Insight

Understanding the Cybersecurity Risks Flooding the Water and Wastewater Systems Sector

January 05, 2026

US critical infrastructure has historically been a prime target for threat actors because of the significant and far-reaching consequences of a successful cyberattack. Today, ongoing geopolitical tensions and escalating global conflict have pushed these risks to new heights. Nation-state-backed groups have become persistent and strategic adversaries of critical infrastructure, targeting these organizations to maximize disruption, create geopolitical pressure, and undermine public trust.

The Water and Wastewater Systems (WWS) sector, which includes drinking water systems and wastewater treatment utilities, is particularly vulnerable to nation-state attacks. As in other critical infrastructure sectors, owners and operators in the WWS are well versed in emergency response planning and safety protocols. However, aging infrastructure and the sector's large operational footprint (more than 150,000 public water systems of various sizes in the US alone) present unique risks to owners and operators. These risks are compounded by the lack of a comprehensive regulatory framework requiring baseline cybersecurity standards for the WWS. To defend against these sophisticated and growing nation-state attacks, WWS organizations should prioritize their cyber maturity and resilience.

Cyber Threats to the WWS

Threat actors who once targeted only the websites of WWS organizations have pivoted to compromising the underlying operational systems and software that control core operations, significantly increasing the potential impact of their attacks. A joint international advisory published in May 2024 by US and allied government cybersecurity agencies warned of a growing threat from state-aligned actors targeting small-scale operational technology (OT) systems across critical infrastructure, including the WWS. Amid escalating geopolitical tensions, these agencies have placed critical infrastructure organizations on high alert, warning that nation-state-backed threat actors are targeting vulnerable networks deemed to be of "strategic interest."

Threat actors target the software and digital technology water plants rely on in order to cause significant disruptions and potentially restrict access to water. In December 2024, the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint fact sheet on a common WWS exposure: Human Machine Interfaces (HMIs) reachable directly from the internet, which malicious actors can use to view and manipulate the control systems behind them.

Beyond the highly disruptive nature of these attacks, a general lack of cybersecurity hygiene across the sector has left it exposed to targeted threats. Worsening the problem, the WWS is highly fragmented: most providers serve small towns and operate with limited resources and budgets, making it challenging to implement comprehensive cybersecurity measures. According to the EPA, in 2024 nearly 70% of water utilities inspected by federal officials were found not to meet basic cybersecurity requirements, such as changing default passwords or having proper offboarding procedures in place.

Legal Challenges

Despite the unique threats facing the WWS, the development of comprehensive federal cybersecurity regulation for the sector remains elusive. This is due in part to limitations in the enabling statutory authority of the EPA, the lead federal agency tasked with overseeing the safety of the nation’s water systems.

Under the Safe Drinking Water Act (SDWA), the EPA is authorized to protect public health and safety by regulating the nation’s public drinking water supply. Although the statute carves out a minimal role in overseeing and promoting cybersecurity for public water systems, [1] the law does not explicitly authorize the EPA to impose baseline cybersecurity requirements across the sector, as other federal regulators are able to. For example, federal regulators in the energy industry have explicit authority to issue rules related to the security of electric power and pipeline systems. [2] Those regulators have leveraged their authority to develop mandatory cybersecurity requirements that are subject to a compliance and enforcement framework that brings with it the potential for civil financial penalties for noncompliance.

Despite lacking such clear authority, the EPA previously attempted to oversee the cybersecurity posture of WWS entities more directly. In 2023, the EPA issued a memorandum setting out its interpretation that existing legal authority allows it to evaluate the cybersecurity practices of operational technology systems during the mandatory sanitary surveys that state authorities routinely conduct but that have not historically addressed cybersecurity controls. However, the EPA withdrew the memorandum after it was challenged in federal court by the attorneys general of several states, who argued that the EPA had exceeded its statutory authority and failed to follow fundamental administrative rulemaking requirements. The EPA has since continued to promote cybersecurity guides, tools, and the adoption of more robust cybersecurity controls, but on a voluntary basis.

Best Practices to Mitigate Cyber Risks

While nation-state threat actors are highly sophisticated, ensuring fundamental cybersecurity practices are in place can significantly reduce the impact of their cyberattacks. Given the growing threat landscape, WWS organizations should consider taking action to strengthen their cybersecurity protections. Implementing the following recommendations can help WWS organizations reduce cyber risk, enhance resilience, and prepare for future challenges:

  • Implement Foundational Cybersecurity Practices for All Employees: Establish clear baseline requirements across the workforce, including, but not limited to, strong, unique passwords in place of vendor defaults, multi-factor authentication (MFA), and regularly scheduled cybersecurity training. Review and enforce access management policies to ensure that employees have access only to the systems and databases necessary for their roles. Standard onboarding and offboarding processes, including prompt removal of departed employees' and contractors' accounts, are also vital to improving cyber hygiene.
  • Ensure Systems and Networks Are Secure: Keep all software up to date and apply security patches promptly to close known vulnerabilities. Where an OT component cannot be patched without a planned outage, test the patch, schedule it, and apply compensating controls in the meantime. Remove direct internet exposure from HMIs and other control-system interfaces, and implement IP allowlisting so that remote access is accepted only from authorized users and systems.
  • Develop and Regularly Test an Incident Response Plan: WWS organizations should have thorough incident response, business continuity, and disaster recovery plans in place. These plans should be tested through simulation exercises involving all relevant stakeholders and then reviewed and updated at least annually to account for organizational changes and evolving threats.
  • Protect Operational Technology: Actively monitor the OT environment to identify suspicious user behavior or unauthorized access, enabling faster detection and response. Networks should also be segmented into distinct zones to control traffic between OT and information technology (IT) networks, reducing the chance of threat actors moving laterally should a breach occur. If outside vendors have access to the OT network, assess their cybersecurity practices to limit risks introduced by third parties.
  • Conduct Regular Assessments: Cybersecurity gap and vulnerability assessments help organizations identify protection deficiencies and areas for improvement. Findings should be prioritized and addressed as a part of the overall cybersecurity strategy to enhance resilience.
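As an added example, not code from the original article, the following Python script shows what the allowlisting and OT monitoring recommendations above look like in practice: it parses HMI remote-access log lines, flags successful logins from sources outside an IP allowlist, flags logins with vendor default accounts, and reports repeated failures from one source. The log format, addresses, account names and threshold are constructed for illustration and do not come from the page or from any particular HMI product.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed allowlist for the example: the plant's control network and one
# vendor jump host. A real site would load this from its firewall/VPN policy.
ALLOWLIST = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Account names commonly shipped as vendor defaults. Constructed for the
# example; populate from the documentation of the HMIs actually deployed.
DEFAULT_ACCOUNTS = {"admin", "operator", "guest"}

# Failed logins from one source before it is reported as a brute-force attempt.
FAIL_THRESHOLD = 3

# Hypothetical HMI authentication log format (assumed, not a real product's):
#   <iso-timestamp> <host> auth <OK|FAIL> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines; not captured traffic.
SAMPLE_LOG = """\
2025-03-01T02:11:04Z hmi-01 auth OK user=jsmith src=10.20.4.17
2025-03-01T02:12:30Z hmi-01 auth OK user=vendor-svc src=203.0.113.10
2025-03-01T02:15:01Z hmi-01 auth FAIL user=admin src=198.51.100.23
2025-03-01T02:15:03Z hmi-01 auth FAIL user=admin src=198.51.100.23
2025-03-01T02:15:05Z hmi-01 auth FAIL user=admin src=198.51.100.23
2025-03-01T02:15:09Z hmi-01 auth OK user=admin src=198.51.100.23
2025-03-01T02:40:00Z hmi-02 auth OK user=operator src=10.20.4.40
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowlisted(src):
    """True if src is a valid IP address inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source field is treated as not allowlisted
    return any(ip in net for net in ALLOWLIST)


def analyze(log_text):
    """Run the three checks over the log and return a list of findings.

    Each finding is (kind, src, user) where kind is one of:
      'brute_force'            FAIL_THRESHOLD or more failures from one source
      'non_allowlisted_login'  successful login from outside the allowlist
      'default_account_login'  successful login with a vendor default account
    """
    findings = []
    failures = defaultdict(int)
    reported_brute_force = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line; a real deployment would count these
        src, user = ev["src"], ev["user"]
        if ev["result"] == "FAIL":
            failures[src] += 1
            if failures[src] >= FAIL_THRESHOLD and src not in reported_brute_force:
                reported_brute_force.add(src)
                findings.append(("brute_force", src, user))
            continue
        # Successful login: check both where it came from and which account.
        if not is_allowlisted(src):
            findings.append(("non_allowlisted_login", src, user))
        if user in DEFAULT_ACCOUNTS:
            findings.append(("default_account_login", src, user))
    return findings


if __name__ == "__main__":
    for kind, src, user in analyze(SAMPLE_LOG):
        print(f"{kind}: user={user} src={src}")
```

On the sample log the script reports the brute-force run from 198.51.100.23, the successful `admin` login that followed it from that non-allowlisted address, and two default-account logins. In practice the allowlist check should also be enforced at the firewall or VPN concentrator; the log check exists to catch the cases where that enforcement is missing or has been bypassed.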

WWS organizations may consider engaging outside cybersecurity counsel to direct some of these activities to, among other things, help establish and maintain attorney-client privilege.

The current geopolitical climate adds complexity to a constantly evolving cyber threat landscape, and the WWS must be prepared for increasingly targeted attacks on US critical infrastructure. Though recent proposed legislation seeks to address cybersecurity issues in the WWS, gaps remain. Without mandatory requirements, WWS entities are placed in a position of voluntarily choosing to adopt cybersecurity controls and implement practices that could compete with other priorities, potentially creating challenges for the continued cybersecurity investment required to stay ahead of escalating threats.

With federal legislation and regulation lagging behind emerging threats, waiting for mandates and obligations may not be a viable strategy. Proactively implementing even basic cybersecurity practices can significantly reduce risk and help prevent widespread and severe disruptions.

Jeffrey Veltri, who contributed to this Insight, is a senior managing director in FTI Consulting’s cybersecurity practice with decades of experience in federal law enforcement—including high-profile investigations, national security, and cybersecurity risk management.


[1] See 42 U.S.C. § 300i-2(h) (requiring larger community water systems to develop resilience and emergency response plans that include a cybersecurity component).

[2] 16 U.S.C. § 824o (authorizing the Federal Energy Regulatory Commission to issue reliability standards for the bulk power system that include cybersecurity protections); 49 U.S.C. § 114(f) (granting the Transportation Security Administration broad authority to regulate transportation security).