The U.S. faces an ongoing threat from Iranian cyberattacks targeting its water infrastructure, U.S. officials and cybersecurity experts warn. The Cybersecurity and Infrastructure Security Agency (CISA) reported on April 7 that a U.S. water facility experienced more than 1,900 hacking attempts in March, with Iran identified as the primary source of these intrusions. Although the attacks were unsuccessful, experts say the assaults underscore the persistent vulnerability of America’s water systems to cyber threats.
Water utilities have become favored targets due to their essential role in everyday life and widespread lack of robust cybersecurity measures. Many facilities operate with limited resources, often relying on personnel who handle IT functions in addition to their primary duties. For example, the Municipal Water Authority of Aliquippa, Pennsylvania, was hacked last year by an Iranian cyber group, though officials were able to quickly contain the breach without disrupting service. Investigations revealed that some systems use default or weak passwords, creating easy points of entry for attackers.
This focus on water infrastructure comes amid broader tensions in the Iran conflict. Iranian officials have accused the U.S. of operations against a desalination plant on Qeshm Island, which they claim disrupted water supplies to 30 villages. In retaliation, Iran launched drone strikes on a Bahraini water facility. Cyberattacks, while less overt than kinetic strikes, carry risks that experts say are just as damaging if successful.
Cybersecurity firm Securin has identified approximately 1,800 vulnerabilities in water and wastewater systems across the United States, with dozens already exploited by state actors such as Iran, Russia, and China. Federal evaluations reveal many utilities fail to meet basic cybersecurity standards, leaving millions of Americans exposed. Some of the most sensitive targets include water systems supporting military bases and data centers, where service disruption could have cascading effects beyond civilian impacts.
Advocates argue that current federal strategies emphasizing infrastructure protection need to be coupled with concrete action and increased investment. Initiatives like DEF CON Franklin, founded by former Biden administration official Jake Braun, rely on volunteer cybersecurity professionals to help water facilities implement basic protections such as changing default passwords and enabling multifactor authentication. These efforts aim to bolster defenses at smaller and under-resourced utilities, especially those critical to regional hospitals and military installations.
However, experts caution that volunteer efforts alone cannot replace the need for sustained federal funding and specialized cybersecurity teams dedicated to safeguarding water infrastructure. With Tehran’s demonstrated intent to continue cyber operations against U.S. utilities, officials stress urgency in addressing these vulnerabilities before future attacks can inflict serious damage.