{"id":229566,"date":"2026-06-10T15:46:00","date_gmt":"2026-06-10T19:46:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/10\/our-drinking-water-systems-are-more-connected-than-ever-and-more-exposed-to-risks\/"},"modified":"2026-06-10T15:50:10","modified_gmt":"2026-06-10T19:50:10","slug":"our-drinking-water-systems-are-more-connected-than-ever-and-more-exposed-to-risks","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/10\/our-drinking-water-systems-are-more-connected-than-ever-and-more-exposed-to-risks\/","title":{"rendered":"Our drinking water systems are more connected than ever, and more exposed to risks"},"content":{"rendered":"

Our drinking water systems are more connected than ever, and more exposed to risks<\/a><\/p>\n

https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/our-drinking-water-systems-are-more-connected-than-ever-and-more-exposed-to-risks\/<\/a><\/p>\n

Publish Date: 2026-06-10 15:46:00<\/a><\/p>\n

Source Domain: federalnewsnetwork.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. Terry Gerton When people think about cybersecurity threats, we know water systems are not the first thing that comes to mind, but your new report for GAO suggests that they really should be. What\u2019s changed in the time that you\u2019ve been watching this issue that really makes it so urgent now?
\nDave Hinchman You know, I think that\u2019s a really fascinating question. When we think about water, it\u2019s something we take for granted, but the water sector is one part of the national infrastructure of resources. This is electricity transportation. And since 2003, GAO has reported on the cybersecurity threat to that infrastructure. Of those areas, water is certainly one of them, but in the last couple of years, the water sector\u2019s become increasingly reliant on connected technology. They have remote valves or remote pipes that control these massive sprawling infrastructure networks. And all of those points of access, of electronic access, are potential vulnerabilities to a bad actor.]]><\/p>\n

Terry Gerton The water systems that we are talking about, safe water and water treatment, drinking water and water-treatment systems, are not managed by the federal government. They\u2019re managed by localities, counties, all kinds of different constituencies out there. How much does that complicate this issue?
\nDave Hinchman That\u2019s probably the single biggest complexity to this. To your point, there are 170,000 owner-operators of water and water treatment facilities around the country. And all of them, as you point out, it\u2019s a mix of private operators, some municipal ones, and of all those things, none of them are required to do things, most things that the federal government says. We have a very sort of, I guess, cooperative relationship with the Environmental Protection Agency, which is the lead agency for the water sector. And so they do have some legislative authority to require people to do things, but for the most part they really try to convince these owner operators that there are things they need to do. And because they can\u2019t make them do it, sometimes those things don\u2019t happen. And that\u2019s part of the challenge.
\nTerry Gerton Now we\u2019ve set up a description of a system that\u2019s really complicated, has lots of players and it has very little in terms of guardrails or enforcement mechanism. Let\u2019s come back to that cyber threat. What really does a cyber threat look like when you\u2019re thinking about a water treatment facility?
\nDave Hinchman So to me, a cybersecurity threat is a bad actor, whether it\u2019s a criminal who wants to exploit ransomware and try to blackmail an owner or operator for money or a nation state who\u2019s really trying to wreak havoc on our infrastructure. But it\u2019s some bad actor coming in and impacting the ability to deliver safe, clean water to the tap in my house. They can do this by accessing control valves, by accessing treatment tanks, by accessing storage tanks and any failure in that point where we\u2019re stopping the provision of this water. That\u2019s what worries us. It\u2019s such a simple thing as we mentioned. It is something we take for granted, but it\u2019s something that\u2019s very vulnerable and very easy to stop to a dedicated person with ill intent.
\nTerry Gerton And GAO has been flagging these sorts of vulnerabilities, as you\u2019ve said up front for a long time. We\u2019ve talked about the complexity of this system. What does it take to begin to close some of these vulnerabilities?
\nDave Hinchman The first thing is you need to understand the threat. One of the things when we did our report, we recommended that EPA conduct a risk assessment of the sector, which they did, which we thought was great. We recommended that they put in place a risk-informed cybersecurity strategy, which we think was also great. But I think one of the challenges is that we still don\u2019t really understand the federal government\u2019s role that they\u2019re going to play in nationwide cybersecurity. The new administration came out with a cyber security strategy this spring, fantastic. No one really knows what the implementation of that strategy looks like from the administration\u2019s perspective. We\u2019re all still waiting on that guidance. But I think there\u2019s also the challenge that the current administration has said that they\u2019re going to take a step back and really ask states and local municipalities to take a much greater role in the security of the nation\u2019s infrastructure. And I think that\u2019s something that no one really knows how to do. It\u2019s not the historic government role. And so there\u2019s still a lot of sorting out that needs to happen. But that\u2019s to get back to your original question, if that\u2019s how we approach this, we need to understand the roles and expectations. But then we also need to figure out the resources and the workforce and the strategy about how we\u2019re going to go about making these water systems safer.
\nTerry Gerton Dave Hinchman is a director in the information technology and cybersecurity team at GAO. Mr. Hinchman, let\u2019s talk about resources because fixing these cybersecurity gaps isn\u2019t free, but these water treatment plants are funded through tax revenue. So how do states, localities get their heads around how much they wanna charge for water, which is really a, certainly a public good, maybe even an individual right to have clean drinking water. So you have to make it affordable and yet you have to fund these improvements. How do localities and providers think about that balance?]]><\/p>\n

Dave Hinchman I don\u2019t know that anyone has a good answer for that, but I think I\u2019ll take that actually a step higher. Most of the nation\u2019s water infrastructure is incredibly dated. Lots of equipment is getting to end of life. That older equipment is increasingly complicated to meet with advanced cybersecurity protection. So there\u2019s an issue also of how do we upgrade the infrastructure, which again also is GAO has reported for decades as something that impacts our bridges, our roadways, our rail lines. It\u2019s something that\u2019s really something that spreads across the country into every aspect of life. But for the water sector, there is an issue of how do we upgrade the equipment and how do you manage that part with finding better cybersecurity protections that we can attach to those systems so that we get to the end game, which is safe, secure drinking water and water treatment processes.
\nTerry Gerton You also talked about workforce. What are the workforce challenges that you\u2019re seeing here?
\nDave Hinchman So nationwide, we really struggle to understand what the nation\u2019s cybersecurity workforce looks like and what it needs to be. It\u2019s a huge issue. Cybersecurity is an ever-growing part of our everyday lives and the banking apps we use on our phone. Anything we do. And so to understand what we need, you need to do a needs assessment to figure out where we need staff. And then you have to find those people. And I think one of the things the government also struggles with is making sure that we have properly qualified people to fill all these positions across the country, both within the federal government and also in the private sector.
\nTerry Gerton I don\u2019t think a lot of kids are sitting around the dinner table telling their parents they want to grow up and work at the water treatment plant, right?
\nDave Hinchman Absolutely. And I think that\u2019s one of the things is the government is trying to figure out how do we get into the educational process early and get people to build these skills so that when they enter the workforce, whether it\u2019s after high school or after college, that they\u2019re ready and willing to take on some of these roles across the nation.
\nTerry Gerton Let\u2019s go back to the responsibility of EPA then at the center of government to at least try to create a system that incentivizes modernization of the infrastructure and the cybersecurity response. Where are you seeing them move forward and where do you want them to move forward faster.
\nDave Hinchman So one of the things that EPA says is they don\u2019t have the authority to go out and tell owner-operators to do things. It\u2019s an interesting discussion. I\u2019m not sure that we completely agree with EPA. We did recommend that they go in and they assess their authorities. And if they found those authorities lacking so that they could compel owner-operators to take certain actions, then they need to work with the administration and Congress to get those authorities. You know, as writ large, that\u2019s a problem that a lot of these \u2014 EPA is called the sector risk management agency for the water sector, all of the government sector risk management agencies struggle with that same thing, that compelling owner operators to take actions. And we would encourage a whole of government approach to looking at this issue and making sure that these agencies have the authorities they need to address a threat that grows literally by the day and that we need to stay on top of and ahead of so that we can ensure that our infrastructure is safe and protected.
\nTerry Gerton This conversation so far has been principally about water and wastewater, and certainly that\u2019s the focus of this report. But you mentioned up at the top of our conversation, the energy infrastructure, all sorts of other critical infrastructures that are like water. They\u2019re distributed. They have lots of different owner-operators. Do you see parallels here in the wastewater that need to be applied across the infrastructure space?
\nDave Hinchman Absolutely. This is a common story. One of the things in doing this report, it was great to focus on a sector I didn\u2019t know a lot about and learned a lot about. It certainly has its own nuances and peculiarities. I think chief among them, the 170,000 owner operators that I mentioned, but so many of these other, what I\u2019ll call resource sectors, like you mentioned, really struggle with the same things. How do they compel the owner operators in their sector to do things? How do the get in place or convince the owner-operators that this is something that will be good for you to do? Let\u2019s figure out how to get it in place and how to get you the resources that you need for that.]]><\/p>\n

Terry Gerton Is this something that national legislation could address, that CISA, for example, could have a centralized control over, or are we just doomed to let every locality figure this out on their own?
\nDave Hinchman I mean, so legislation is certainly a possibility, and that\u2019s a decision for Congress to make if that\u2019s something they want to tackle. From the CISA question, we\u2019re still struggling to understand what the new CISA is really going to look like. One of the really successful things that CISA has had is local reps who worked with local municipalities to help them navigate some of these challenges. But that\u2019s one of the areas that right now is slated for I think an over 50% budget cut in the latest budget proposal from the administration. And so No one really knows what that\u2019s gonna look like. Obviously, the road to getting the budget passed is a very long one, and we\u2019re not gonna know it later this year, but that\u2019s certainly a cause for concern because we view that as a very successful program that CISA has had.
\nTerry Gerton If you are one of those 170,000 operators, hope is not a method here. Just hoping that you\u2019re not going to be the one that gets targeted. What can those folks do in the short run to take some preventive action that maybe helps secure the systems?
\nDave Hinchman So one thing is what we call basic cyber hygiene. It\u2019s changing passwords. It\u2019s putting two factor authentication. It\u2019s putting together a plan so that when an attack happens, you know what to do. And it\u2019s not some poor tech who\u2019s sitting in the control room at 10:30 on a Friday night when the bad thing happens. And it is putting that plan into place and it\u2019s training your staff to recognize cyber threats so that you\u2019re not falling victim to emails or anything like that. And it\u2019s really basic steps that sound almost laughable in the face of the threat, but which can make a difference to something that\u2019s maybe perhaps a more casual attack on your system rather than something focused and heavy hitting.Copyright
\n \u00a9\u00a02026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Our drinking water systems are more connected than ever, and more exposed to risks https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/our-drinking-water-systems-are-more-connected-than-ever-and-more-exposed-to-risks\/…<\/p>\n","protected":false},"author":1,"featured_media":229567,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2023\/03\/Cybersecurity_Water_77940-scaled.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31],"class_list":["post-229566","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229566"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=229566"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229566\/revisions"}],"predecessor-version":[{"id":229568,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229566\/revisions\/229568"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/229567"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=229566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=229566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=229566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}