Whitehouse cited Russia, China, Iran and North Korea as countries linked to increasingly aggressive cyber activity targeting U.S. infrastructure, including drinking water and wastewater utilities. He noted that nearly 170,000 water systems operate nationwide and that many are adopting more digital and automated technologies that improve efficiency but also increase exposure to cyber risk.
“According to GAO, many of these facilities have already faced digital breaches, but without more incident reports, it is impossible to know the full scale of the threat we face,” Whitehouse said in a press release.
The senator pointed to documented cyber incidents since 2023 involving small municipal water systems in Texas, Pennsylvania, and Massachusetts, as well as multiple attacks on Rhode Island municipal facilities over the past six years that resulted in “hundreds of thousands of dollars in losses.” While none of the known incidents caused major service disruptions, Whitehouse warned that a successful attack disabling even a single water facility could have far-reaching consequences.
Whitehouse also highlighted an EPA survey showing that fewer than 25% of water and wastewater utilities conduct annual cyber risk assessments, calling the statistic evidence that the sector is unprepared for coordinated attacks.
He argued that utilities often delay cybersecurity investments in order to maintain service levels and manage costs, but stressed that physical infrastructure upgrades and cyber protections must advance together. “This is not an either or,” Whitehouse said.
Looking ahead, Whitehouse acknowledged that the Infrastructure Investment and Jobs Act provided more than $50 billion for water infrastructure, including expanded eligibility for cybersecurity projects, but said additional action is needed. He concluded by calling for expanded EPA authority and greater federal support to modernize both the physical and digital systems that underpin safe and reliable water service.
