In 2023, the hacker group “Cyber Av3ngers” linked to Iran targeted the water system of a town in Pennsylvania. In 2024, Russian-state-sponsored cybercriminals went after several water systems in Texas.
In March that same year, U.S. intelligence agencies warned that Volt Typhoon, linked to China, had breached multiple critical infrastructure systems, including drinking water, in the U.S. and its territories.
Water is not only vital to sustain the lives of millions of Americans but also central to the national economy.
But this is not the only reason why cyber warfare is being waged on the sector. A lack of modernization, chronic underinvestment, and outdated infrastructure make water a low-risk, high-reward prize in the cybercriminal underground.
On May 20, the U.S. Environmental Protection Agency (EPA) announced the findings of recent inspections shockingly revealing that 70% of inspected water systems in the U.S. have critical cybersecurity vulnerabilities and do not comply with the Safe Drinking Water Act.
EPA, FBI, and CISA Issue Water Cybersecurity Warnings
The EPA warned that attacks on national water systems have increased in frequency and damage. The situation has reached high levels of concern, and the EPA says that additional action is now “critical”.
Some of the weaknesses identified by the EPA reveal a concerning gap in basic cybersecurity knowledge, such as the use of default passwords that have not been updated or single logins that can easily be compromised.
The EPA called on all water providers to reduce their exposure to the public internet, change default passwords immediately, and conduct an inventory of operational technology (OT) and information technology (IT) assets and systems, among other things detailed in the CISA, EPA, FBI fact sheet “Top Cyber Actions for Securing Water Systems”.
Eric Knapp, CTO of OT at OPSWAT, a cybersecurity organization focused on protecting critical infrastructure, told Techopedia that CISA and other U.S. government agencies discovered that hackers’ access extended to the power grids, communications systems, and water supplies for military bases within the U.S. and abroad, showing an even more dire need for these water utilities to improve their cyber resilience.
“Water systems remain vulnerable for a few reasons, including outdated legacy systems, the use of interconnected networks, limited resources, and even a lack of enforced regulations.”
Water Suffers Cyber Threats and Risks Due to Decades of Security Neglect
Tom Kellermann, SVP of Cyber Strategy at Contrast Security, a security and development company helping organizations deploy secure code, spoke to Techopedia about the issue.
“The safety of the U.S. water supply is in jeopardy. Rogue nation states are frequently targeting these critical infrastructures, and soon we will experience a life-threatening event.”
In September 2023, the EPA Drinking Water Infrastructure Needs Survey and Assessment (DWINSA) found that the U.S. needs to spend $625 billion in the next 20 years to ensure water services across the nation.
The funds requested by the EPA would go to rehabilitating pipelines and infrastructure, reducing the potential of contamination, and works for storage systems, water rights, and wells. No funds are detailed in the survey to strengthen cybersecurity postures.
The EPA may also be asking for more than it will receive. Despite investing $7.5 billion in September 2023 and nearly $6 billion so far in 2024, the Biden-Harris administration has fallen short of funding water resilience by billions of dollars.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, a security awareness training company, spoke to Techopedia about gaps in water funding.
“No water treatment plant spends even 5% of their IT resources to mitigate those two huge problems. This isn’t a secret. It’s a mass delusion that we all understand.”
The State of Infrastructure and OT-IT Systems in the U.S.
Every four years the American Society of Civil Engineers releases the Report Card for America’s Infrastructure. While the next one is expected in 2025, the 2021 report reveals a concerning state of water infrastructure.
The drinking water sector got a C- and was described as “aging and underfunded”. Half of all maintenance works are reactive and done only once water systems fail. U.S. sanitation infrastructure, on the other hand, is in a worse situation with a score of D+.
Because water and sanitation systems are usually connected, an OT/IT cyber attack could potentially devastate drinking water through contamination.
John Price, former Counterintelligence and Security Consultant for the British Army and currently CEO of SubRosa, a cybersecurity and risk advisory firm based in Cleveland, Ohio, spoke to Techopedia about the state of U.S. water.
“The infrastructure and IT systems of many American water providers are often outdated and lack the necessary cybersecurity measures to withstand modern threats.”
Worst-Case Scenario: Water-Sanitation Cyberattack in the U.S.
Many in the cybersecurity industry cannot shake the feeling that a massive cybersecurity incident will be needed for real change to occur. Price spoke about this issue.
“The worst-case scenario for a cyberattack on U.S. water and sanitation systems would likely involve a multi-faceted disruption causing widespread contamination and service interruption.”
Price explained that if hackers were to gain control over the operational technology that manages water treatment and distribution, they could alter chemical dosing levels to create health hazards or shut down pumps to halt water supply entirely.
“Such an attack could lead to health emergencies, civil unrest, and significant economic impacts as communities struggle to manage without one of their most critical resources,” Price added.
IT and Cybersecurity Funding Absent in Budgets
Price explained that historically, there has been low cybersecurity investment in public utility sectors compared to other critical infrastructure sectors. Many systems still rely on legacy technology that does not support newer security practices, making them vulnerable to cyberattacks.
“Efforts are ongoing to assess and improve these systems, but progress varies widely across regions and depends heavily on available funding and prioritization,” Price said.
Price added that the work to fix vulnerabilities demands substantial investment.
“Given the scale of overhaul needed, it is likely that water providers will require both federal and state investments to implement necessary cybersecurity and infrastructure upgrades.”
This financial burden could potentially be passed on to consumers through higher water and sanitation service prices. Federal grants or subsidies might be needed to buffer these costs to ensure that essential water services remain affordable for all citizens.
The Most Vulnerable States: California, Texas, New York
Environmental issues such as drought or storms capable of causing damage, population numbers, regional activities (such as agriculture), and the condition of OT-IT infrastructure are all factors that contribute to U.S. water resilience. However, these conditions are not equal for every state, with some more vulnerable to attacks than others.
Naturally, states with higher populations have the most need for water infrastructure investment. The EPA's survey found that California and Texas combined account for almost a quarter of the total investment of $625 billion identified by the EPA's DWINSA.
Additionally, medium-sized water systems, which represent only approximately 12% of the country’s total, are in crisis as they require 44% of the total financing.
Besides California and Texas (which need $144.77 million combined), states like New York ($35.15 billion) and Florida ($26.75 billion) top the list alongside Pennsylvania — already targeted by attackers — Illinois, North Carolina, Washington, and others.
“States that would suffer most from disruptions in water services include those in agricultural hot zones like California and the Midwest, where water demand is high for crop irrigation,” Price said.
Additionally, drought-stricken areas such as parts of Texas and the Southwest are particularly vulnerable because they have limited water sources and rely heavily on consistent water supply.
“Large metropolitan areas, particularly those with aging infrastructure like New York or Chicago, would also face significant challenges due to the high population density and the massive scale of potential impact.”
The Bottom Line
While predicting which water systems will be targeted by cyberattacks next is impossible, cybersecurity concepts can help identify those most at risk.
The age and overall health of the infrastructure play a crucial role. Outdated equipment combined with a lack of cybersecurity awareness creates significant vulnerabilities. Water systems connected to sanitation systems pose an even higher risk.
A cyberattack on these systems could disrupt critical sanitation processes, leading to potential contamination events. Additionally, water systems linked to critical infrastructure, government functions, agriculture, and large populations are prime targets for attackers seeking widespread disruption.
By analyzing these factors, high-value assets can be identified. These systems should be prioritized for robust cybersecurity measures to protect them from potential attacks.