Senate EPW hearing spotlights cybersecurity gaps in U.S. water systems, witnesses urge targeted help
February 05, 2026 | Environment and Public Works: Senate Committee, Standing Committees - House & Senate, Congressional Hearings Compilation, Legislative, Federal
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
WASHINGTON — Senate Environment and Public Works members on Wednesday heard officials and cybersecurity experts warn that U.S. drinking water and wastewater systems face growing cyber threats while many small and rural utilities lack the staff and funding to defend themselves.
"There are approximately … 170,000 water and wastewater utilities across the country," Chair Capito said in opening remarks, framing the hearing on threats to public health and daily life. Witnesses from Marshall University, the National Rural Water Association and the Association of Metropolitan Water Agencies described a mix of technological vulnerabilities, workforce shortages and limited access to federal resources.
Why it matters: Utilities increasingly rely on SCADA, programmable logic controllers and internet‑connected monitoring, witnesses said, but many small systems fall below regulatory population thresholds and lack dedicated IT or cybersecurity personnel. Dr. Scott Simonton, a Marshall University cybersecurity fellow, testified that operators commonly face exposed remote access interfaces, default or shared PLC credentials and legacy vendor‑managed equipment that cannot be patched. "These issues show up consistently, but not because operators lack commitment, but they lack capacity to deal with some of these issues," Simonton said.
What witnesses recommended: All three witnesses urged expanding practical technical assistance and funding rather than imposing one‑size‑fits‑all mandates.
- Circuit‑rider cyber teams: Simonton and Matt Orteman of the National Rural Water Association recommended a circuit‑rider model—teams or consultants that travel or remotely support multiple small utilities—built on existing state association relationships. "The circuit rider program is single‑handedly the most successful built up program that I see in our state," Orteman said of North Dakota’s model.
- Expand Water ISAC and grant funding: Scott Dewhurst of the Association of Metropolitan Water Agencies emphasized the role of Water ISAC, the sector’s information‑sharing and analysis center, and said it has no dedicated federal grant funding. He and other witnesses urged Congress to appropriate money to known grant programs and to reauthorize the EPA mid‑size and large drinking water infrastructure resilience program, which witnesses said has been authorized at $50 million but not appropriated at that level and is set to expire in FY2026.
- Tailored, outcome‑based standards: Dewhurst proposed a Water Risk and Resiliency Organization (WRRO), modeled on the energy sector’s NERC, to develop adaptable, outcome‑based standards that would set higher expectations for more connected systems while remaining implementable for smaller utilities.
Incidents, reporting and response: Witnesses said ransomware and criminal attacks are more common than destructive, nation‑state operations but that the sector lacks consistent reporting. Orteman estimated attempted probes or phishing reach many systems daily, even if most attempts do not cause service interruptions. Utilities and senators pressed for better incident data and urged operators to have cyber incident response plans. Dewhurst said Water ISAC and contracts with third‑party responders are key tools to coordinate response and share anonymized lessons learned.
Funding and workforce: Senators and witnesses highlighted workforce gaps in rural areas and recommended scalable training—Simonton described "stackable micro‑credentials" for operators—and internships and apprenticeships as recruitment tools. Members also discussed whether cyber insurance might incentivize improvements but cautioned that mandates must be funded to be achievable for small systems.
Legislative context and next steps: Senators referenced pending bills and proposals—the Water Infrastructure Resilience and Sustainability Act to reauthorize EPA grant programs (noted by Sen. Blunt Rochester and Sen. Curtis) and legislative proposals to fund Water ISAC and provide EPA with additional tools (several senators including Sen. Markey discussed his related bill). Committee members may submit written questions for the record; Capito set a deadline for questions and witness written responses, and adjourned the hearing.
The hearing record noted gaps in sector data and repeated calls for Congress to fund technical assistance, expand trusted information‑sharing mechanisms, and design standards that account for the diversity of U.S. water systems.
"There are approximately … 170,000 water and wastewater utilities across the country," Chair Capito said in opening remarks, framing the hearing on threats to public health and daily life. Witnesses from Marshall University, the National Rural Water Association and the Association of Metropolitan Water Agencies described a mix of technological vulnerabilities, workforce shortages and limited access to federal resources.
Why it matters: Utilities increasingly rely on SCADA, programmable logic controllers and internet‑connected monitoring, witnesses said, but many small systems fall below regulatory population thresholds and lack dedicated IT or cybersecurity personnel. Dr. Scott Simonton, a Marshall University cybersecurity fellow, testified that operators commonly face exposed remote access interfaces, default or shared PLC credentials and legacy vendor‑managed equipment that cannot be patched. "These issues show up consistently, but not because operators lack commitment, but they lack capacity to deal with some of these issues," Simonton said.
What witnesses recommended: All three witnesses urged expanding practical technical assistance and funding rather than imposing one‑size‑fits‑all mandates.
- Circuit‑rider cyber teams: Simonton and Matt Orteman of the National Rural Water Association recommended a circuit‑rider model—teams or consultants that travel or remotely support multiple small utilities—built on existing state association relationships. "The circuit rider program is single‑handedly the most successful built up program that I see in our state," Orteman said of North Dakota’s model.
- Expand Water ISAC and grant funding: Scott Dewhurst of the Association of Metropolitan Water Agencies emphasized the role of Water ISAC, the sector’s information‑sharing and analysis center, and said it has no dedicated federal grant funding. He and other witnesses urged Congress to appropriate money to known grant programs and to reauthorize the EPA mid‑size and large drinking water infrastructure resilience program, which witnesses said has been authorized at $50 million but not appropriated at that level and is set to expire in FY2026.
- Tailored, outcome‑based standards: Dewhurst proposed a Water Risk and Resiliency Organization (WRRO), modeled on the energy sector’s NERC, to develop adaptable, outcome‑based standards that would set higher expectations for more connected systems while remaining implementable for smaller utilities.
Incidents, reporting and response: Witnesses said ransomware and criminal attacks are more common than destructive, nation‑state operations but that the sector lacks consistent reporting. Orteman estimated attempted probes or phishing reach many systems daily, even if most attempts do not cause service interruptions. Utilities and senators pressed for better incident data and urged operators to have cyber incident response plans. Dewhurst said Water ISAC and contracts with third‑party responders are key tools to coordinate response and share anonymized lessons learned.
Funding and workforce: Senators and witnesses highlighted workforce gaps in rural areas and recommended scalable training—Simonton described "stackable micro‑credentials" for operators—and internships and apprenticeships as recruitment tools. Members also discussed whether cyber insurance might incentivize improvements but cautioned that mandates must be funded to be achievable for small systems.
Legislative context and next steps: Senators referenced pending bills and proposals—the Water Infrastructure Resilience and Sustainability Act to reauthorize EPA grant programs (noted by Sen. Blunt Rochester and Sen. Curtis) and legislative proposals to fund Water ISAC and provide EPA with additional tools (several senators including Sen. Markey discussed his related bill). Committee members may submit written questions for the record; Capito set a deadline for questions and witness written responses, and adjourned the hearing.
The hearing record noted gaps in sector data and repeated calls for Congress to fund technical assistance, expand trusted information‑sharing mechanisms, and design standards that account for the diversity of U.S. water systems.
View the Full Meeting & All Its Details
This article offers just a summary. Unlock complete video, transcripts, and insights as a Founder Member.
✓
Watch full, unedited meeting videos
✓
Search every word spoken in unlimited transcripts
✓
AI summaries & real-time alerts (all government levels)
✓
Permanent access to expanding government content
30-day money-back guarantee
