GAO sounds alarm on cybersecurity gaps across US water networks
Publish Date: 2026-05-28 09:19:00
Source Domain: smartwatermagazine.com
Those risks are no longer theoretical. Ransomware attacks, in which malicious software locks an organisation out of its own computer systems until a ransom is paid, have already hit water and wastewater facilities in California, New Jersey and Nevada, forcing workers to temporarily run systems by hand. In November 2023, an Iran-affiliated hacking group targeted multiple organisations, including a water system in Pennsylvania, where staff had to halt pumping at one station and revert to manual operations. As recently as April 2026, the Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency issued a joint advisory warning that Iran-affiliated groups were continuing to target technologies commonly used in water and wastewater facilities.
Despite the persistence of these threats, the sector faces serious structural obstacles to improving its defences. Many water facilities were built long before today’s threat environment existed, and their ageing operational technology systems are often incompatible with modern security protocols. Upgrading them requires capital investment that smaller and lower-capacity systems cannot easily afford. Workforce shortages compound the problem. So does a straightforward question of priorities: meeting regulatory requirements for safe and clean water competes directly with spending on cybersecurity.
A lack of what the GAO calls “basic cyber hygiene” is widespread. Changing default passwords, keeping operating systems up to date, maintaining clear separation between administrative and operational networks: these fundamental precautions are not consistently in place across the sector, according to staff at the Cybersecurity and Infrastructure Security Agency interviewed by investigators.