Water utilities urge feds to provide more cybersecurity assistance

Senate Environment and Public Works Committee ranking member Sen. Sheldon Whitehouse, D-R.I., suggested that water and wastewater utilities need insurance to cover their cyber risks.

The federal government needs to invest more money — but not apply more regulations — to help the more than 170,000 water and sewer systems across the country protect against the rising threat of cyber attacks.


That's what water and wastewater experts told the Senate Environment and Public Works Committee Wednesday as the panel convened for a hearing on "Identifying and Addressing Cybersecurity Challenges to Protect America's Water Infrastructure."

Cyber threats pose a growing concern, and credit risk, for issuers across all sectors, including in the water and sewer space.

In 2024, nearly 70% of water utilities were found to be in violation of basic cybersecurity standards such as changing default passwords, according to the Environmental Protection Agency. Committee ranking member Sen. Sheldon Whitehouse, D-R.I., said Rhode Island facilities, including a large wastewater system, have faced at least six attacks in the last few years.

"Since 2023, Russian, Iranian and Chinese actors have attacked municipal water systems in Texas, Pennsylvania and Massachusetts, and have tested the security capabilities of countless other systems," Whitehouse said. "They're always probing."

Whitehouse floated the idea that utilities should be required to get cyber insurance. That's something that many utilities are already doing, said Matt Odermann, past-president of the North Dakota Rural Water Systems, who was testifying on behalf of the National Rural Water Association.

Insurance "is definitely driving some organizations to strengthen their cyber defenses, because if you're a higher risk you pay a higher premium," Odermann said. "As far as dictating that in law or regulation, I don't know how that would play out."

In rural areas, "even modest rate increases can force low-income households to choose between water service and other basic necessities," Odermann said. "Federal cybersecurity efforts should focus on technical assistance, training, and targeted investments that strengthen system capacity over time, while enhancing security without undermining affordability or reliability."

Federal technical assistance is among the top requests from the experts, noted committee Chair Sen. Shelley Moore Capito, R-W.Va.

"You're not expecting the one- and two- and three-person utility to be able to meet this challenge on their own; they need this assistance," Capito said.

Systems already face $1.2 trillion of needed water infrastructure investment over the next two decades, said Scott Dewhirst of Fairfax Water, who represented the Association of Metropolitan Water Agencies at the hearing.

Dewhirst suggested Congress establish a governing body like the North American Electric Reliability Corporation, composed of cyber experts and system operators, to help develop and enforce cybersecurity requirements for systems.

"I think a model like that is worth a conversation to understand how we can make that work for all the different sized systems across the country," Dewhirst said. "It doesn't prescript things, it's more of an outcome-based approach," with larger systems having more responsibilities than smaller ones.

"These threats are evolving, they're changing quickly," he said. A governing body "would allow us to move quickly and not have to wait upon another congressional action to change the law or a standard."

Dewhirst also recommended Congress expand federal grant programs aimed at bolstering water system cybersecurity and renew a pair of EPA grant programs that fund resilience to cyber threats, which are set to expire this year.
