Cybersecurity on Tap: Protecting Local Water Utilities from Digital Threats

Devon Regal

Program Associate

Sasha Cohen O’Connell

Senior Director, Cybersecurity Programs

Water is critical for community life. Individuals and key facets of our communities alike require water to function – think hospitals, military bases, and foundational community hygiene capabilities. As states move to take on more of a leadership role in cybersecurity and protecting local critical infrastructure from digital risks, securing water and wastewater utilities will be crucial.

In the last year, numerous nation-state groups have targeted US critical infrastructure, including the water and wastewater sector. The recent China-backed Salt and Volt Typhoon campaigns against a broad range of US critical infrastructure, including water utilities, exemplify the specific and tangible cybersecurity threats we face as a nation. Last year, Iranian-backed cyberattacks on small water utilities outside of Pittsburgh, Pennsylvania also prompted higher scrutiny of water security by states and Congress. As global geopolitical tensions rise, these concerns become increasingly pertinent.

Amidst these rising threats, in 2024, the Environmental Protection Agency (EPA) warned of widespread cybersecurity vulnerabilities in our water utilities, finding that over 70% of inspected systems were in violation of Section 1433 of the Safe Drinking Water Act and thus needed to increase their focus on core security requirements. At the June 2025 Cyber Civil Defense Summit in Washington, DC, Brandon Carter of the EPA pointed out that many utilities still lack the resources to address these vulnerabilities.

How did our water systems become so vulnerable? The reality is that because water utilities are dependent on local political will to raise rates, these vital functions are chronically underfunded – particularly in communities with scarce overall resources. This leaves the provision of cyber knowledge and resources in water and wastewater facilities well below what cybersecurity expert Wendy Nather termed the “cyber poverty line.”

National Rural Water Association (NRWA) CEO Matt Holmes made the need for immediate help in this area explicit at the Cyber Civil Defense Summit. According to Holmes, 52% of full-time water operators surveyed said they planned to retire within 10 years – leaving a critical workforce gap that could further jeopardize the security of our systems.

This problem is large in scope – there are more than 145,000 active public water systems in the US, and more than 97% serve small or rural populations. But there is good news, too. The building blocks of support are in place, and many lessons have been learned about how to effectively address these gaps.

This piece is part of an Aspen Digital series of perspectives on the evolving space of intergovernmental cyber policy, including challenges and best practices for building state, local, tribal and territorial capacity and how governments can collaborate effectively.