Facebook
Twitter
LinkedIn
EmailWater is critical for community life. Individuals and key facets of our communities alike require water to function – think hospitals, military bases, and foundational community hygiene capabilities. As states move to take on more of a leadership role in cybersecurity and protecting local critical infrastructure from digital risks, securing water and wastewater utilities will be crucial.
As states move to take on more of a leadership role in cybersecurity and protecting local critical infrastructure from digital risks, securing water and wastewater utilities will be crucial.
In the last year, numerous nation-state groups have targeted US critical infrastructure, including the water and wastewater sector. The recent China-backed Salt and Volt Typhoon campaigns against a broad range of US critical infrastructure, including water utilities, exemplify the specific and tangible cybersecurity threats we face as a nation. Last year, Iranian-backed cyberattacks on small water utilities outside of Pittsburgh, Pennsylvania also prompted higher scrutiny of water security by states and Congress. As global geopolitical tensions rise, these concerns become increasingly pertinent.
Amidst these rising threats, in 2024, the Environmental Protection Agency (EPA) warned of widespread cybersecurity vulnerabilities in our water utilities, finding that over 70% of inspected systems were in violation of Section 1433 of the Safe Drinking Water Act and thus needed to increase their focus on core security requirements. At the June 2025 Cyber Civil Defense Summit in Washington, DC, Brandon Carter of the EPA pointed out that many utilities still lack the resources to address these vulnerabilities.
How did our water systems become so vulnerable? The reality is that because water utilities are dependent on local political will to raise rates, these vital functions are chronically underfunded – particularly in communities with scarce overall resources. This leaves the provision of cyber knowledge and resources in water and wastewater facilities well below what cybersecurity expert Wendy Nather termed the “cyber poverty line.”
The reality is that because water utilities are dependent on local political will to raise rates, these vital functions are chronically underfunded – particularly in communities with scarce overall resources.
National Rural Water Association (NRWA) CEO Matt Holmes made the need for immediate help in this area explicit at the Cyber Civil Defense Summit. According to Holmes, 52% of full-time water operators surveyed said they planned to retire within 10 years – leaving a critical workforce gap that could further jeopardize the security of our systems.
This problem is large in scope – there are more than 145,000 active public water systems in the US, and more than 97% serve small or rural populations. But there is good news, too. The building blocks of support are in place, and many lessons have been learned about how to effectively address these gaps:
1) Expand education and information-sharing
Education efforts should reinforce the relevance of cybersecurity threats to water utilities for local communities continually juggling competing priorities. As with personal security, it is easy to fall into the trap of thinking “why me?” when it comes to being a target. But the truth is that nation-state actors have shown a propensity to target small, rural and seemingly “non-priority” locations, and we know that cyber tools often ensnare entities well beyond their intended target.
Education efforts should reinforce the relevance of cybersecurity threats to water utilities for local communities continually juggling competing priorities.
Efforts to raise awareness around the threats to local communities must continue. This includes resource and information-sharing among providers, exemplified by WaterISAC’s resource center, as well as with broadened public awareness through campaigns like Take9.
We should also continue to invest in new and innovative models of information-sharing. For example, in Massachusetts a group of community water systems successfully piloted a grant-funded shared service provider model to prioritize and share information about digital risks to water and wastewater provision at the municipal level.
2) Build on-the-ground technical assistance programs via trusted partners
At the Cyber Civil Defense Summit, leaders from across the water-serving community were in broad consensus that the primary lesson learned in servicing water infrastructure entities across the US is that trust is paramount. Centralized public awareness campaigns and corporate programs will see greater uptake in communities with trusted integrators in the loop.
Fortunately, there are programs successfully building this trust and thus the “first mile” of service provision. The NRWA Circuit Rider Program has provided free hands-on training and technical assistance to small, rural water systems since its establishment in 1980 and in November of 2024 added cyber-specific resources to the program, with a particular focus on pilots in Oregon and Vermont. Programs like the Consortium of Cybersecurity Clinics and DEF CON Franklin are connecting water utilities across the country with volunteer cyber assistance at no cost.
3) Scale technical assistance by creating centralized technical support capacity
Addressing gaps in operational technology, information technology, preparation and response efforts requires support from a broad coalition of groups. Centralized services can facilitate delivery of these services, lessening the cybersecurity burden for individual water utilities and other critical infrastructure systems and ensuring they can continue their work securely and without disruption.
Needs vary, but models for success exist. For instance, the Cyber Resilience Corps, which just completed its first year of operations, aggregates volunteer services – including the aforementioned DEF CON Franklin, university-based cyber clinics, and state cyber corps programs – into one platform. The initiative is helping us understand how such programs are combining forces to provide effective support to the water sector and will ultimately provide a template for nationwide cyber assistance solutions.
Addressing gaps in operational technology, information technology, preparation and response efforts requires support from a broad coalition of groups.
And we can look beyond our borders to the Cyber Defense Assistance Collaborative (CDAC) for an example of successful consolidation and delivery of cyber defense assistance in Ukraine – with resounding results.
Industry also has an important role to play in providing capacity, such as the Dragos Community Defense Program (CDP), which currently provides free access to Dragos Platform software to small US- and Canada-based water utilities. We should also look to the guidance on baseline security standards released by the American Water Works Association (AWWA) to build a shared foundation of technical support.
With growing attention paid to how we map and inventory community needs, particularly in small and rural communities, scalable solutions are increasingly becoming a reality.
With growing attention paid to how we map and inventory community needs, particularly in small and rural communities, scalable solutions are increasingly becoming a reality.
Based on the lessons learned in support of small, rural water providers, we envision a world where local efforts to educate and provide hands-on assistance continue to expand. When supported by an increase in centralized technical assistance capabilities, this work has the potential to scale to meet the core needs of our communities and combat threats posed to critical water utilities throughout the US.
This piece is part of a Aspen Digital series of perspectives on the evolving space of intergovernmental cyber policy, including challenges and best practices for building state, local, tribal and territorial capacity and how governments can collaborate effectively.
READ MORE
Explore insights from our team and contributors on intergovernmental cyber policy.
Beyond the Beltway
Amidst changes in the threat and policy landscape, we convened experts on evolving roles in state and local cybersecurity efforts.
The Limits of Risk-Informed Planning for State and Local Cyber Readiness
A shift to risk-informed planning may hinder cyber readiness as state and local governments assess their evolving digital threats.
