Our drinking water systems are more connected than ever, and more exposed to risks
Publish Date: 2026-06-10 15:46:00
Source Domain: federalnewsnetwork.com
Terry Gerton When people think about cybersecurity threats, we know water systems are not the first thing that comes to mind, but your new report for GAO suggests that they really should be. What’s changed in the time that you’ve been watching this issue that really makes it so urgent now?
Dave Hinchman You know, I think that’s a really fascinating question. When we think about water, it’s something we take for granted, but the water sector is one part of the national infrastructure of resources. This is electricity transportation. And since 2003, GAO has reported on the cybersecurity threat to that infrastructure. Of those areas, water is certainly one of them, but in the last couple of years, the water sector’s become increasingly reliant on connected technology. They have remote valves or remote pipes that control these massive sprawling infrastructure networks. And all of those points of access, of electronic access, are potential vulnerabilities to a bad actor.
Terry Gerton The water systems that we are talking about, safe water and water treatment, drinking water and water-treatment systems, are not managed by the federal government. They’re managed by localities, counties, all kinds of different constituencies out there. How much does that complicate this issue?
Dave Hinchman That’s probably the single biggest complexity to this. To your point, there are 170,000 owner-operators of water and water treatment facilities around the country. And all of them, as you point out, it’s a mix of private operators, some municipal ones, and of all those things, none of them are required to do things, most things that the federal government says. We have a very sort of, I guess, cooperative relationship with the Environmental Protection Agency, which is the lead agency for the water sector. And so they do have some legislative authority to require people to do things, but for the most part they really try to convince these owner operators that there are things they need to do. And because they can’t make them do it, sometimes those things don’t happen. And that’s part of the challenge.
Terry Gerton Now we’ve set up a description of a system that’s really complicated, has lots of players and it has very little in terms of guardrails or enforcement mechanism. Let’s come back to that cyber threat. What really does a cyber threat look like when you’re thinking about a water treatment facility?
Dave Hinchman So to me, a cybersecurity threat is a bad actor, whether it’s a criminal who wants to exploit ransomware and try to blackmail an owner or operator for money or a nation state who’s really trying to wreak havoc on our infrastructure. But it’s some bad actor coming in and impacting the ability to deliver safe, clean water to the tap in my house. They can do this by accessing control valves, by accessing treatment tanks, by accessing storage tanks and any failure in that point where we’re stopping the provision of this water. That’s what worries us. It’s such a simple thing as we mentioned. It is something we take for granted, but it’s something that’s very vulnerable and very easy to stop to a dedicated person with ill intent.
Terry Gerton And GAO has been flagging these sorts of vulnerabilities, as you’ve said up front for a long time. We’ve talked about the complexity of this system. What does it take to begin to close some of these vulnerabilities?
Dave Hinchman The first thing is you need to understand the threat. One of the things when we did our report, we recommended that EPA conduct a risk assessment of the sector, which they did, which we thought was great. We recommended that they put in place a risk-informed cybersecurity strategy, which we think was also great. But I think one of the challenges is that we still don’t really understand the federal government’s role that they’re going to play in nationwide cybersecurity. The new administration came out with a cyber security strategy this spring, fantastic. No one really knows what the implementation of that strategy looks like from the administration’s perspective. We’re all still waiting on that guidance. But I think there’s also the challenge that the current administration has said that they’re going to take a step back and really ask states and local municipalities to take a much greater role in the security of the nation’s infrastructure. And I think that’s something that no one really knows how to do. It’s not the historic government role. And so there’s still a lot of sorting out that needs to happen. But that’s to get back to your original question, if that’s how we approach this, we need to understand the roles and expectations. But then we also need to figure out the resources and the workforce and the strategy about how we’re going to go about making these water systems safer.
Terry Gerton Dave Hinchman is a director in the information technology and cybersecurity team at GAO. Mr. Hinchman, let’s talk about resources because fixing these cybersecurity gaps isn’t free, but these water treatment plants are funded through tax revenue. So how do states, localities get their heads around how much they wanna charge for water, which is really a, certainly a public good, maybe even an individual right to have clean drinking water. So you have to make it affordable and yet you have to fund these improvements. How do localities and providers think about that balance?
Dave Hinchman I don’t know that anyone has a good answer for that, but I think I’ll take that actually a step higher. Most of the nation’s water infrastructure is incredibly dated. Lots of equipment is getting to end of life. That older equipment is increasingly complicated to meet with advanced cybersecurity protection. So there’s an issue also of how do we upgrade the infrastructure, which again also is GAO has reported for decades as something that impacts our bridges, our roadways, our rail lines. It’s something that’s really something that spreads across the country into every aspect of life. But for the water sector, there is an issue of how do we upgrade the equipment and how do you manage that part with finding better cybersecurity protections that we can attach to those systems so that we get to the end game, which is safe, secure drinking water and water treatment processes.
Terry Gerton You also talked about workforce. What are the workforce challenges that you’re seeing here?
Dave Hinchman So nationwide, we really struggle to understand what the nation’s cybersecurity workforce looks like and what it needs to be. It’s a huge issue. Cybersecurity is an ever-growing part of our everyday lives and the banking apps we use on our phone. Anything we do. And so to understand what we need, you need to do a needs assessment to figure out where we need staff. And then you have to find those people. And I think one of the things the government also struggles with is making sure that we have properly qualified people to fill all these positions across the country, both within the federal government and also in the private sector.
Terry Gerton I don’t think a lot of kids are sitting around the dinner table telling their parents they want to grow up and work at the water treatment plant, right?
Dave Hinchman Absolutely. And I think that’s one of the things is the government is trying to figure out how do we get into the educational process early and get people to build these skills so that when they enter the workforce, whether it’s after high school or after college, that they’re ready and willing to take on some of these roles across the nation.
Terry Gerton Let’s go back to the responsibility of EPA then at the center of government to at least try to create a system that incentivizes modernization of the infrastructure and the cybersecurity response. Where are you seeing them move forward and where do you want them to move forward faster?
Dave Hinchman So one of the things that EPA says is they don’t have the authority to go out and tell owner-operators to do things. It’s an interesting discussion. I’m not sure that we completely agree with EPA. We did recommend that they go in and they assess their authorities. And if they found those authorities lacking so that they could compel owner-operators to take certain actions, then they need to work with the administration and Congress to get those authorities. You know, as writ large, that’s a problem that a lot of these — EPA is called the sector risk management agency for the water sector, all of the government sector risk management agencies struggle with that same thing, that compelling owner operators to take actions. And we would encourage a whole of government approach to looking at this issue and making sure that these agencies have the authorities they need to address a threat that grows literally by the day and that we need to stay on top of and ahead of so that we can ensure that our infrastructure is safe and protected.
Terry Gerton This conversation so far has been principally about water and wastewater, and certainly that’s the focus of this report. But you mentioned up at the top of our conversation, the energy infrastructure, all sorts of other critical infrastructures that are like water. They’re distributed. They have lots of different owner-operators. Do you see parallels here in the wastewater that need to be applied across the infrastructure space?
Dave Hinchman Absolutely. This is a common story. One of the things in doing this report, it was great to focus on a sector I didn’t know a lot about and learned a lot about. It certainly has its own nuances and peculiarities. I think chief among them, the 170,000 owner operators that I mentioned, but so many of these other, what I’ll call resource sectors, like you mentioned, really struggle with the same things. How do they compel the owner operators in their sector to do things? How do they get in place or convince the owner-operators that this is something that will be good for you to do? Let’s figure out how to get it in place and how to get you the resources that you need for that.
Terry Gerton Is this something that national legislation could address, that CISA, for example, could have a centralized control over, or are we just doomed to let every locality figure this out on their own?
Dave Hinchman I mean, so legislation is certainly a possibility, and that’s a decision for Congress to make if that’s something they want to tackle. From the CISA question, we’re still struggling to understand what the new CISA is really going to look like. One of the really successful things that CISA has had is local reps who worked with local municipalities to help them navigate some of these challenges. But that’s one of the areas that right now is slated for I think an over 50% budget cut in the latest budget proposal from the administration. And so no one really knows what that’s gonna look like. Obviously, the road to getting the budget passed is a very long one, and we’re not gonna know it later this year, but that’s certainly a cause for concern because we view that as a very successful program that CISA has had.
Terry Gerton If you are one of those 170,000 operators, hope is not a method here. Just hoping that you’re not going to be the one that gets targeted. What can those folks do in the short run to take some preventive action that maybe helps secure the systems?
Dave Hinchman So one thing is what we call basic cyber hygiene. It’s changing passwords. It’s putting two factor authentication. It’s putting together a plan so that when an attack happens, you know what to do. And it’s not some poor tech who’s sitting in the control room at 10:30 on a Friday night when the bad thing happens. And it is putting that plan into place and it’s training your staff to recognize cyber threats so that you’re not falling victim to emails or anything like that. And it’s really basic steps that sound almost laughable in the face of the threat, but which can make a difference to something that’s maybe perhaps a more casual attack on your system rather than something focused and heavy hitting.