In Brief:
- Nation-states and cyber criminals alike have targeted water facilities in the U.S. with cyber attacks. The most severe concern is that a malicious actor could try to disrupt water access or make it unsafe by altering chemical balances.
- Last year, New Hampshire began funding a new program to help local water facilities discover their vulnerabilities and boost their cybersecurity.
- The New Hampshire program provides equipment, software and guidance to help water systems take small but impactful steps to improve defenses.
Americans’ access to clean drinking water is at risk from cyber attacks launched by nation-states and criminals alike.
In 2024, then-FBI director Christopher Wray warned that Chinese government-backed hackers were targeting U.S. water utilities’ IT systems, hoping to be able to disrupt operations in the event of an international conflict. That same year, a group reportedly associated with Iran’s Islamic Revolutionary Guard Corps hacked devices in use at several small U.S. water utilities to post anti-Israel messages on employee computer screens. And again that same year, a suspected ransomware attack forced an Arkansas City, Kan.-based water treatment facility to switch to manual operation.
Only 20 percent of the nation’s water and wastewater systems “have even basic levels of cyber protection,” according to a March press release from U.S. Sen. Catherine Cortez Masto from Nevada. The water sector is not a consolidated industry, dominated by a handful of large companies; instead, it includes numerous, diverse organizations, many of them small and with limited staff or resources.
So what can states do to help?
New Hampshire is a rural state with many very small water systems, and they often lack IT staff or cyber know-how. Some of these water systems are so small they only serve 50 residents or are run entirely by volunteers who contract out for operational technology and IT services. Often, their cybersecurity is deeply lacking.
The state and its partners discovered just how big the problem is when they started evaluating water systems for cyber vulnerabilities.
“A lot of what we noticed with the water systems here in New Hampshire, regardless of size, was an absence of basic cyber hygiene,” says state Chief Information Security Officer Ken Weeks.
Putting Cybersecurity on Tap
Water operators often use SCADA (supervisory control and data acquisition) systems to control pumps, valves and other equipment and to read information from sensors detailing water pressure, flow and other information. But in many cases, New Hampshire water systems’ SCADA control boxes were directly exposed to the Internet, with little protection — sometimes they used only easily guessable default passwords and no firewalls, Weeks says. That’s a demonstrated risk: In 2024, Iran-linked attackers hacked programmable logic controllers at water facilities in various states, simply by using the devices’ default passwords.
Adding to New Hampshire’s troubles was the fact that many operators used their personal devices to remotely connect to the SCADA boxes. That meant that if operators accidentally downloaded malware in the course of their personal browsing, that malware could transfer to the water system.
For these water systems, “Security only existed through obscurity,” Weeks says. And the team knew that wouldn’t last. Bots are always scanning the Internet looking for vulnerabilities to exploit. “We knew it was a matter of when, not if, one of these systems would get hit.” In fact, evaluating water systems revealed that some already had malware on them, which the state removed.
After discovering these issues, New Hampshire took a multipronged approach to addressing them. The state contracted a company to provide free employee training that explains cyber risks and how to secure SCADA systems and other devices used by water systems.
The state also contracted with a nonprofit, the Overwatch Foundation, to help New Hampshire channel federal cyber grants into protecting public water systems. Overwatch began reaching out to water facilities in 2024, offering an assessment of the facilities’ vulnerabilities to cyber attacks and a package of free cyber services. Those included firewalls that many were missing and designated smartphones or tablets that operators could use instead of accessing equipment remotely from personal devices. The nonprofit also helps water systems move to a more secure email system protected by multifactor authentication, adopt more secure password practices and more. It offers up to three years of assistance.
Cyber criminals are opportunistic, so just taking a few key steps can give water facilities enough security that attackers pass them by in favor of an easier target, says Overwatch Foundation Director Alyssa Rosenzweig.
Between January 2024 and October 2025, the organization assessed 40 municipal community water systems for vulnerabilities and provided devices or other supports to 30 systems, she says. Weeks expects cybersecurity assessments of water systems to wrap up by 2028, while work to help fix the uncovered issues will take longer.
The effort has focused first on small, rural and sensitive systems, including a water system used to cool the state’s nuclear reactor, Weeks says. This year, the Overwatch Foundation will work to reach some bigger cities.
But the fate of the effort could depend on the federal government renewing the State and Local Cybersecurity Grant Program (something currently being mulled in Congress) or on finding other funding streams, Weeks says.
Weeks describes the free cybersecurity training and the Overwatch-provided free services as the “carrot” part of the state’s efforts to get water systems better cybersecurity. Sticks are likely coming too, Weeks says, with the state’s Department of Environmental Services considering making basic cybersecurity a requirement for water systems, and lawmakers separately drafting a bill to require the same.
