Cyberattacks on Water Utilities: What It Means for Official Records
Key Takeaways
- 1. EPA and CISA have both flagged increasing cybersecurity threats to drinking water infrastructure.
- 2. A cyberattack does not automatically affect water quality — but it can disrupt monitoring and recordkeeping systems.
- 3. Utilities are required to report significant incidents to EPA and to notify customers under certain conditions.
- 4. Water Utility Report displays official records as submitted — it cannot independently verify real-time operational status.
Over the past several years, federal agencies have documented a growing number of cybersecurity incidents targeting water and wastewater utilities. These incidents raise questions about operational continuity and recordkeeping integrity. Here is what the official record landscape looks like.
What federal agencies have reported
EPA and CISA have issued multiple advisories since 2021 documenting cyberattacks on water sector systems, including intrusions into operational technology (OT) networks that control treatment processes. The America's Water Infrastructure Act (AWIA) of 2018 requires utilities serving more than 3,300 people to conduct risk and resilience assessments and certify emergency response plans.
How incidents affect records
A cyberattack on a utility's business systems (billing, communications) is generally separate from operational technology that controls treatment. However, incidents affecting SCADA systems or monitoring networks can disrupt automated data collection. If monitoring is interrupted, utilities may have gaps in their official sampling records during the incident period.
Water Utility Report displays official monitoring records as submitted to EPA and state agencies. Records reflect what utilities have reported through normal compliance channels — not real-time operational status. If a utility experiences an incident affecting recordkeeping, gaps may appear in historical data.
Reporting requirements
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 established new federal incident reporting requirements. Utilities must notify EPA and CISA of significant cyber incidents. Customer notification obligations depend on whether the incident affected water quality or service delivery.
What this does not mean
- A cyberattack on a utility does not necessarily mean water quality was affected.
- Water Utility Report cannot verify real-time operational status of any utility.
- Official records are compliance data — not a real-time security status dashboard.
What to check next
- Monitor your utility's official communications and local news for incident notifications.
- Check your utility's violation and monitoring records on Water Utility Report for any reporting gaps.
- Review EPA and CISA advisories for sector-wide guidance.
Last updated: 2026-05-01 · Water Utility Report