The U.S. Government Accountability Office (GAO) recently testified before lawmakers, raising alarms about significant cybersecurity vulnerabilities within the nation's vast drinking water and wastewater infrastructure. The federal watchdog warned that a combination of voluntary cybersecurity standards, aging operational technology, and fragmented federal oversight has left over 100,000 water systems across the country exposed to increasing cyber risks from foreign adversaries and criminal organizations. These systemic weaknesses could enable hackers to disrupt essential services relied upon by millions of Americans daily.
The scale of the challenge is substantial, encompassing nearly 170,000 systems that constitute one of the nation’s 16 critical infrastructure sectors. These facilities are responsible for managing drinking water delivery and wastewater treatment for both urban centers and rural communities. GAO investigators emphasized that even localized disruptions could have cascading effects, impacting hospitals, power generation facilities, emergency services, and other interconnected infrastructure.
A primary driver of this heightened risk is the ongoing technological transition within the water sector. Utilities are increasingly integrating internet-connected systems into operations that were traditionally isolated. While these systems enhance efficiency by allowing remote control of pumps, valves, and chemical treatment processes across distributed networks, the GAO cautioned that this convergence of operational technology and internet connectivity has simultaneously created new systemic vulnerabilities. This expansion of digital pathways offers more opportunities for attackers to access and potentially compromise critical infrastructure.
The GAO attributed this growing exposure to several factors, including chronic underinvestment, staffing shortages, and the prevalence of aging infrastructure. Many utilities continue to operate legacy systems that were designed before the advent of modern cybersecurity threats and are difficult to upgrade with contemporary protections. Concurrently, workforce gaps mean some operators lack sufficient cybersecurity expertise, and financial constraints often compel many systems to prioritize regulatory compliance for clean water over investments in digital security improvements.
Federal investigators also underscored the sector’s reliance on voluntary compliance as a critical weakness. Given that cybersecurity requirements are not uniformly mandated across the sector, implementation varies significantly among utilities. The GAO noted that some systems still struggle with fundamental cyber hygiene practices, such as routine software patching, robust password management, and securing remote access points. This inconsistency creates an uneven security posture across the nation's highly decentralized water network, presenting a broad attack surface for malicious actors.
The report documented real-world incidents that highlight these risks. In late 2023, an Iran-linked hacking group successfully breached a Pennsylvania water facility, temporarily forcing operators to halt automated systems and switch to manual operations. Other ransomware attacks have disrupted utilities in states including California, New Jersey, and Nevada, demonstrating how cyber incidents can rapidly translate into operational disruptions at the local level. The GAO further warned that nation-state actors, including groups linked to Iran and China, along with organized cybercriminal groups, have shown increasing capabilities to target U.S. infrastructure systems.
In response to earlier GAO recommendations, the Environmental Protection Agency (EPA) has initiated steps to enhance oversight. The agency completed a sector-wide risk assessment and developed a Water and Wastewater Systems Sector Risk Management Plan in January 2025. This plan identifies priority risks and outlines efforts to improve coordination among federal, state, and local partners in managing cybersecurity threats.
However, the GAO found that significant regulatory gaps persist. The EPA has acknowledged limitations in its legal authority to mandate cybersecurity assessments for certain drinking water and wastewater systems, particularly smaller utilities. While the agency has explored existing tools and voluntary frameworks, officials noted that current laws provide only limited ability to enforce cybersecurity protections across the entire sector. The watchdog agency has issued four key recommendations to bolster national preparedness, including the development of a comprehensive risk-informed cybersecurity strategy, improved assessment tools, and a full evaluation of federal legal authorities.
While the EPA has implemented or partially addressed several of these recommendations, the GAO concluded that a coordinated national framework is still essential to address the persistent structural weaknesses in the water sector’s cyber defenses. The watchdog ultimately warned that without stronger coordination, clearer authority, and more consistent security requirements, the nation’s water infrastructure will remain exposed to evolving cyber threats, jeopardizing public health and safety.