Reports R48556
Cybersecurity of the Municipal Water Sector: Background and Issues for Congress
Published June 3, 2025 · Brian E. Humphreys, Elena H. Humphreys
Summary
Cyberattacks pose a threat to the more than 324 million individuals in the United States who regularly receive water from water systems. These cyberattacks include incidents where an adversary manipulates a system’s operational technology, which could result in the disruption of potable water supplies or in damage to physical infrastructure. Local drinking water systems are considered a type of critical infrastructure (CI), and such systems have been included in broader federal efforts to improve CI cybersecurity. Wastewater systems are grouped with water systems as a type of CI. Water and wastewater systems are a potentially attractive target for cyberattacks, as such systems provide “lifeline” services but may lack resources or technical capacity to adopt stringent cybersecurity practices. Since at least 2002, Congress and the executive branch have taken steps to improve the U.S. municipal water sector’s resilience to malicious acts, such as cyberattacks. Congressional attention to water system cybersecurity, including deliberations related to the efficacy and efficiency of federal efforts, has continued in the 119th Congress.
Federal efforts to address water system cybersecurity generally have involved requirements for larger systems and technical and financial assistance for smaller systems. In 2002, Congress first amended the Safe Drinking Water Act (SDWA; codified at 42 U.S.C. §§300f et seq.) to require community water systems serving more than 3,300 individuals to assess risks that could disrupt the provision of a safe and reliable water supply and prepare plans to address such risks. In 2018, the America’s Water Infrastructure Act (AWIA; P.L. 115-270) revised these provisions to require such systems to conduct risk-and-resilience assessments. These water systems are required to assess their vulnerabilities to natural hazards in addition to malevolent acts. As a part of their assessment, systems are required to evaluate the resilience of their current physical infrastructure, including “electronic, computer, or other automated systems (including the security of such systems)” and their management practices, as well as their financial capacity to respond to these risks. Risk-and-resilience assessments and emergency response plans are voluntary for small water systems. Congress has established several SDWA assistance programs to support the development of systems that supply safe and reliable water, including cybersecurity improvements.
Key federal coordination authorities for CI security and resilience (CISR) policy date to the late 1990s. Some federal coordination authorities are subject to review under Executive Order 14239, announced on March 18, 2025. One of these is National Security Memorandum 22 (NSM-22), “Critical Infrastructure Security and Resilience,” published in 2024. NSM-22 provides specific CISR policy guidance and designates 16 CI sectors, one of which is the “Water and Wastewater Systems” sector, for which the U.S. Environmental Protection Agency (EPA), as the Sector Risk Management Agency (SRMA), is delegated most coordination authorities. NSM-22 reaffirms the 16 CI sectors designated by earlier presidential directives and tasks federal agencies to provide CI risk assessments and plans for risk mitigation on an accelerated timeline. As a SRMA, EPA has undertaken a range of activities to support water systems’ and wastewater systems’ efforts to address cybersecurity threats. EPA’s activities also have included providing technical assistance to water systems and providing cybersecurity assessments. In May 2025, EPA announced a reorganization of the agency’s functions. EPA’s announcement included that the agency will be “elevating issues of cybersecurity” and indicated that some of EPA’s office roles may change.
Reported cyber incidents at water systems have raised questions about the adequacy of existing approaches to address water sector cybersecurity. Efforts to improve water sector cybersecurity generally center on addressing the resilience of individual water systems to such threats and/or addressing federal agency coordination in supporting water system cybersecurity. Several organizations have highlighted factors specific to the water sector that challenge the adoption of practices to mitigate the risk of cyberattacks. Others have questioned EPA’s use of other SDWA authorities to address cybersecurity.
Congressional interest in water sector cybersecurity has continued in recent Congresses, with some Members proposing legislation taking various approaches to reduce cybersecurity risks. The 118th Congress held hearings and introduced legislation regarding water sector cybersecurity. In the 119th Congress, some Members have introduced a range of bills that propose adding programs (e.g., circuit rider programs targeted to rural systems) intended to improve cybersecurity or reauthorizing appropriations for existing technical and financial assistance programs. Other proposals seek to establish a different regulatory framework to address water sector cybersecurity. Approaches to improving water and wastewater system cybersecurity may vary depending on what threat they are addressing. Deliberations regarding these proposals raise a number of considerations for policymakers and stakeholders.