The U.S. Environmental Protection Agency (EPA) has launched one of the first federal programs to directly help water utilities defend against cyber threats, unveiling a US$9.5 million grant initiative for public drinking water systems during an August 19 webinar. But the Foundation for Defense of Democracies (FDD) warns that restrictive eligibility rules and limited outreach risk leaving many utilities, particularly smaller and under-resourced ones, without access to the funds. With cyberattacks on water infrastructure escalating, FDD cautions that narrowing support could leave some of the nation’s most vulnerable communities exposed to digital threats.
“America’s water utilities are under attack from Russian, Iranian, Chinese, and non-state actors,” Sophie McDowall, FDD’s CCTI Research Associate, and Maria Riofrio, an intern, wrote in a recent FDD post. “In 2024, the nation’s largest water utility, American Water, reported a cyberattack that disrupted operations. In 2023, Iranian hackers compromised the operations of multiple U.S. water utilities, forcing them to switch to manual controls. Russian hackers breached water facilities in Texas in April 2024, causing tanks to overflow, and are continuing to exploit weak defenses in industrial control systems to compromise U.S. critical infrastructure. Meanwhile, Chinese government hackers are probing U.S. water plants, according to the FBI.”
The FDD authors recognize that water is one of America’s most vulnerable critical infrastructure sectors. “Attacks on water utilities could significantly disrupt daily life. A coordinated ransomware attack, for example, could exploit common vulnerabilities across multiple systems at once, cutting off water supply, treatment, and distribution. Beyond immediate service outages, disruptions would have ripple effects across other critical sectors such as agriculture and health care.”
The EPA program takes a first step toward providing midsize and large water systems with the resources they need to secure themselves. The grant will award six public water systems with funds to increase their resilience.
Community water systems serving fewer than 10,000 people, meanwhile, cannot apply for the program. These smaller systems account for 90 percent of national systems and provide water to an estimated 46 million Americans. They are some of the most vulnerable utilities because they have small budgets and often lack in-house cybersecurity expertise.
The terms of the grant also do not guarantee that any projects will actually focus on fixing cyber vulnerabilities. While utilities can use the funds to develop cyber-incident response plans and purchase new cybersecurity tools, they can also use the money to physically harden systems against extreme weather or other natural hazards. Cyber progress, therefore, depends on the utilities applying with cybersecurity plans, and the EPA selecting those cyber-specific plans as grant recipients over other applicants.
In comparison, the State of New York’s new $2.5 million grant program will support cyber upgrades for utilities serving populations between 3,300 and 50,000. While EPA’s $9.5 million program is nearly four times as large as New York’s, the lack of cyber requirements, small number of projects, and limited eligibility scope could restrict its positive impact on increasing national infrastructure resiliency.
As FDD’s Center on Cyber and Technology Innovation senior director, Mark Montgomery, has noted, water utilities ‘operate with limited budgets and even more so, a limited number of cybersecurity personnel and expertise.’ A November 2024 report from the EPA’s Office of Inspector General found that nearly 100 drinking water systems serving 26.6 million people had critical or high-risk cybersecurity vulnerabilities. These included open internet portals, default passwords, and unpatched systems, making utilities easy targets for both cyber criminals and nation-states.
“The new funding opportunity is only a drop in the bucket of what is needed. To adequately tackle the widespread cyber challenges in the sector, EPA should establish a grant program focused exclusively on cybersecurity that can support a larger number of utilities,” according to the FDD authors. “But grants alone will not be enough. Washington should also prioritize support for smaller community water systems, which represent the majority of U.S. utilities and face the steepest resource gaps.”
Kevin Morley of the American Water Works Association stressed that small and rural utilities need ‘boots on the ground’ cybersecurity support, a gap a bipartisan group of lawmakers hopes to fill with a proposed cyber circuit rider program. Without dedicated expertise and funding, he warned, the nation’s water systems will remain dangerously exposed to attack.
Earlier this month, the EPA and WaterISAC recognized that UASs (unmanned aerial systems), or drones, can pose significant threats to critical infrastructure, due to their accessibility, versatility, and potential for misuse. These threats can range from unauthorized surveillance, physical attacks, and even cyber attacks. Drones have revolutionized the critical infrastructure sector by enabling efficient and cost-effective inspections, reducing the need for manual labor and minimizing safety risks associated with hazardous environments, while providing real-time data and high-resolution imagery, allowing for more accurate monitoring and maintenance of infrastructure assets, leading to improved operational efficiency and reduced downtime.
