The cyberthreat landscape to America’s water systems

By Scott Dewhirst

This is a lightly edited excerpt from testimony given at the U.S. Senate Committee on Environment and Public Works entitled, “Identifying and addressing cybersecurity challenge to protect America’s Water Infrastructure.”

Cyber threats to water systems have grown in recent years. According to Water ISAC, from April 2024 through March 2025, roughly 14 percent of water utilities responding to its quarterly incident survey reported experiencing at least one cybersecurity incident. This is an increase from about 11.5 percent of responding water systems during the same period the year before.

At the same time, cyber threats are becoming more frequent, more sophisticated, and more damaging, requiring ongoing and sustained investment by water utilities to manage risk.  As more water systems use internet-connected operational technology — such as industrial control systems — to remotely monitor and control pumps, valves, and chemical dosing, new cybersecurity challenges are introduced. While these technologies improve efficiency, they also turn operations that were once handled directly by humans into complex, interconnected cyber-physical systems. That shift introduces new vulnerabilities if systems are not properly secured, as is the case too often. 

In 2024, researchers identified more than 18,000 industrial control systems in the United States that were accessible from the internet. More than half of the devices linked to water and wastewater systems could be manipulated online without any authentication at all. Pro-Russia hacktivist groups have taken advantage of this widespread lack of basic security, targeting water and other critical infrastructure systems using simple, widely available tools. For example, in January 2024, an attack by a Russian hacktivist group claimed responsibility for manipulating human-machine interfaces, resulting in a water storage tank overflow and minor, temporary disruption of operations in a small Texas town.4 Just last month, a hacktivist group known as Infrastructure Destruction Squad claimed in a Telegram post that it had gained unauthorized access and compromised a Texas water treatment system.

Nation-state threats also pose a serious risk. In recent years, a Chinese-affiliated cyber group known as Volt Typhoon has been linked to long-term, stealthy intrusions into U.S. critical infrastructure networks. In one case, a combined electric and water utility discovered that the group had maintained access to its systems for approximately ten months before being detected.

These types of intrusions are especially concerning because they may be intended to enable future disruptive or destructive attacks. Utilities also face growing operational risks as disruptions in information technology systems increasingly cascade into operational technology environments, as demonstrated by the July 2024 CrowdStrike outage. Compounding these challenges, AI is reshaping the threat landscape system and increasing risk by enabling ransomware actors to enhance extortion tactics, making social engineering attacks more convincing and harder to detect, and enabling new modes of attack.  

These incidents demonstrate why water utilities of all sizes must remain vigilant against cyber intrusions. Without continued federal investment and support, many water systems will struggle to keep pace with these evolving threats, putting essential public health and safety services at risk. Tools Available for Cyber Preparedness As a large public water system, Fairfax Water employs a dedicated cybersecurity staff and leverages resources offered by federal and sector partners, including the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and Water ISAC. 

Effective cyber defense depends not only on understanding best practices, but also on continuous and timely awareness of evolving threats. Founded in 2002 as an independent non-profit organization, Water ISAC plays a unique role in the sector’s cybersecurity preparedness by actively monitoring cyber threats and vulnerabilities affecting water and wastewater utilities. As one of more than two dozen Information Sharing and Analysis Centers across the nation’s critical infrastructure sectors, Water ISAC continuously collects, analyzes, and disseminates threat intelligence specific to the water sector, while also offering guidance on risk mitigation tools, best practices, and response actions that contribute to an all-hazards resiliency posture. 

The organization issues hundreds of cyber and physical security advisories each year, receives incident reports from utilities, conducts threat analysis, and provides alerts and briefings to help water systems detect and respond to emerging risks. 

In the past year, Water ISAC also helped provide support to mitigate threats to Arkansas City, Kansas, and the Boston Water and Sewer Commission when they experienced ransomware attacks.  Water systems today have access to a growing body of guidance and tools designed to improve cybersecurity preparedness.

Read the full testimony here.

View the full hearing here.

Scott Dewhirst is the deputy general manager of Engineering and Technology at Fairfax Water.

_{*The opinions expressed in this column are those of the author and do not necessarily reflect the views of EnergyPlatform.News.}