U.S. Water Utilities Face New Cybersecurity Funding and Regulatory Push
U.S. policymakers are advancing new cybersecurity measures for the water and wastewater sector, with separate federal and state initiatives aimed at improving defenses for under-resourced utilities. A bipartisan federal proposal, the FLOWS Act, would provide the Environmental Protection Agency with $50 million annually to help small and rural water systems modernize cybersecurity capabilities, digital monitoring, and operational technology support without requiring local cost sharing that often blocks access to federal aid.
In New York, state officials finalized what they describe as first-of-its-kind cyber mandates for public water systems and paired them with a $2.5 million grant program to support risk assessments and security upgrades. The rules establish enforceable requirements for drinking water and wastewater operators to create formal cybersecurity programs, identify risks, and implement technical safeguards for operational systems, reflecting broader concern that the water sector remains a comparatively weak point in U.S. critical infrastructure security.
Sources
Related Stories
New York Imposes Cybersecurity Requirements on Water and Wastewater Utilities
New York finalized **cybersecurity regulations** for water and wastewater organizations, requiring covered utilities to implement baseline protections and prepare for disruptive cyber incidents. The rules include **incident reporting**, **incident response and recovery planning**, mandatory cybersecurity training for certified operators, and designation of a cyber lead for larger utilities. Coverage applies to community water systems serving more than 3,300 people, with additional obligations for larger organizations, as state officials cited escalating threats to the sector and the need to act despite stalled federal mandates. The requirements also call for written **vulnerability management** procedures, stronger access controls such as **multi-factor authentication**, bans on default credentials, and segmentation of **operational technology** from IT and external networks; larger facilities must also conduct network monitoring and logging. To support compliance, the state launched a **$2.5 million grant program** and technical assistance effort, with funding available for cybersecurity evaluations and defensive upgrades. The measures were framed as a response to persistent targeting of water infrastructure, including campaigns linked to **China** and **Iran**, and as an effort to improve resilience and continuity of operations during cyberattacks.
3 days agoChinese State-Linked Cyber Intrusions Targeting US Water Utilities
Hackers associated with China have gained unauthorized access to the IT networks of hundreds of small and medium-sized water utilities and other critical infrastructure providers across the United States. These intrusions are believed to be part of a broader strategy to position Chinese actors to sabotage American water and power supplies in the event of a geopolitical conflict, particularly if tensions escalate over Taiwan. U.S. officials have been aware of this threat for over two years, and recent reporting has brought renewed attention to the scale and persistence of these cyber operations. The targeted utilities are often located in rural areas and small towns, which typically lack the cybersecurity resources and expertise of larger metropolitan systems. The operational technology (OT) systems that control water treatment and distribution are especially vulnerable due to their increasing automation and remote accessibility. The risk is compounded by a significant resource gap, as many of these utilities struggle to defend against sophisticated nation-state threats. Efforts to bolster defenses have included the launch of two non-profit initiatives aimed at supporting critical infrastructure operators, but these programs face their own limitations. One of the non-profits has paused its activities to recalibrate its approach, while the other is only able to provide assistance in a limited number of states due to resource constraints. The threat underscores the broader challenge of protecting critical infrastructure in the United States, where many essential services are managed by small organizations with limited budgets. The potential for cyber sabotage of water and power systems raises concerns about the resilience of civilian infrastructure in the face of international conflict. U.S. government agencies have issued warnings and guidance to utilities, but implementation of robust security measures remains inconsistent. The situation highlights the need for increased investment in cybersecurity for critical infrastructure, particularly in rural and underserved areas. The ongoing threat from Chinese-linked hackers demonstrates the strategic importance of water and power utilities as potential targets in modern cyber warfare. The exposure of these vulnerabilities has prompted calls for greater public-private collaboration and federal support. The risk is not limited to water utilities, as other sectors of critical infrastructure may face similar threats from state-sponsored actors. The revelations serve as a wake-up call for the urgent need to address cybersecurity gaps in essential services. The possibility of coordinated attacks on infrastructure during a geopolitical crisis could have far-reaching consequences for national security and public safety. The current state of preparedness among small utilities is insufficient to counter the scale and sophistication of the threat. The situation remains dynamic, with ongoing efforts to assess and mitigate the risks posed by foreign cyber actors.
5 months ago
US Cybersecurity Policy and Preparedness Efforts for Critical Infrastructure and Government Networks
U.S. lawmakers and agencies are advancing multiple efforts to sustain and strengthen cybersecurity capabilities, with some federal authorities at risk of lapsing if Congress fails to avert a government shutdown. Nextgov/FCW reported that the **Cybersecurity Information Sharing Act of 2015**—which provides liability protections to enable private-sector sharing of threat intelligence with the government—and the **National Cybersecurity Protection System** (a federal civilian network intrusion-detection and prevention capability) were both tied to Department of Homeland Security funding legislation and faced imminent expiration absent reauthorization. The same DHS legislative vehicle was also described as key to reauthorizing the **State and Local Cybersecurity Grant Program**, which has provided **$1B** to improve cybersecurity at state and local entities. In parallel, Congress is considering sector-specific measures to improve resilience in energy and utility environments, while the Department of Energy continues operational readiness exercises. Nextgov/FCW highlighted proposed legislation including the **Pipeline Cybersecurity Preparedness Act** (DOE-led programs to improve pipeline/LNG cybersecurity, information sharing, and incident response coordination) and the **Rural and Municipal Utility Cybersecurity Act** (expanding grant and technical assistance for smaller utilities, with **$250M** proposed for FY2026–2030 and protections for sensitive shared cyber information). Separately, Industrial Cyber reported on DOE’s annual **Liberty Eclipse** exercise on Plum Island, which uses an isolated grid environment to train utilities and partners to detect, respond to, and recover from simulated attacks including **ransomware** and stealthy compromise scenarios spanning IT/OT and real-time operations teams.
1 months ago