A Government Accountability Office report warns that foreign-linked hackers and criminal groups are increasingly capable of targeting drinking water and wastewater systems that many utilities are not prepared to defend.
By yourNEWS Media Newsroom
Foreign government-linked hackers and criminal organizations pose a growing threat to U.S. drinking water and wastewater systems, according to a new Government Accountability Office report warning that many utilities remain unprepared for cyberattacks on critical infrastructure.
According to Just the News, the watchdog report said water facilities across the country are increasingly exposed as older operational systems are connected to modern, internet-enabled networks. Those systems can control pumps, valves, chemical treatment processes and water distribution functions that communities rely on for safe drinking water and sanitation.
The GAO said the shift from isolated industrial controls to connected digital systems has “increased the ability of online attackers to reach critical operational systems.”
“Threat actors, such as state-sponsored hackers or criminal groups, are increasingly capable of carrying out cyberattacks on water and wastewater systems,” the report stated.
The agency warned that a successful attack could disrupt basic services and create risks extending beyond water utilities. According to the report, a cyberattack “could lead to service disruptions that harm public health or the environment,” while also affecting hospitals, power plants and other sectors that depend on reliable water service.
The report pointed to several recent incidents showing how exposed some systems have become. In late 2023, an Iran-affiliated hacking group breached a water system in Pennsylvania, forcing workers to temporarily halt pumping operations and manually operate parts of the facility.
Federal agencies later issued a 2026 advisory warning that Iran-linked groups were targeting technologies widely used in U.S. water systems.
Ransomware attacks have also affected utilities in California, New Jersey and Nevada, disrupting computer networks and forcing some operations to shift temporarily to manual controls.
The GAO said many facilities face serious obstacles in defending against cyber threats. The report cited aging infrastructure, limited staffing and budget constraints as major challenges, especially for smaller utilities.
Many systems, the report said, were “designed before today’s heightened cyber risk environment.” The GAO also said aging operational technology systems are “often incompatible with modern IT security protocols,” making it difficult for utilities to adopt modern protections.
Basic cybersecurity practices remain inconsistent across the sector, the agency said.
“A lack of basic cyber hygiene — actions to improve online security such as changing default passwords and keeping operating systems up to date — was a significant challenge,” the report stated.
The Environmental Protection Agency has taken steps to strengthen federal oversight since a previous GAO review found significant gaps in water-sector cybersecurity planning. The EPA completed a sector-wide cybersecurity risk assessment and developed a risk management plan earlier this year.
Still, the GAO said many cybersecurity efforts remain voluntary. The report also warned that proposed reductions to programs at the Cybersecurity and Infrastructure Security Agency could reduce federal assistance for utilities seeking help.
The report said the EPA has identified limits in its legal authority to require cybersecurity assessments for some wastewater systems and smaller drinking water utilities. The GAO said that raises concerns about uneven protections across the nation’s nearly 170,000 drinking water and wastewater systems.
The watchdog concluded that stronger planning is needed because of the size and decentralized structure of the sector.
“For a sector as large and decentralized as the water sector, a risk-informed strategy is essential,” the GAO said, warning that cyber threats against critical infrastructure continue to evolve.