In early March 2026, the U.S. Environmental Protection Agency (EPA) warned water and wastewater utilities to increase their cybersecurity readiness following heightened activity by foreign‑aligned cyber actors. The alert noted that Iranian‑affiliated groups have previously compromised internet‑exposed operational technology within U.S. water systems, in some cases forcing utilities to temporarily switch to manual operations. To reduce risk, the EPA urged utilities to limit OT exposure to the public internet, eliminate default passwords, implement multi‑factor authentication for remote access, and promptly report suspicious activity to CISA or the FBI. Additional guidance and technical assistance are available through EPA and federal cybersecurity programs focused on the water sector.
Complementing the alert, a new WaterISAC report details how attackers typically gain access to and disrupt water utilities through weak credentials, phishing campaigns, and unpatched systems, often without sophisticated malware. The report explains how threat actors increasingly blend into normal operations by abusing trusted tools, cloud services, and identity‑based access, enabling larger‑scale disruptive campaigns. It also provides practical, utility‑specific recommendations aligned with WaterISAC’s 12 Fundamentals to help organizations strengthen defenses and improve resilience today, regardless of system size or maturity.