Growing Cyber Risks Push EPA to Modernize Water Sector Security
EPA is expanding cybersecurity guidance and technical support to help water systems defend against increasingly sophisticated cyberattacks.
Increasing cyberattacks on the nation’s critical infrastructure have prompted the Environmental Protection Agency (EPA) to expand cybersecurity resources to better secure water systems.
Cyberattacks on the critical infrastructure sectors have become more frequent and severe over the past few years, and “gaps in basic cybersecurity practices” have enabled bad actors to gain access to operating systems, EPA Office of Water Emergency Response and Cybersecurity Director David Travers told GovCIO Media & Research in a recent interview.
Travers said both information and operational technology networks need to be examined to prevent threat actors from moving laterally within an organization.
“We are seeing an increased focus in accessing and manipulating the operational technology networks. [Bad actors] are seeking a tactical advantage in a geopolitical context to either thwart U.S. engagement abroad or trigger cyberattacks,” Travers said.
Expanding Resources to Strengthen Cyber Resilience
EPA released new planning materials last month to bolster water and wastewater systems’ cyber response. The updated resources provide guidance by adding new incident response templates, revised vendor security evaluation criteria and updated best practices. The initiative is part of the EPA’s broader strategy, released at the beginning of President Donald Trump’s second administration, to modernize critical infrastructure and strengthen system resilience.
To further bolster critical infrastructure resilience, the EPA’s 2026 budget request included $10 million for a new competitive water sector cybersecurity grant program that will improve water and wastewater systems’ ability to “proactively mitigate” cyberattacks.
The agency is also proactively scanning equipment at water systems for vulnerabilities that could be exploited by bad actors. An EPA spokesperson told GovCIO Media & Research that the agency has “eliminated over 400 potential vulnerabilities” by notifying utilities and providing clear guidance on mitigating risks.
“We’re looking at these vulnerabilities within water systems and providing a mitigation plan to eliminate them,” said Travers. “Our response has evolved to focus on providing direct technical assistance to water utilities.”
Developing Partnerships to Democratize Resources
Smaller water systems may lack the technical resources to design and implement cybersecurity programs and often require assistance to protect utilities, Travers explained. He added that partnerships with industry and other federal agencies provide additional resources for smaller systems to increase cybersecurity efforts.
The EPA incorporated the Cybersecurity and Infrastructure Security Agency’s Secure by Design pledge into its cybersecurity procurement evaluation checklist, which now includes specific criteria for integrators and managed service providers that oversee and deliver IT services and products.
“Given that many water and wastewater systems rely on vendors and consultants for their IT/OT environments, this evaluation process empowers them to make risk-informed decisions regarding supplier cybersecurity practices,” an EPA spokesperson said in a statement to GovCIO Media & Research.