UPDATING

A new Government Accountability Office report is warning that America’s water infrastructure is becoming increasingly vulnerable to cyberattacks as aging treatment systems connect to internet-enabled technology faster than many utilities are able to secure them.

The report said hackers linked to foreign governments and criminal organizations are capable of targeting operational systems that control pumps, valves, chemical treatments and water distribution at drinking water and wastewater facilities across the United States. 

The GAO warned that the convergence of once-isolated industrial systems with modern internet-connected networks had “increased the ability of online attackers to reach critical operational systems.”

“Threat actors, such as state-sponsored hackers or criminal groups, are increasingly capable of carrying out cyberattacks on water and wastewater systems,” the report stated.

GAO said in the report that a successful cyberattack “could lead to service disruptions that harm public health or the environment,” while also creating ripple effects for hospitals, energy plants and other critical sectors that rely on water systems to operate.

The report highlighted a growing list of cybersecurity incidents. For example, in late 2023, an Iran-affiliated hacking group breached a Pennsylvania water system, forcing workers to temporarily stop pumping operations and manually operate parts of the facility. 

Federal agencies later issued a 2026 advisory warning that Iran-linked groups were targeting technologies commonly used in American water systems. 

Ransomware attacks also struck utilities in California, New Jersey and Nevada, disrupting computer systems and forcing some operations to temporarily run manually.

GAO said many utilities remained poorly equipped to defend against increasingly sophisticated cyber threats because of outdated infrastructure, staffing shortages and limited budgets. 

According to the report, many systems were “designed before today’s heightened cyber risk environment,” while aging operational technology systems were “often incompatible with modern IT security protocols.” 

The agency also warned that some facilities still lack basic cybersecurity standards. 

“A lack of basic cyber hygiene — actions to improve online security such as changing default passwords and keeping operating systems up to date — was a significant challenge,” the report stated.

The agency said the Environmental Protection Agency has taken some steps to improve oversight after a previous GAO review found significant shortcomings in federal water-sector cybersecurity planning. 

EPA completed a sector-wide cybersecurity risk assessment and developed a risk management plan earlier this year. 

Despite this, GAO cautioned that many cybersecurity efforts remained voluntary and cautioned that proposed reductions to programs at the Cybersecurity and Infrastructure Security Agency could weaken federal support for utilities seeking assistance.

The report also said EPA identified gaps in its legal authority to require cybersecurity assessments for certain wastewater systems and smaller drinking water utilities, raising concerns about uneven protection standards across the country’s nearly 170,000 water and wastewater systems.

GAO concluded that “for a sector as large and decentralized as the water sector, a risk-informed strategy is essential” as cyber threats against critical infrastructure continued to evolve.