
Cyberattacks on public infrastructure are no longer hypothetical. From ransomware disabling city services to foreign actors probing utility networks, the risks are real and rising. Among the most vulnerable targets are our public water systems. Often underfunded, technologically fragmented, and encumbered by legacy systems, water utilities are easy pickings for determined attackers.
In recent years, a slew of incidents has highlighted these vulnerabilities. In October 2024, American Water experienced a cyberattack that took its MyWater account system offline for a week, temporarily preventing customers from accessing their accounts and making bill payments. A month before, the Arkansas City Water Treatment Facility fell victim to a cybersecurity incident that forced it to switch to manual operations for a while.
In December 2023, in County Mayo, Ireland, a private group water scheme suffered a similar fate when an internet-connected controller used to maintain water pressure within the water system was accessed and taken offline by bad actors. And who could forget the time an attacker infiltrated the water system of a Florida city and attempted to raise the concentration of sodium hydroxide (commonly called lye) in the water treatment system to a hazardous level?
These are just the tip of the iceberg. In the last five years, there have been hundreds of attacks against water infrastructure.
Introducing the Water Cybersecurity Enhancement Act of 2025
Understanding the urgency, Senators Ruben Gallego and Tom Cotton introduced the Water Cybersecurity Enhancement Act of 2025, a bipartisan effort to arm water utilities with the training and tools needed to defend against and respond to cyber threats.
The Act seeks to boost the cyber resilience of community water systems by amending the Safe Drinking Water Act. It also aims to grow the Drinking Water Infrastructure Risk and Resilience Program, offering help and federal grants for cybersecurity training and developing resources.
This legislative move also addresses the growing concerns around water infrastructure security, particularly for systems that serve 3,300 or more residents. These systems are already federally required to consider cybersecurity in their threat assessments and emergency response plans.
Senator Gallego said that adversaries understand the importance of secure access to water and are trying to undermine water security. "It is critical that we ensure our public water systems have the resources they need to prevent and respond to cyberattacks. That's exactly what this bipartisan, commonsense bill does."
"Cyberattacks on public infrastructure are a growing threat, and our water systems are no exception. This bipartisan bill will strengthen our ability to protect essential services and support local water utilities in building stronger cyber defenses," added Senator Cotton.
Key Provisions and Funding Mechanisms
The bill proposes several key updates:
- Extension of Grant Funding: The Act revises Section 1433(g) of the Safe Drinking Water Act to extend the window for federal grants from 2026 through 2031, a five-year span to sustain support.
- Expanded Eligibility of Funds: Utilities can now use grant funds to cover cybersecurity training courses, buy instruction books and materials, and improve their prevention and response capabilities.
- Focus on Practical Security Measures: By calling on local water plants to proactively assess and respond to cyber threats, the bill aligns with risk-based approaches long advocated by security experts.
This funding is critical for small and medium-sized utilities, which often lack the dedicated IT and security resources to withstand sophisticated cyberattacks.
The Implications for Community Water Systems
The direct beneficiaries of the Water Cybersecurity Enhancement Act will be community water systems, especially those serving populations of 3,300 or more, which are already obligated under federal law to complete risk assessments. However, perhaps the change most worth mentioning is how the bill democratizes access to cybersecurity resources.
Smaller, more rural networks have limited funds and outdated infrastructure. Without dedicated cybersecurity personnel or sufficient IT budgets, these networks are disproportionately vulnerable. The grants in this bill can act as a bridge, funding staff training, technical support, and more robust incident response planning.
Also, the law promotes a shift in mindset. Rather than reacting to a failure after it happens, water utilities are incentivized to think resilience-first, based on continuous risk assessment and proactive mitigation.
The Role of Cybersecurity Training and Resources
While technology plays a vital role in defending against cyber threats, training and awareness will always be the foundation of any robust cybersecurity strategy. That's why this bill emphasizes funding "training programs relating to protecting public water systems from and responding to cyberattacks, and for other purposes."
In terms of other resources, the American Water Works Association (AWWA) has long provided utilities with cybersecurity planning resources, including a Cybersecurity Risk Management Guidance framework and an Assessment Tool that generates customized security recommendations based on each utility's technology profile.
When paired with federal funding, these tools are particularly valuable, enabling widespread adoption. The Act encourages utilities to integrate such resources into day-to-day operations.
Arming staff members with the correct information and equipment reduces mistakes, detects anomalies earlier, and improves incident response. From preventing phishing to SCADA system hardening, training transforms vulnerabilities into dynamic defense lines.
Strengthening National Resilience through Legislation
The Water Cybersecurity Enhancement Act of 2025 is a milestone in the United States' thinking about the cybersecurity of its water infrastructure. By investing in education, technical assistance, and long-term planning, it directly meets threats to one of our most critical public utilities.
As threats grow more intelligent and complex, the country's response must become more agile, inclusive, and cooperative. Cybersecurity is not just an IT issue; it's a public safety issue.
With a flood of new cyber threats, being prepared is key, and this Act brings much-needed strength to the front lines of the US water infrastructure. But there is still work to be done.
Robust cybersecurity solutions can also help protect critical infrastructure. These include:
Data Security
Robust data security practices help protect sensitive information at every stage of its lifecycle. This includes tools and strategies for:
- Data protection that controls access and usage, such as data loss prevention, classification, and digital rights management.
- Digital risk protection that covers brand protection, social media monitoring, account takeover prevention, and early detection of data leaks.
- Email security & anti-phishing to defend these organizations against email compromise and phishing threats, securing communications and brand reputation.
- Secure file transfer to facilitate safe and efficient sharing and collaboration within and between organizations.
Infrastructure Protection
Securing underlying systems is equally vital. Infrastructure protection solutions help entities find, assess, and respond to vulnerabilities before malefactors can exploit them. This includes:
- Vulnerability management, including scanning, application security testing, integrity monitoring, and threat detection.
- Offensive security, such as penetration testing, red teaming, and security assessments, to identify weaknesses and strengthen defenses.
Together, these capabilities help critical infrastructure entities build resilient security strategies that can adapt to risk, support compliance, and protect these vital systems.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.