A sophisticated cyberattack targeting industrial control systems at municipal water treatment facilities across three states has forced emergency shutdowns at 14 plants, disrupting water service for an estimated 2.3 million residents. The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the incident is under active federal investigation and describes it as the most extensive coordinated intrusion against US water infrastructure on record.
What Happened
The attack targeted SCADA (Supervisory Control and Data Acquisition) systems โ the industrial control software that manages treatment processes, chemical dosing, pumping stations, and distribution pressure. By compromising these systems, the attackers were able to trigger automated safety shutdowns at multiple facilities simultaneously. The shutdowns were the correct response by the systems โ better to lose water pressure than to risk contamination โ but the coordinated nature of the attack across multiple utilities in multiple states indicates a level of sophistication and pre-positioning beyond previous water sector incidents.
Affected facilities included plants in the Ohio River valley, the mid-Atlantic, and the upper Southeast. Residents in affected areas were issued boil-water advisories as a precaution, and several municipalities asked residents to conserve water as backup systems worked to restore pressure.
The Known Vulnerability Context
Water sector cybersecurity has been a recognized weak point for years. A 2024 EPA audit found that 70% of water systems inspected had critical cybersecurity deficiencies. Many facilities run legacy SCADA systems that are decades old, were designed before networked connectivity was standard, and have been patched onto internet-connected infrastructure without the security architecture to support it safely. Budget constraints at most municipal utilities have made comprehensive upgrades slow.
This Is Not the First Water Cyberattack
The 2021 Oldsmar, Florida attack โ where an intruder briefly increased sodium hydroxide levels in the water treatment system to potentially dangerous concentrations โ was caught by a vigilant operator. The 2023 attacks on water systems in Pennsylvania and Texas demonstrated that water utilities remained high-value targets. This latest incident is different in scale, scope, and apparent level of coordination, which is what's driving the elevated federal response.
What This Means for Your Water Preparedness
The preparedness lesson is straightforward: municipal water service, like the electrical grid, is critical infrastructure with real vulnerabilities. It can be disrupted by weather events, pipe failures, contamination events, and โ as this incident demonstrates โ deliberate cyberattacks. Planning as though water will always come out of the tap is not sound risk management.
Water Storage Baseline โ Where You Should Be
- Minimum: 1 gallon per person per day ร 14 days (stored in food-grade containers)
- Better: Add a gravity filter (Berkey, Sawyer, or equivalent) for treating backup sources
- Better still: Know your nearest natural water source and have the tools to treat it
- Rotate stored water every 6โ12 months or use commercial sealed containers rated for long shelf life
- Don't forget pets: dogs typically need 1 oz of water per pound of body weight per day
The households that were unaffected by this incident โ beyond some news-driven anxiety โ were the ones with water already stored. Eighteen to thirty-six hours of service disruption is manageable with even a modest reserve. A week-long disruption, which is plausible in a more severe scenario, is only manageable with deliberate preparation.
Sources:
CISA Water and Wastewater Systems Sector โ cisa.gov
EPA Water Resilience โ epa.gov
American Water Works Association Cybersecurity Resources โ awwa.org
๐ง Calculate Your Household Water Needs
Our free Supply Calculator tells you exactly how many gallons your household needs based on size, climate, and duration โ and how close you are right now.
Calculate My Water Supply โ