New report finds water and waste utilities most exposed to email security threats

A new cybersecurity analysis from Red Sift warns that the U.S. water and waste sector faces the highest level of email security risk among critical infrastructure industries, with more than half of companies lacking adequate protection against phishing and spoofing attacks.

The report reviewed 840 U.S. organizations across the water/waste, chemical, and energy sectors and found that 42% do not have strong email authentication in place. But water and waste utilities performed worst:

• 52% of water and waste companies remain unprotected

• Only 23% have fully enforced DMARC policies

• 20% have no DMARC policy at all

• 32% are still in monitoring mode

Notable entities reviewed include American Water and the Boston Water and Sewer Commission.

By comparison, 35.7% of chemical companies and 44.5% of energy companies have adopted full enforcement of DMARC, a key protocol used to block domain spoofing.

Red Sift’s findings come amid increasing regulatory scrutiny from CISA, the NIS2 Directive, and sector-specific cybersecurity compliance requirements. As cyber threats escalate—from criminal groups to nation-state actors—the report warns that email vulnerabilities could disrupt essential services, compromise supply chains, and erode public trust.

The chemical sector’s exposure is especially concerning given its reliance on hazardous materials and complex supply chains, while the energy sector continues to be a prime target for sophisticated cyberattacks.

Red Sift emphasizes that for critical infrastructure providers, DMARC is no longer just a brand-protection measure but “the cornerstone of operational security” needed to safeguard essential services nationwide.