Since March 2024 when the Environmental Protection Agency (EPA) sent a letter to all U.S. governors alerting them of the need to increase the cyber security of water-sector critical infrastructure against cyber threats, those facilities have increased their cybersecurity, but not enough, say water security experts.

The U.S. has 155,000 public water systems and 17,000 wastewater systems that have been “squarely in the crosshairs” of those who want to disrupt critical infrastructure—including water and wastewater systems—as part of geopolitical tensions or military conflict, said Jennifer Lyn Walker, the director of infrastructure cyber defense at the Water Information Sharing and Analysis Center (WaterISAC).

Attackers have noticed the water sector and are using sophisticated tools to target critical vulnerabilities and products that many utilities use to attack water and wastewater facilities, according to Walker. “The (water) sector has experienced notable cyber-threat activity over the last year and a half, with some perpetrated by a variety of threat actors with differing motivations,” said Walker who added, during 2024 “we tracked approximately 100 incidents from direct member reports.”

While WaterISAC—which provides the water and wastewater sectors with data, facts, case studies, and analysis on water security—has not received reports of a cyber attack that endangered human life through the water environment, it has been tracking more and more cyber incidents and events at water and wastewater utilities, according to Walker.

The majority of the incidents and events consisted of what Walker calls “commodity threats,” which are incidents such as phishing, malware and ransomware attacks that impact everyone, said Walker, who, along with Alec Davison, the all-hazards risk analyst for WaterISAC, presented on the topic at the U.S. Senate on April 9, 2025 as part of the Water Policy Conference hosted by Association of Metropolitan Water Agencies.

Threat actors include those sponsored by nation states; opportunistic cyber criminals; ransom-ware groups; and insider threats usually by disgruntled employees, said Walker.

In addition, some cyber attacks are conducted for no more than “a publicity stunt” that attracts attention on social media, Walker said. “Unfortunately, there are utilities that still believe ‘I’m just a little old waterway’ sort of utility, so why should I care about cybersecurity,” she said. The fact is the water sector has “way too many exposure points.”

To counter that, water utilities do not have to become expects at cybersecurity, but they do have to be aware of, and recognize, that cyber security is the responsibility of all water-utility staff, Walker said, adding “it’s important to have at least a high level of awareness, and acceptance that there are nation-state actors that desire to disrupt critical services and the safety and security of those services.”

There are resources to help water utilities increase cybersecurity, according to Walker, including from the National Rural Water Association (NRWA) that has entered into a formal collaboration effort with WaterISAC to educate rural utilities about both cyber and physical security threats.

“The collaboration hopes to increase resilience efforts among some of the country’s smallest and often overlooked utilities, including 25,000 NRWA members that serve populations of 3300 or fewer,” Walker said. Under the collaboration NRWA members have access to WaterISAC’s resources including WaterISAC’s weekly security and resilience update; regular threat briefings; the organization’s resource center and security conference, she said.

Furthermore, there are even more cybersecurity resources from the EPA, and the American Water Works Association, but due to the lack of awareness and the lack of technical support to even put such resources into practice, small utilities are not able to use those resources, according to Walker.

In addition to cyber threats, from 2023 to 2024 physical attacks on water-sector facilities has increased by 105 percent, according to Davison, who spoke on physical dangers targeting water utilities.

“The physical security threat landscape facing the water and wastewater sector today is increasingly complex, volatile and dynamic,” and “could be ideological, grievance based, financially motivated or something else,” Davison said, who added, that has resulted in “A growing range of threat actors who perceive disruptive physical attacks on infrastructure services as a viable strategy for achieving their aims.”

The attacks have included threats of contamination and poisoning of water supplies, as well as arson attacks, bombs at water utilities, equipment tampering and numerous sabotage incidents at sewage pump stations, fire hydrants, and wastewater manholes; ballistic attacks against water infrastructure, primarily at water towers; bomb threats; and of drones flying over utilities, according to Davison.

Related to drones flying over utilities, there have been incidents involving suspicious individuals photographing or videoing utilities that could be probing or doing some type of operational surveillance or other additional threat activity, said Davison, who added it is not just infrastructure assets at risk, utility employees in the field are facing increasing security risks.

There has been an “anti-capitalist, anti-elite, anti-government” attitude that has produced threats to utility workers, because those workers are being viewed as representatives of the government, and that resulted in online threats to utility workers by individuals who espouse this type of ideology, he said.

What it all means is the U.S. remains in a heightened threat environment driven by multiple international and domestic factors that can include emerging technologies, overseas conflict, and political polarization, and the heightened threat environment is driving the increased risk to the water sector, according to Davison.

Click here to access WaterISAC’s Resource Center.