Water regulators intensify measures as majority of water utility companies overlook cyber security measures

Utilities could face both civil and criminal repercussions after enduring numerous assaults on drinking and wastewater management systems over several months.

Water authorities face intensified EPA oversight due to a significant absence of cybersecurity precautions in place.

State-affiliated cyber threat groups are posing a significant threat to water utilities in the U.S. and U.K., according to recent reports. While specific groups remain unnamed, references to "nation-state groups" suggest government-linked actors are targeting critical infrastructure.

The attacks, which include ransomware and intrusions aimed at disrupting water treatment, billing systems, and operational technology (OT) systems, have led to operational disruptions and public safety risks. Among the state-linked groups involved are Volt Typhoon, linked to China, and Cyber Av3ngers, associated with the Islamic Revolutionary Guard Corps in Iran, as well as groups from Russia.

To counter these threats, several measures are being implemented. At the state level, New York, for example, has proposed regulations requiring utilities serving at least 50,000 customers to adopt cybersecurity policies mandating multi-factor authentication (MFA), data masking, access controls, separation of OT and IT systems, and incident response plans with defined timelines for reporting cyber incidents to authorities. Utilities must also appoint chief information security officers (CISOs) who report annually on cybersecurity readiness. Operator awareness is emphasized as a critical defense layer, with training to detect suspicious activity and follow security protocols.

At the federal level, the Government Accountability Office (GAO) has urged the U.S. Environmental Protection Agency (EPA) to address the sector's cybersecurity risks. However, proposed EPA budget cuts for 2026 raise concerns about federal support for cybersecurity, especially in small and rural utilities. European countries, on the other hand, are focusing on strict security standards and coordinated incident reporting under the NIS2 Directive to strengthen resilience among essential services, including water utilities.

Operators of digital dams and water management infrastructure must also comply with requirements from agencies such as the EPA and FEMA, and with data privacy laws like California's CCPA, balancing public safety and data protection while mitigating cyber risks.

The EPA has taken over 100 enforcement actions against community water systems since 2020 and plans to increase future inspections. Protecting the nation's drinking water is a priority for the EPA, as stated by EPA Deputy Administrator Janet McCabe in the announcement about the planned inspections.

In an urgent meeting in March, White House and EPA officials spoke with state environmental and health officials regarding updated plans to defend water utilities against attack. The plan to protect water utilities is part of a larger federal effort that includes the Cybersecurity and Infrastructure Security Agency and the National Security Agency.

CISA officials noted during the RSA Conference that 95% of the 150,000 water utilities across the country don't have a cybersecurity professional on staff. Chris Walcutt, CSO of DirectDefense, has highlighted this issue and works with the American Water Works Association on addressing these problems.

The growing cyber threat landscape in the water sector necessitates increased protection. These combined efforts aim to bolster defenses and ensure the safety of water utilities in the U.S. and U.K.

  1. The rising threat of ransomware and intrusions targeting water utilities, attributed to state-affiliated groups such as Volt Typhoon and Cyber Av3ngers, has prompted the implementation of cybersecurity measures.
  2. In response to these threats, New York has proposed regulations mandating cybersecurity policies in utilities, which include requiring multi-factor authentication, data masking, access controls, separating OT and IT systems, incident response plans, and annually reporting cybersecurity readiness to authorities.
  3. The EPA, upon urging from the Government Accountability Office, is addressing the water sector's cybersecurity risks, but proposed budget cuts for 2026 raise concerns about federal support, particularly for small and rural utilities.
  4. The growing cyber threat landscape in the water sector necessitates increased protection, with efforts being made by federal agencies such as the Cybersecurity and Infrastructure Security Agency and the National Security Agency to bolster defenses and ensure the safety of water utilities.