August 22, 2025 | Policy Brief
Limiting Access to Cyber Support for Water Sector Leaves Communities Vulnerable
The Environmental Protection Agency (EPA) is trying to stem the tide of cyberattacks against the water sector. On August 19, the EPA held a webinar explaining the details of its new $9.5 million cybersecurity grant program for public drinking water systems. The initiative marks one of the first federal efforts to provide direct support to help water utilities protect themselves against cyber threats. The program is a good start but remains insufficient to address cybersecurity vulnerabilities across the sector.
America’s water utilities are under attack from Russian, Iranian, Chinese, and non-state actors. In 2024, the nation’s largest water utility, American Water, reported a cyberattack that disrupted operations. In 2023, Iranian hackers compromised the operations of multiple U.S. water utilities, forcing them to switch to manual controls. Russian hackers breached water facilities in Texas in April 2024, causing tanks to overflow, and are continuing to exploit weak defenses in industrial control systems to compromise U.S. critical infrastructure. Meanwhile, Chinese government hackers are probing U.S. water plants, according to the FBI.
Water Sector Vulnerability
Water is one of America’s most vulnerable critical infrastructure sectors. As FDD’s Center on Cyber and Technology Innovation senior director, Mark Montgomery, has noted, water utilities “operate with limited budgets and even more so, limited number of cybersecurity personnel and expertise.” A November 2024 report from the EPA’s Office of Inspector General found that nearly 100 drinking water systems serving 26.6 million people had critical or high-risk cybersecurity vulnerabilities. These included open internet portals, default passwords, and unpatched systems, making utilities easy targets for both cyber criminals and nation-states.
Attacks on water utilities could significantly disrupt daily life. A coordinated ransomware attack, for example, could exploit common vulnerabilities across multiple systems at once, cutting off water supply, treatment, and distribution. Beyond immediate service outages, disruptions would have ripple effects across other critical sectors such as agriculture and health care.
EPA’s New Grant Program Begins to Tackle Water Sector Challenges
The new EPA program takes a first step toward providing midsize and large water systems the resources they need to secure themselves. The grant will award six public water systems funds to increase their resilience.
Community water systems serving fewer than 10,000 people, meanwhile, cannot apply for the program. These smaller systems account for 90 percent of national systems and provide water to an estimated 46 million Americans. They are some of the most vulnerable utilities because they have small budgets and often lack in-house cybersecurity expertise.
The terms of the grant also do not guarantee that any projects will actually focus on fixing cyber vulnerabilities. While utilities can use the funds to develop cyber-incident response plans and purchase new cybersecurity tools, they can also use the money to physically harden systems against extreme weather or other natural hazards. Cyber progress therefore depends on the utilities applying with plans for cybersecurity — and EPA selecting those cyber-specific plans as grant recipients over other applicants.
For comparison, the State of New York’s new $2.5 million grant program will support cyber upgrades for utilities serving populations between 3,300 and 50,000. While EPA’s $9.5 million program is nearly four times as large as New York’s, the lack of cyber requirements, small number of projects, and limited eligibility scope could restrict its positive impact on increasing national infrastructure resiliency.
Utilities Need More Money and Cyber Boots on the Ground
The new funding opportunity is only a drop in the bucket of what is needed. To adequately tackle the widespread cyber challenges in the sector, EPA should establish a grant program focused exclusively on cybersecurity that can support a larger number of utilities.
But grants alone will not be enough. Washington should also prioritize support for smaller community water systems, which represent the majority of U.S. utilities and face the steepest resource gaps. As noted by Kevin Morley of the American Water Works Association, small and rural utilities need “boots on the ground” cybersecurity support, which a bipartisan group of lawmakers is proposing to provide through the creation of a cyber circuit rider program. Without direct expertise and necessary funding, America’s water systems will remain dangerously exposed to cyber threats.
Sophie McDowall is a research associate at FDD’s Center on Cyber and Technology Innovation (CCTI), where Maria Riofrio is an intern. FDD is a Washington, DC-based, nonpartisan research institute focusing on foreign policy and national security.