Content

/

Blog & Substacks

/

America’s Sewer Systems Are Surprisingly Vulnerable to Cyber Attacks

Blog & Substacks

Artificial Intelligence

Technology & Statecraft

America’s Sewer Systems Are Surprisingly Vulnerable to Cyber Attacks

July 14, 2026
The featured image for a post titled "America’s Sewer Systems Are Surprisingly Vulnerable to Cyber Attacks"

Amid growing awareness of AI’s cybersecurity implications, an unusually vulnerable form of critical infrastructure has flown under the radar: local water and sewer systems.

On the Saturday after Thanksgiving in 2023, a screen at a water utility outside Aliquippa, Pennsylvania bore a message: you have been hacked, down with Israel. The attackers, an Iranian Revolutionary Guard-linked crew calling itself Cyber Av3ngers, did not single out this specific station, which regulated water pressure for two small rural townships, because of some hidden strategic value. Instead, the attackers had scoured the open web for a particular model of small industrial computer—the Israeli-made Unitronics Vision-series—located the ones left exposed on the internet at the manufacturer’s default settings, and logged in with the standard password for units shipped from the factory: 1111. At least 11 American targets surfaced in this scan, which included a brewery, an aquatics center, and water utilities like the one in Aliquippa.

This story captures a strange duality about America’s water utilities. On one hand, they are quite decentralized compared to other kinds of critical infrastructure. American water grew up locally, with pipes, treatment facilities, and financing organized around particular communities. As a result, we have about 170,000 drinking-water and wastewater systems, splintered across municipalities, special districts, tribes, co-ops, and private operators; there is no national or even regional control room. Through no plan or intention, but mere historical contingency, this fragmentation became a source of resilience. To take down a water system, an adversary would have to grind through targets one at a time. All that reconnaissance, intrusion, and manipulation repeated by hand might have a payoff measured in a few thousand inconvenienced residents. Essentially, decentralization was a tax levied on attacker labor, and for decades it made the sector too tedious to be worth attacking at scale.

On the other hand, despite their decentralization, water utilities are quite similar to one another on a technical level. Much of the sector relies on a recurring set of manufacturers and product families to source their operating technology—the computers and software that runs the physical plant equipment. As operators have wired the aging controllers that run their pumps, valves, and chemical feeds into ordinary IT networks, some of those systems have become reachable through the internet or through connected municipal networks. This, when coupled with the system’s technical redundancy, has made water facilities a new, appealing attack surface which adversaries have increasingly exploited, drawing water utilities into the plane of modern warfare.

These features make our water facilities close to an ideal target for AI-enabled cyberattacks. Agents are perfect for tasks where the work is repetitive, the targets are many, and each one covers too small of a population to be worth a human’s time. That is what makes the sector’s near-absence from the debate over AI and critical infrastructure so striking. The conversation gravitates to flashier targets such as the grid, financial infrastructure, gas pipelines, or hospitals, while humble, local wastewater plants draw a fraction of the attention and money. The cruel irony is that the decentralization that once shielded the sector now mostly handicaps it. Agents ease the labor burden it imposes, but what remains is a headless sector of thousands of utilities that must each find and patch their own vulnerabilities, one at a time, against an adversary that no longer has to.

A crash course in sewers

For our purposes, a water utility can be understood as two linked systems. The drinking-water system draws water from a river, reservoir, or well, treats it, stores it, and delivers it to homes and businesses. The wastewater system collects what comes back through sewers, removes contaminants, and releases the treated water into a river or other receiving body.

A lot of this work has been automated. Across treatment plants, storage tanks, wells, sewer networks, and pumping stations, computers continuously monitor conditions and operate physical equipment:

  • Sensors measure water pressure, tank levels, chemical concentrations, and whether equipment is functioning
  • Pumps move drinking water through distribution systems and sewage toward treatment plants
  • Valves control where water or sewage flows
  • Chemical-feed systems add disinfectants and other treatment chemicals
  • Aeration blowers pump oxygen into wastewater so microorganisms can break down sewage
  • Lift stations pump sewage uphill where gravity alone cannot carry it to the treatment plant

At the base of this system are small industrial computers called programmable logic controllers, or PLCs. A PLC receives information from sensors and carries out basic commands such as starting a pump, closing a valve, adding more disinfectant, or triggering an alarm. The Unitronics device compromised in Pennsylvania was one such controller.

Above these controllers sits the SCADA (Supervisory Control and Data Acquisition) system, which gathers information from equipment scattered across the utility and presents it to operators on a single graphical control panel. Although none of this requires the public internet, a town may need to monitor an unmanned pumping station miles away, while an equipment vendor or outside contractor may need to diagnose a malfunction without driving to the site. Utilities therefore connect pieces of the control network through ordinary municipal networks or remote-access software. When those connections are poorly separated or an operator screen is left online, an attacker may be able to reach through the same digital doorway intended for legitimate maintenance.

We can understand the stakes of hardening our sewers by examining what happens when a given part is targeted. If an attacker compromises a utility’s PLCs (as Iran attempted), they may be able to stop pumps, overflow tanks, or alter chemical feeds. In a wastewater system, shutting down lift stations or aeration can cause sewage backups or release insufficiently treated waste into rivers. In a drinking-water system, manipulating pressure, disinfection, or storage can interrupt service and, in more serious cases, threaten water quality. If attackers gain control of SCADA, they can make operators distrust the readings on their screens. Thus, an attack need not make any machinery malfunction; a hack that merely makes a system opaque to its operators would already be deeply disruptive and dangerous.

Why there can’t be a Project Glasswing for sewers

Water utilities are fragmented as institutions, but the technology inside them is drawn from a much smaller and constantly recurring set of suppliers. There is no comprehensive public accounting of vendor market share within American water systems, but the Cybersecurity and Infrastructure Security Agency’s (CISA) vulnerability record gives a sense of the overlap: of 713 industrial-control advisories tagged as affecting the water and wastewater sector between 2010 and July 2026, more than half concerned products from just four companies: Siemens, Rockwell Automation, Schneider Electric, and ABB.1 The same product families recur throughout the advisories.The Unitronics attacks provide a concrete example for this redundancy matters: one model of controller was common enough across otherwise unrelated facilities that Cyber Av3ngers could search for it online and reuse the same default-password attack against multiple American water systems.

At first glance, that shared vendor layer ought to cut the other way and make the sector easier to defend. This is roughly the promise behind efforts like Anthropic’s Project Glasswing, which gave trusted organizations access to Mythos, their powerful cyber-capable model, to search widely used software for hidden vulnerabilities and help develop fixes before adversaries find them. In theory, it seems like you could do the same thing with water: find vulnerabilities in common PLC or SCADA products, notify the manufacturer, and protect every utility using it.

Unfortunately, it is not that simple. A utility’s control system is a site-specific combination of software and equipment frequently implemented or supported by third-party systems integrators. The same controller or SCADA product may therefore sit inside different local configurations, running different software versions and connected to different pumps, sensors, and treatment processes. That means a manufacturer’s discovery of a vulnerability does not translate automatically into thousands of repaired installations. Unlike an update to a phone or web browser, an industrial-control patch must be evaluated against the particular system in which it will operate. NIST warns that patches can interfere with other control software or even introduce new production and safety risks, and recommends testing them offline or with the vendor before deploying them during a planned outage. The utility must therefore identify the affected equipment, obtain the patch, test it, and arrange a safe time to install it. That process can be particularly difficult for a service that is expected to operate continuously. The Government Accountability Office (GAO) found that some water-system operators decline even updates containing vital security fixes because their systems cannot remain offline for extended periods and because an unsuccessful update could interrupt operations.

Nor is there usually a standing cyber team to manage this process. GAO reports that small and medium water systems generally do not employ cybersecurity professionals, instead relying on operators with little cyber expertise or on outside contractors. The EPA’s own checklist flags the absence of an accurate equipment inventory, a named person responsible for cybersecurity, timely patching, control over internet connections, and requirements that vendors disclose vulnerabilities as serious gaps. Compare this with a large bank that can discover a vulnerability and push a coordinated response through one security organization.

Sewer/acc

Let’s start upstream, where the work is easiest and mostly already imagined. Models of the kind Anthropic describes under Project Glasswing could comb the software common to PLCs, SCADA platforms, and remote-access tools for flaws, and manufacturers could turn each finding into a single fix pushed across a product line. This is not unprecedented; CISA already gives water utilities free scanning of their internet-facing systems. So, this discovery layer is worth building, but it is also the part attackers have effectively automated already and it doesn’t matter if no one actually patches the vulnerability.

Then, we have to ensure that this discovery actualizes into action, and here there are already proposals to be considered. H.R. 2594, the Water Risk and Resilience Organization (WRRO) Establishment Act, introduced in April 2025, would have EPA certify a single independent body to write binding cyber requirements for drinking-water and wastewater systems, enforced with penalties reaching $25,000 a day. The model is deliberately borrowed from the electric grid’s reliability regime: industry experts draft the standards, the federal regulator approves them, operators attest to compliance annually, and independent assessments follow every few years. The America’s Water Infrastructure Act (AWIA) of 2018 asks systems serving more than 3,300 people to assess their risks and keep an emergency plan, but it sets no security standard, excludes wastewater entirely, and leaves everyone below the threshold with voluntary advice. The WRRO would fix this problem, but it would not fix the long tail: like AWIA before it, the bill stops at 3,300 people, which means tens of thousands of the smallest systems remain exactly as vulnerable as before.

However, to meet any of these standards, facilities require the requisite personnel. Therefore, the single highest-leverage investment in water-sector cybersecurity is human capital: a corps of people who can assist a plant that has no cyber staff and do the work of inventorying the devices, changing the passwords, patching, and testing it without shutting down the treatment process. There are templates for this kind of program. For example, there is the USDA-funded circuit rider, a roving specialist who solves operational problems no single small town would staff for. There are proposals that would replicate this model and expand the number of systems that receive threat warnings, namely the Cybersecurity for Rural Water Systems Act of 2025 and H.R. 2344. However, both should be funded at a level that matches the size of the problem: not tens of millions of dollars, but hundreds.

Cloacas Tuemur

The Romans had a goddess who lived in the sewer. Her name was Cloacina, and her seat was the Cloaca Maxima, the enormous drain that pulled the entire discharge of the city down into the Tiber. This was a civilization that did not deify anything low. They had no god of the armpit, no god of the dropped coin. But when they looked at the sewer, they decided that something holy lived down there, and they were right. The Romans understood something we have worked very hard to unlearn: that a nation is only ever as free as its plumbing.

But we can’t forget about it, lest we fail to defend it. Just ask the doctors: More than eleven thousand of them, polled by the British Medical Journal, were asked to name the greatest medical advance since 1840, and they did not say antibiotics, or anesthesia, or vaccines, or the discovery of the structure of DNA. They instead said sanitation. There were cities, not long ago, that chose their leaders on the strength of a promised drain. For most of human history, this was the whole of the war, and we won it.

That victory is what now sits exposed. To ensure that AI-enabled cyberattacks cannot reach in and undo something as plain and as sacred as clean water for millions of Americans, we have to do the unglamorous thing: hold every facility to a single standard, the enormous and the tiny alike, and actually pay for the tools and the people it takes to guard water systems of every size. Cloacina had priests. The least we can do is fund the budget.

Explore More Policy Areas

InnovationGovernanceEducation
Show All