should commit to providing adequate funding to help water systems meaningfully invest in the software upgrades … [and] security personnel, and enhance threat detection and monitoring procedures,” Dewhirst said.
He called for “targeted grant funding for cyberresilience, ensuring that state and local governments are well-resourced, and mapping out implementable minimum federal cybersecurity standards.”
Federal agencies should coordinate more closely with the Water Information Sharing and Analysis Center, a nine-member, nonprofit board representing metropolitan and regional utilities, according to him. Lawmakers should create a “water risk and resiliency organization” composed of cyberexperts and water system operators modeled after the North American Electric Reliability Corp., he said.
“This organization would work in partnership with the [Environmental Protection Agency] to ensure water systems of all sizes secure themselves against cyberthreats while avoiding the unworkable one-size-fits-all mandates,” Dewhirst said.
Odermann recommended five principles that Congress and federal regulators should follow when working with small, rural water operations.
“First, lead with assistance, not enforcement,” he said. “Adoption is stronger when cybersecurity is delivered as support, not primarily as a compliance obligation.
“Second, fund any mandate. Cybersecurity requires hardware, software, training, and staff time for small systems. Even $1,000 can be a barrier.
“Third, focus on foundational controls. Many systems struggle more with phishing, weak passwords, and legacy equipment, rather than nation-state threats.”
Fourth, Odermann advised water managers to “rely on established, trusted partners.”
“Guidance delivered through organizations that utilities already rely on is more likely to be implemented,” he said.
“And fifth, recognize diversity. A system serving 800 people with two employees cannot be treated the same as a large utility.”
Friends Read Free
Copy
Facebook
Tweet
