A patchwork of voluntary cybersecurity standards, aging infrastructure, and fragmented federal oversight has left over 100,000 drinking water and wastewater systems across the U.S. exposed to growing cyber risks, according to recent Government Accountability Office (GAO) testimony.
The federal watchdog warned lawmakers that systemic vulnerabilities in how the nation manages water-sector cybersecurity could allow foreign adversaries or criminal hackers to disrupt essential services that millions of Americans rely on daily.
The scale of the challenge is significant. GAO confirmed that the U.S. water sector includes nearly 170,000 systems and represents one of the nation’s 16 critical infrastructure sectors.
These facilities manage drinking water delivery and wastewater treatment across urban centers and rural communities alike.
Investigators warned that even localized disruptions could ripple outward, affecting hospitals, power generation facilities, emergency services, and other dependent infrastructure.
At the center of the risk is a broader technology transition occurring across the sector.
Water utilities are rapidly integrating internet-connected systems into operations that were once fully isolated.
These systems now allow remote control of pumps, valves, and chemical treatment processes, improving efficiency across widely distributed networks.
However, GAO cautioned that this convergence of operational technology and internet connectivity has created a systemic vulnerability, expanding the number of pathways through which attackers can reach critical infrastructure systems.
GAO attributed the growing exposure to a combination of underinvestment, staffing shortages, and aging infrastructure.
Many utilities still operate legacy systems that were designed before modern cybersecurity threats existed and are difficult to retrofit with updated protections.
At the same time, workforce gaps have left some operators without sufficient cybersecurity expertise, while financial constraints force many systems to prioritize regulatory compliance for clean water over digital security improvements.
Federal investigators also highlighted the sector’s reliance on voluntary compliance as a key weakness.
Since cybersecurity requirements are not uniformly mandated, implementation varies widely across utilities.
GAO noted that some systems continue to struggle with basic cyber hygiene practices, including software patching, password management, and securing remote access points—creating uneven protection across the country’s decentralized water network.
The report also documented real-world incidents that underscore these risks.
In late 2023, an Iran-linked hacking group successfully breached a Pennsylvania water facility, temporarily forcing operators to halt automated systems and shift to manual operations.
Other ransomware attacks have disrupted utilities in states including California, New Jersey, and Nevada, highlighting how cyber incidents can quickly translate into operational disruption at the local level.
GAO further warned that nation-state actors, including groups linked to Iran and China, along with cybercriminal organizations, have demonstrated increasing capability to target U.S. infrastructure systems.
These threats are not limited to water utilities, but the sector's decentralized nature, combined with inconsistent cybersecurity maturity, creates a broad attack surface that is difficult to defend uniformly.
In response to earlier GAO recommendations, the Environmental Protection Agency (EPA) has taken steps to improve oversight.
The agency completed a sector-wide risk assessment and developed a Water and Wastewater Systems Sector Risk Management Plan in January 2025.
The plan identifies priority risks and outlines efforts to improve coordination across federal, state, and local partners in managing cybersecurity threats.
However, GAO found that significant regulatory gaps remain.
EPA has acknowledged limitations in its legal authority to require cybersecurity assessments for certain drinking water and wastewater systems, particularly smaller utilities.
While the agency has explored its existing tools and voluntary frameworks, officials noted that current laws provide only limited ability to mandate cybersecurity protections across the sector.
The watchdog agency has issued four key recommendations to strengthen national preparedness, including the development of a comprehensive risk-informed cybersecurity strategy, improved assessment tools, and a full evaluation of federal legal authorities.
While EPA has implemented or partially addressed several recommendations, GAO concluded that a coordinated national framework is still needed to address persistent structural weaknesses in the water sector’s cyber defenses.
GAO ultimately warned that without stronger coordination, clearer authority, and more consistent security requirements, the nation’s water infrastructure will remain exposed to evolving cyber threats.
In a system as large and decentralized as the U.S. water sector, the agency emphasized that only a unified, risk-based approach can close existing gaps and reduce the likelihood of disruptive attacks on essential services.