Why It Matters

Foreign hackers and ransomware gangs have already forced American water utility workers to shut off automated systems and run critical infrastructure by hand. A GAO testimony delivered May 21 before the House Subcommittee on the Environment makes clear that the federal government's primary defense, the Environmental Protection Agency (EPA), still lacks the legal authority, the strategy, and in some cases the basic tools to protect the nation's nearly 170,000 drinking water and wastewater systems serving virtually every American community.

Background

The U.S. water sector was engineered for a different era. Its sprawling network of over 153,000 drinking water systems and 16,500 wastewater systems was designed to move water safely, not to fend off nation-state hackers or criminal ransomware syndicates. Many of those systems now run on aging operational technology that was installed before modern cybersecurity protocols existed, and they are often incompatible with them.

A January 2025 report from the Water Sector Cybersecurity Task Force said that many systems were designed before today's heightened cyber risk environment, and legacy operational technology is frequently impossible to retrofit with current security tools.

The vulnerabilities compound each other. Workforce shortages mean fewer trained eyes on system security. Budget constraints force operators to prioritize regulatory compliance for clean and safe water over cybersecurity investment. And a lack of basic cyber hygiene (things as simple as changing default passwords or keeping operating systems current) remains a persistent problem, according to the Cybersecurity and Infrastructure Security Agency (CISA) regional staff interviewed for the 2024 GAO report.

Current Attacks

The threat of attacks on drinking water infrastructure is documented and ongoing. In November 2023, an Iran-affiliated hacking group breached multiple organizations, including a Pennsylvania water system. Workers were forced to temporarily halt automated pumping at a station and run operations manually. Around the same time, ransomware attacks struck water and wastewater systems in California, New Jersey, and Nevada, each time forcing staff to fall back on manual operations while computer systems were disrupted.

In April 2026, EPA and CISA jointly issued an advisory warning water and wastewater utilities that Iran-affiliated groups were actively targeting technologies in common use across the sector. And the GAO's August 2024 report names China alongside Iran as state-sponsored actors with the capability and intent to carry out cyberattacks on water systems. Criminal ransomware groups add a separate, financially motivated layer of risk.

Because national-level reporting requirements for cyber incidents at water utilities are still under development, the full scope of attacks on the sector remains unknown.

Legal Issues

A Strategy With Gaps

For years, EPA had not performed the basic cybersecurity risk management steps that federal law and White House directives required of it as the designated Sector Risk Management Agency for water. The 2024 GAO report laid that out in four recommendations. Two of those have since been addressed. In January 2025, EPA published its "Water and Wastewater Systems Sector Risk Management Plan," satisfying GAO's recommendations that the agency conduct a formal water sector risk assessment and develop a risk-informed EPA water security strategy.

The Authority Gap

GAO's third recommendation calls on EPA to evaluate its existing legal authorities and seek any enhancements it needs from Congress or the administration. EPA conducted a review and found significant limitations in its ability to require action, particularly for wastewater systems governed by the Clean Water Act, and for certain categories of drinking water systems under the Safe Drinking Water Act. The problem was that EPA's legal review did not assess its authority specifically as the Sector Risk Management Agency for wastewater utilities under the Clean Water Act. GAO flagged that gap and said it will continue following up.

EPA's cybersecurity framework for the water sector is largely voluntary. It can encourage utilities to adopt better practices, but it cannot mandate them for large swaths of the sector. In March 2023, the EPA tried to interpret existing law to require cybersecurity assessments at drinking water systems, but it withdrew that interpretation seven months later after facing legal challenges.

An Unreviewed Tool

The fourth recommendation involves EPA's Vulnerability Self-Assessment Tool, known as VSAT, which water utilities use to evaluate their own cyber risks. GAO recommended that the tool be submitted for independent peer review and revised as needed. EPA agreed and planned to begin that review in February 2025, with completion by May 2025. As of the May 2026 testimony, GAO said it would review the results when available, suggesting the process has not been fully resolved.

Cyber Risks

As water cybersecurity threats are escalating, the federal resources dedicated to helping utilities manage them are being cut.

The Department of Homeland Security's fiscal year 2027 budget request for infrastructure assessments and related security efforts is approximately 58 percent of its fiscal year 2026 level. CISA's budget for stakeholder engagement (the work of helping utilities conduct vulnerability assessments and access risk management support) is proposed at roughly 65 percent less than its fiscal year 2026 level.

GAO warned directly in the testimony that these reductions "may limit the federal government's ability to support water and wastewater systems" in resilience planning and cybersecurity work.

The cuts come as the Trump administration is also conducting a broader review of critical infrastructure protection policy. Executive Order 14239, signed March 18, 2025, directed a review of National Security Memorandum 22 (the Biden-era directive that required EPA to assess water sector risk and evaluate its legal authorities) within 180 days. As of May 2026, no modifications to NSM-22 have been publicly proposed or issued.

The Bottom Line

GAO has designated cybersecurity of critical infrastructure as a high-risk area requiring focused attention from both Congress and the executive branch, one of nine such areas on its high-risk list. The water sector sits within that designation, alongside 15 other critical infrastructure sectors. The testimony delivered before the House Committee on Science, Space, and Technology's Subcommittee on the Environment, led by chairman Scott Franklin (R-FL) and ranking member Gabe Amo (D-RI), makes the case that the gap between the threat to water systems and the federal response has not closed nearly fast enough.