The U.S. water system faces significant challenges from aging facilities, increasing demand, and emerging cyber threats. As cyberattacks on water utilities escalate – particularly from state actors such as Russia and Iran – the vulnerabilities of these systems become more apparent. Their growing reliance on digital control systems makes them susceptible to intrusion, raising the risk of service disruptions, public health scares, and economic damage. This report outlines the key threats to water infrastructure, the potential consequences of cyberattacks, and the need for enhanced cybersecurity measures.
The U.S. water system is an extensive and intricate network designed to deliver safe, dependable, and affordable drinking water to hundreds of millions of people. It also has the responsibility of managing wastewater and supporting hydropower, agricultural irrigation, flood control, and industries like oil, gas, and mining.
This network is increasingly strained by growing populations, aging infrastructure, extreme weather events, and regulatory shortcomings. While authorities grapple with public health risks, water utilities face financial constraints, including rising consumer prices and unmet investment needs. Western states are also in conflict over water rights as drought and overuse deplete rivers, reservoirs, and aquifers.
Water access is crucial to every sector of the U.S. economy: power generation requires vast amounts of water for cooling, as do the technology and manufacturing industries. Agriculture consumes very large volumes of water, as do extractive industries such as mining, refining, and fracking. U.S. per capita water consumption ranks among the highest globally – more than double that of other industrialized countries like Germany, Japan, and the United Kingdom.
Power generation is the largest drain on U.S. water resources, accounting for 41% of withdrawals, though almost all of that water is returned to its source and thus not “consumed.” Irrigation, the second largest at around 37% of withdrawals, consumes nearly seventeen times as much water as power generation through evaporation and other losses. Public consumption accounts for 1%, while mining and industry make up 6%.
States whose economies are heavily tied to agriculture are particularly dependent on reliable water supplies, which makes them especially vulnerable to drought. California, the largest food-producing state in the U.S., uses about three-quarters of its freshwater for agriculture. The 2020–2022 drought was the driest three-year period in California’s recorded history, resulting in nearly 20,000 job losses and over $3 billion in economic losses.
The water supply relies on a decentralized network of over 148,000 independent systems, around 50,000 of which are classified as “community water systems.” These are permanent and operate year-round, but their pattern of use is highly uneven: just 9% of community water systems supply water to nearly 80% of the population, while the remaining 91% serve communities of fewer than 10,000 residents.
Collectively, the U.S. relies on over two million miles of pipelines to transport the 39 billion gallons of water consumed daily by the public. Approximately 60% of this water supply comes from surface water sources, while the remaining 40% is drawn from groundwater aquifers.
U.S. drinking water is among the safest and most reliable in the world, providing clean and inexpensive water on demand to hundreds of millions of people. Yet, many experts say that challenges to both safety and affordability have been increasing as the nation’s infrastructure ages and cyber threats proliferate.
Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline to critical infrastructure sectors, but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.
This winter, a Russian military-affiliated hacking group infiltrated a Texas water-treatment plant, causing a system malfunction that forced a water tank to overflow and escalating concerns about the network security of similar U.S. facilities. The breach occurred at a facility in Muleshoe, near the New Mexico border, and is the first known case of its kind attributed to Russia, which joins Iran and China on the list of countries linked to similar incidents this year. Researchers point to “Sandworm,” a hacking operation tied to Russia’s military intelligence directorate (GRU). Drinking water in nearby municipalities was not affected, but related hacking attempts were reported in other Texas towns.
Researchers have tracked further Russian-originated activity tied to compromises of a French dam and Polish water utilities. Russia has been using these attacks as a tool of signaling in the international arena and is likely to double down on them across NATO countries. In June, Russian hackers targeted a wastewater treatment plant in Indiana, prompting plant managers to dispatch maintenance personnel to investigate the suspicious activity.
Russia is not the only country sponsoring attacks on U.S. water systems. As the conflict in the Middle East heats up, Iranian actors are expanding their geographic scope to include attacks on Albania, Bahrain, and the United States, and have increased their collaboration with one another, enabling greater specialization and effectiveness. In response, the U.S. Treasury Department announced sanctions against six Iranian officials from the IRGC Cyber-Electronic Command for their role in cyberattacks on U.S. soil. The officials, members of the hacker group Cyber Av3ngers, disabled Unitronics programmable logic controllers (PLCs) at a booster station operated by the Municipal Water Authority of Aliquippa, Pennsylvania. PLCs control pumps and valves throughout U.S. water and wastewater infrastructure and have been exploited in past destructive cyberattacks. The hackers appear to have singled out these PLCs because Unitronics is an Israeli company; the group also targeted ten water treatment stations in Israel around the time of the Aliquippa attack.
According to our assessment, Iran is now more likely than ever to use its cyber capabilities against critical infrastructure, especially in countries seen as supportive of the U.S. and Israel, and against infrastructure important to international commerce. Furthermore, Iran can direct hacktivist groups to prepare further attacks.
Chinese hackers have mainly focused on the defense industrial base, successfully compromising the networks of contractors to the Pentagon’s U.S. Transportation Command 20 times in a single year, while many other incursions have probably never been detected. As we warned in an earlier report, given Beijing’s increasingly assertive posture, its hackers were likely positioning themselves to paralyze U.S. critical infrastructure should a conflict erupt between the two countries over Taiwanese or Philippine waters. Inducing societal panic in an adversary during conflict is an inherent part of Chinese military doctrine, and the targeting of critical infrastructure on Guam could affect U.S. military operations in a significant way.
Cyberattacks are hitting water and wastewater systems throughout the United States, and “water facilities must improve their defenses against the threat”, US national security adviser Jake Sullivan said in a letter sent to state officials.
The latest annual threat assessment from the U.S. intelligence community identified Chinese and Russian cyber operations working to compromise critical infrastructure as a national security threat, and warned that Beijing and Moscow are almost certainly capable of launching cyber attacks that could disrupt critical infrastructure.
In June, Finnish authorities issued a national security warning notice to staff after two break-ins at water treatment facilities in southern Finland. Later that month, two more water infrastructure sites in Tampere, a water tower and a pressurizing station, were broken into. Tampere is Finland’s second-largest urban area and a major hub for defense industries. Russia has repeatedly threatened Finland since it joined NATO, while Sweden continues to suffer a mysterious series of railway sabotage incidents near the border with Russia.
Nature of Cyber Threats
Water infrastructure is increasingly reliant on Supervisory Control and Data Acquisition (SCADA) systems, which control and monitor water treatment plants, distribution networks, and wastewater facilities. While these systems improve efficiency and responsiveness, they are also vulnerable to cyberattacks, such as:
Potential Impacts
The consequences of a successful cyber attack on water infrastructure can be severe:
The potential for sabotage is clear, and according to reports the security of many network management systems is not up to date. Well-publicized attacks on critical infrastructure (such as SolarWinds and Colonial Pipeline) and Russian attacks on the Czech national railway carrier have also exposed the cyber vulnerabilities of the U.S. and E.U. private sector, with dramatic implications for national security.
In an effort to reduce costs, streamline operations, and enhance performance, water utilities are increasingly turning to remote network management systems to monitor and control their infrastructure. Because these systems nearly always need an internet connection, their management interfaces are reachable by, and therefore vulnerable to, advanced cyber threat actors.
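One concrete check that follows from the Aliquippa PLC incident and from the exposure of internet-connected remote management described above is to audit perimeter firewall logs for connections to OT and remote-access ports that originate outside the utility’s own address space or its integrator’s known VPN egress. The script below is an added example and is not part of this report or of any utility’s or vendor’s tooling. The syslog-style log format, the sample records, and the allowlisted ranges are constructed assumptions; the port list is also an assumption, with Modbus/TCP (502) and VNC (5900) being standard assignments and TCP/20256 being the Unitronics PCOM port cited in CISA’s advisory on the Aliquippa intrusion.

```python
"""Audit firewall log lines for OT/remote-management ports reached from
non-allowlisted sources. Added example, not code from the report above."""
import ipaddress
import re
from collections import Counter

# Ports to watch (assumed list). 502 = Modbus/TCP, 5900 = VNC,
# 20256 = Unitronics PCOM (the port named in CISA's Aliquippa advisory).
OT_PORTS = {
    502: "Modbus/TCP",
    5900: "VNC",
    20256: "Unitronics PCOM",
}

# Hypothetical allowlist: the utility's private ranges plus one
# integrator VPN egress address (203.0.113.10 is documentation space).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Constructed syslog-like record layout assumed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>allow|deny)$"
)

# Constructed sample log lines (198.51.100.0/24 plays the external attacker).
SAMPLE_LOGS = [
    "2024-01-11T03:14:07Z fw1 src=198.51.100.23 dst=10.20.1.5 dport=20256 proto=tcp action=allow",
    "2024-01-11T03:14:09Z fw1 src=10.20.0.44 dst=10.20.1.5 dport=20256 proto=tcp action=allow",
    "2024-01-11T03:15:30Z fw1 src=198.51.100.23 dst=10.20.1.7 dport=5900 proto=tcp action=allow",
    "2024-01-11T03:16:02Z fw1 src=203.0.113.10 dst=10.20.1.7 dport=5900 proto=tcp action=allow",
    "2024-01-11T03:17:45Z fw1 src=198.51.100.77 dst=10.20.1.5 dport=502 proto=tcp action=deny",
    "2024-01-11T03:18:01Z fw1 src=198.51.100.77 dst=10.20.1.9 dport=443 proto=tcp action=allow",
    "2024-01-11T03:18:02Z fw1 malformed record",
]


def parse_line(line):
    """Return a dict of fields for a well-formed record, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(addr):
    """True if addr falls inside any allowlisted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SOURCES)


def find_ot_exposures(lines):
    """Flag OT-port traffic from non-allowlisted sources.

    An allowed connection is an 'exposed' finding (the interface is reachable
    from the internet); a denied one is a 'probe' (reconnaissance against it).
    Non-OT ports and malformed records are ignored.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in OT_PORTS:
            continue
        if is_allowed_source(rec["src"]):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": rec["dport"],
            "protocol": OT_PORTS[rec["dport"]],
            "severity": "exposed" if rec["action"] == "allow" else "probe",
        })
    return findings


def summarize(findings):
    """Count findings by (severity, protocol) for a quick triage view."""
    return Counter((f["severity"], f["protocol"]) for f in findings)


if __name__ == "__main__":
    results = find_ot_exposures(SAMPLE_LOGS)
    for f in results:
        print(f"{f['ts']} {f['severity']:8} {f['protocol']:16} {f['src']} -> {f['dst']}:{f['dport']}")
    print(dict(summarize(results)))
```

Running this over the constructed sample yields two “exposed” findings (PCOM and VNC reached from an external address) and one blocked Modbus probe; the same PCOM port reached from the internal range and the VNC session from the integrator’s VPN address are not flagged. Any “exposed” result means the device should be moved behind a VPN or jump host and, for Unitronics PLCs in particular, checked for the vendor default password, since a reachable interface with an unchanged default is exactly the condition the Aliquippa attackers relied on.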
The Russian campaign also presents a significant proliferation risk for new cyberattack concepts and methods. As researchers note, continued development and in-the-wild use of the group’s information technology (IT) and operational technology (OT) attack capabilities have likely lowered the barrier to entry for other state and non-state actors seeking to replicate them and develop their own cyberattack programs.
The U.S. military highlights the pivotal role of non-kinetic effects, and of defense against them, in future conflicts. The potential for massive cyberattacks by advanced state actors like Russia, China, or Iran looms large, threatening to disrupt critical infrastructure and the internet-powered amenities that underpin modern life. U.S. documents emphasize that cyber warfare extends far beyond networks and cybersecurity issues, yet neither governments nor businesses are adequately prepared to confront this emerging threat.