An emerging threat to public drinking water supplies is drawing increased attention in Washington, DC and Lansing.
The threat of cyberattacks has implications for the safety and security of these water supplies. International tensions are also cause for concern. Members of Congress and the Michigan Legislature are proposing solutions.
What’s the threat?
Most water and wastewater systems in the U.S. rely on operational technology and IT systems to operate. This makes the systems vulnerable to cyberattacks.
The threat has recently increased. In April, the EPA, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint advisory warning to U.S. organizations, including those in the water sector, of an urgent and ongoing Iranian-affiliated cybersecurity threat.
According to the U.S. EPA, cyberattacks against community water systems have been “increasing in frequency and severity across the country. Based on actual incidents, we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.”
In 2024, the U.S. Government Accountability Office described potential harms from cyberattacks on water systems as including “drinking water with unsafe levels of bacteria or chemicals.” Nations, cybercriminals, and others have targeted some of the nearly 170,000 U.S. water systems, which are increasingly automated.
EPA stated that its inspectors identified “alarming” cybersecurity vulnerabilities at drinking water systems across the country — for example, some water systems failed to change default passwords, used single logins for all staff, or failed to curtail access by former employees. In November 2024, EPA’s Office of Inspector General found that 9% of the public drinking water systems it scanned had critical or high-priority cybersecurity vulnerabilities. In August 2021, a ransomware attack on a California water and wastewater system was discovered after the ransomware variant had been in the system for about 1 month. ·A July 2021 ransomware attack on a water and wastewater system in Maine forced officials to run the system manually until the computer was restored using local control. A March 2021 ransomware attack focused on a Nevada water and wastewater facility’s SCADA system and backup systems. A September 2020 ransomware attack affected files within a system at a New Jersey water and wastewater facility. In a March 2019 attack at a Kansas facility, a former employee used unrevoked credentials to remotely access a facility computer and threatened drinking water safety.
GAO identified the following vulnerabilities:
- Water systems may contain hundreds of diverse components, making it difficult to properly map and keep operational technologies updated with security patches.
- Attackers may use IT networks to steal data or to move within the network to access operational systems.
- IT and operational networks may not be properly separated, allowing attackers to access the operational systems and disrupt critical processes.
Despite the risks, many communities have not made vulnerability assessments because of the need to allocate limited budget resources to the basic services that are clearly required by law.
Legislative and Administrative Initiatives
Members of Congress have proposed cybersecurity legislation designed to protect the water sector. The chief proposed Congressional water systems security legislation, H.R. 2594, proposes the establishment of a Water Risk and Resilience Organization (“WRRO”) to develop risk and resilience requirements for the water sector. The requirements would “provide for the cyber resilient operation of a covered water system and the cyber resilient design of planned additions or modifications to a covered water system.”
EPA has established a Cybersecurity center on its website, to provide information and resources to water utilities. In conjunction with the Association of State Drinking Water Administrators, EPA has also developed a cybersecurity brief for states, as well as a list of funding sources for conducting assessments.
Michigan’s Approach
In Michigan, the Department of Environment, Great Lakes, and Energy (EGLE) coordinates with the Michigan Cyber Command Center on prevention and response to cybersecurity incidents. As at the federal level, some best practices for the prevention of these incidents are voluntary. For example, the state declares that cybersecurity assessments analyzing system vulnerabilities, threats, and security measures to enhance overall cybersecurity resilience are not mandated by the Safe Drinking Water Act, “but they are highly recommended.” In 2024, EGLE launched an initiative to establish “a comprehensive strategy that bolsters operators’ resilience against both online and offline threats to water systems.”
Proposals for Michigan
State Representative Reggie Miller has introduced legislation requiring public drinking water supplies to have security measures in place to thwart cyberattacks and a risk-based cybersecurity and resilience program. Flow Water Advocates has contacted Rep. Miller to express support for her legislation.
