U.S. Water Systems should Strengthen Cybersecurity in light of Middle East Activity

EPA Office of Water Emergency Response and Cybersecurity sent this bulletin at 03/03/2026 11:38 AM EST

U.S. Water Systems should Strengthen Cybersecurity in light of Middle East Activity

The U.S. Environmental Protection Agency (EPA) is issuing this alert to encourage water system owners and operators across the country to take deliberate and meaningful steps to strengthen cybersecurity in light of activities in the middle east and the potential for U.S. critical infrastructure to be targeted. Iranian government–affiliated and aligned cyber actors have previously demonstrated the ability to exploit internet‑exposed operational technology devices at U.S. water and wastewater systems, in some cases forcing temporary reversion to manual operations and causing operational impacts. EPA urges utilities to adopt a heightened security posture and promptly report suspicious activity to CISA and the FBI.

Mitigations

All drinking water and wastewater systems are strongly encouraged to implement the following mitigations immediately to enhance resilience against low-level cyberattacks:

Reduce Operational Technology Exposure to the Public-Facing Internet

Replace All Default Passwords on Operational Technology Devices with Strong, Unique Passwords

Implement Multifactor Authentication for Remote Access to Operational Technology Devices

Systems that outsource technology support may need to consult with their service providers for assistance with these mitigations.

In addition to these immediate actions, drinking water and wastewater systems are encouraged to adopt the actions outlined in the CISA, EPA, and FBI Top Cyber Actions for Securing Water Systems Fact Sheet to further reduce cyber risk and improve resilience against malicious cyber activity.

Conclusion

If you have questions about any of the information in this alert, including assistance with the mitigation steps, submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector. Organizations are encouraged to report information concerning suspicious or criminal activity to FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System.

Stay connected with the Office of Water Emergency Response & Cybersecurity at EPA

Subscriber Services:
Manage Subscriptions | Unsubscribe All | Help