The U.S. Senate Environment and Public Works Committee has held a hearing to examine escalating cybersecurity threats facing U.S. drinking water and wastewater systems and to explore ways to strengthen sector-wide resilience amid increasing digitalization.
The hearing, chaired by Shelley Moore Capito (R-W.Va.), brought together cybersecurity experts, utility leaders, and rural water advocates to discuss vulnerabilities across systems of all sizes, from small rural utilities to large metropolitan providers.
The hearing followed a period of limited congressional action on water sector cybersecurity, even as utilities face growing digital risks. The session was designed to give senators an opportunity to hear directly from water sector stakeholders about cybersecurity challenges and to consider policy approaches aimed at strengthening resilience across systems of varying size and capacity.
The session was designed to give senators an opportunity to hear directly from water sector stakeholders about cybersecurity challenges
In her opening statement, Capito emphasized that water infrastructure has become an increasingly attractive target for malicious cyber actors linked to geopolitical adversaries. “Over the last several years, we have seen a broad trend of entities linked to our geopolitical adversaries, such as Iran, China and Russia, using cyberattacks to target our critical water infrastructure,” she said.
Capito noted that there are approximately 170,000 water and wastewater utilities nationwide, many of which face significant challenges related to legacy systems, workforce shortages, and limited cybersecurity expertise. “A one-size-fits-all mandate from the federal government will likely be overly burdensome and unworkable, particularly for our smaller systems,” she said, calling for flexible solutions tailored to system size and capacity.
Sheldon Whitehouse (D-R.I.), the committee’s ranking member, echoed concerns about the sector’s exposure, warning that all utilities are vulnerable regardless of scale. “All water utilities without adequate cyber security are at risk, regardless of size,” Whitehouse said in prepared remarks.
Whitehouse cited reported cyber incidents affecting water systems in several states and emphasized that the true scope of the threat remains unclear due to limited incident reporting. “According to an EPA survey, less than 25 percent of our water and wastewater utilities perform annual cyber risk assessments,” he said. “Clearly, we are not ready.”
Witnesses highlighted the uneven cybersecurity posture across the water sector and stressed the importance of technical assistance, workforce development, and trusted intermediaries
Witnesses highlighted the uneven cybersecurity posture across the water sector and stressed the importance of technical assistance, workforce development, and trusted intermediaries. Dr. D. Scott Simonton of Marshall University’s Institute for Cyber Security described efforts to develop scalable, “plug-and-play” cybersecurity frameworks that can be deployed by small utilities lacking in-house expertise. “They provide that expertise,” Simonton said of dedicated cybersecurity circuit riders. “They basically become consultants to the various utilities [and] provide the expertise that they don’t already have.”
Matt Odermann of the North Dakota Rural Water Systems Association underscored the capacity constraints facing rural systems, noting that small utilities are often responsible for meeting the same regulatory requirements as large cities with far fewer resources. He described the Circuit Rider Program as “single-handedly the most successful, built-up program that I see in our state,” adding that a cybersecurity-focused expansion would likely see significant participation.
Scott Dewhirst of Fairfax Water, testifying on behalf of the Association of Metropolitan Water Agencies, highlighted the growing sophistication of cyber threats and the potential consequences of a major disruption. He warned that a successful attack on operational technology could undermine public confidence and have significant economic impacts, while emphasizing the need for sustained federal investment and information sharing.
In her closing remarks, Capito emphasized that cyber incidents affecting water systems can have lasting consequences beyond immediate service disruptions, particularly in rural communities. She stressed that attacks on smaller systems should not be minimized and called for improved data collection on cyber incidents to better understand how attacks occur, identify trends, and inform future prevention and resilience efforts across the water sector.
Committee leaders from both parties agreed that strengthening cybersecurity for water systems will require continued collaboration between utilities, federal agencies, and sector partners, balancing oversight with practical support to protect public health and maintain reliable service nationwide.
