States, Congress struggle with cybersecurity at water utilities; federal warnings intensified.

January 2, 2024

Key Points:

  • Water utilities are increasingly becoming a target for cyberattacks.
  • U.S. security officials are warning about hackers gaining control of water supply systems.
  • States and Congress are grappling with how to improve cybersecurity in the water sector.
  • Funding and expertise are lacking for most water utilities to invest in cybersecurity measures.

Water utilities in the United States are facing increasing threats from cyberattacks, with hackers aiming to gain control of water supply systems. U.S. security officials have warned of the potential for hackers to shut down pumps or contaminate drinking water by targeting automated equipment. Iran and other geopolitical rivals, such as China, are viewed as potential threats to water utilities.

Several states have taken action to enhance cybersecurity in the water sector, but advocates argue that the sector lacks the money and expertise needed to invest in robust cybersecurity measures. Water utilities face challenges in funding cybersecurity initiatives when they are already grappling with aging infrastructure and compliance costs.

In 2021, the federal government reported five attacks on water authorities over two years, including ransomware attacks and an attack by a former employee. State governments have responded by passing legislation to increase cybersecurity scrutiny, but efforts have been met with pushback. Private water companies argue that stricter regulatory standards are needed to boost public confidence in tap water safety, while public authorities are concerned that the legislation will pave the way for privatization.

Some states have applied for federal cybersecurity grants from a $1 billion program established by the 2021 infrastructure law. However, water utilities will face competition for these funds from other utilities, hospitals, police departments, schools, and local governments.

Despite the urgency to improve cybersecurity in the water sector, Congress has yet to take comprehensive action. Existing regulations under the Safe Drinking Water Act are largely voluntary and have resulted in minimal progress, according to experts. Smaller water and electric utilities are particularly vulnerable to cyberattacks due to the lack of resources and access to cybersecurity support.

Efforts to address this issue have included partnerships between water utilities and private cybersecurity companies, such as Dragos Inc. Dragos offers free access to its online support and software for detecting vulnerabilities and threats for utilities with less than $100 million in revenue. This kind of support is critical, given that many water utilities lack the resources to invest in cybersecurity measures.
