
Editor's Note: This article is part of an ongoing RANE series on the geopolitical impacts of water stress. The first installment of this series provided a broad overview of how the unequal distribution of freshwater shapes geopolitical patterns. Other installments have examined the impacts of water stress on the global economy, Europe, China, the Sahel region of sub-Saharan Africa, Israel, Central Asia, Chile, the Middle East, the Mekong River region, climate investment, India, and North Africa.
Cyberattacks on water utilities in highly water-stressed areas threaten to disrupt agriculture and industrial processes, exacerbate social unrest and cause civilian casualties, especially in periods of high tension or outright conflict. As the effects of climate change become increasingly palpable, particularly in geographic regions with high water stress, scrutiny of cyber threat actors' potential disruption of water flows is rising. Across the West, including the United States and much of Europe, water systems tend to be more vulnerable than other types of critical infrastructure, largely because they are more likely to be municipally owned or operated by smaller utility companies. As a result, these systems are more likely to rely on local taxes and water rates to make up their budgets, frequently leading to financial constraints. Therefore, many water system operators struggle to adequately update security measures, such as by replacing aging equipment, implementing cybersecurity updates, employing robust cybersecurity teams and updating outdated software. Water systems also largely rely on Supervisory Control and Data Acquisition (SCADA) systems, which are internet-facing, making them more vulnerable to cyberattacks, and their networks are often not segmented, meaning hackers who access one part of a network could potentially reach critical operations.
- A Nov. 13 memo from the U.S. Environmental Protection Agency's Office of Inspector General found that 97 out of 1,062 drinking water systems assessed had "either critical or high-risk cybersecurity vulnerabilities," while 211 additional systems had security vulnerabilities "by having externally visible open portals." Those systems with critical or high-risk vulnerabilities serve 26.2 million people, and those with other levels of vulnerabilities serve 82.7 million people.
- Though individual water utilities in the European Union are responsible for conducting and reporting their own security risk assessments, data from individual member states and third-party cybersecurity analyses reveal that EU water systems face persistent cyberattacks, with many states struggling to address vulnerabilities. On Dec. 3, the EU Agency for Cybersecurity, known as ENISA, released its 2024 Report on the State of Cybersecurity in the Union, which found that water sectors tend to have less developed cyber risk management capabilities and incident detection and response capabilities than other sectors.
Water stress in the United States is currently concentrated in the Southwest and is projected to expand significantly to other parts of the country by 2040. The Southwest region of the United States experiences high or extremely high water stress, with additional pockets of high water stress appearing in other places like Arkansas, Nebraska, Colorado and Wyoming. Water stress in these regions is driven by a variety of factors, including climate change, population growth and outdated water infrastructure, which have all contributed to a misallocation of water resources and lack of investment in infrastructure. Water stress tends to be heightened in densely populated areas like cities, especially in arid climates. Los Angeles is among the top 20 largest cities globally facing water stress, and Arizona, New Mexico, Colorado, Nebraska, California and Idaho are using more water than they receive each year and exhausting groundwater reserves to support farming and industrial use. By 2040, water stress in the United States is expected to worsen and expand to a greater proportion of the country, including the Midwest. Meanwhile, demand for water is also projected to increase due to population growth, urbanization and growth in high-tech sectors like semiconductor manufacturing and artificial intelligence, the latter of which requires large amounts of energy and water to cool data centers.
Russian, Iranian and Chinese state-backed and hacktivist groups have already targeted U.S. water infrastructure, and a more sophisticated future cyberattack could disrupt a range of industries and potentially harm national security and civilian populations. Already, adversarial state actors have taken advantage of vulnerabilities to infiltrate U.S. water systems, often attempting to operate under the guise of hacktivism. In January, the pro-Russian hacktivist group Cyber Army of Russia Reborn, which has been linked to the state-sponsored group Sandworm, carried out a cyberattack against a water system in Muleshoe, Texas, causing a water tank to overflow. The group also unsuccessfully targeted nearby cities Abernathy and Hale Center. All three towns are characterized by their agricultural production — ranging from dairy and beef to cotton — and sit in a part of West Texas outside Lubbock that already faces high water stress. While the hacktivist campaign was fairly unsophisticated, it nonetheless suggests how more advanced state-backed hackers could infiltrate water systems to tamper with water supply levels, leading to potentially more disruptive or even deadly consequences. As water stress in the United States worsens in the coming years, adversaries may aim to compound existing water challenges and harm U.S. entities, particularly by targeting water systems in major agricultural or industrial hubs. In this more extreme scenario, which would be more likely in a period of much higher tension or outright war, cyberattacks on water systems that compound existing water security concerns could more significantly impact agriculture and industrial processes reliant on water, as well as lead to physical harm and compromise national security.
- The November 2024 Environmental Protection Agency memo highlighted a 2023 U.S. Water Alliance report that found even a one-day water service disruption across the United States could "jeopardize $43.5 billion in economic activity." The report also included examples showing that even regional water service disruptions would have significant economic repercussions. In the case of Charlotte Water, which serves 890,000 people across six counties, the report estimates that a water service disruption to its facilities would cost at least $132 million in lost revenue per day. Similarly, in California, a state-wide water service disruption resulting from a cyberattack on the California State Water Project, which serves more than two-thirds of the state's population, could cost at least $61 billion in lost revenue per day.
- Chinese state-backed threat actor Volt Typhoon has infiltrated a wide array of critical infrastructure entities globally, including many in the United States. Among those breached is a water utility in Hawaii, which faces high water stress due to its isolation and limited freshwater resources, which make it highly sensitive to reductions in water availability. While the Volt Typhoon campaign is primarily espionage-focused, a May 2023 Microsoft analysis noted that the group appears to be developing capabilities for disruption. Moreover, in February, the FBI warned that the group is pre-positioning malware in critical infrastructure that could be activated in the event of an escalation, such as a Chinese invasion of Taiwan. As Hawaii is home to numerous U.S. military bases, China could potentially activate malware on Hawaii water utilities to prompt a local crisis and distract from U.S. efforts to aid Taiwan, likely in conjunction with other cyberattacks elsewhere with the same aim. While such an occurrence would have clear implications for a U.S. military response, it could also cause significant challenges for the state's water supplies, potentially resulting in a crisis for a state that is already highly sensitive to changes in water supply.
- In November 2023, the Iranian-affiliated hacker group Cyber Av3ngers carried out a cyberattack against the Municipal Water Authority of Aliquippa, Pennsylvania, gaining control of a pumping device that regulates water pressure for a population of over 7,000 people. The group also targeted water utilities in Ireland, Romania and the Czech Republic, as well as a brewery control system in Pittsburgh, Pennsylvania. While the campaign was intended to disrupt entities using Israeli-made technology, and Pennsylvania is not in an area of particularly high water stress, it underscores Iran's intent and capability to infiltrate water systems, which could in the future lead Iran to try more aggressively to harm the U.S. water supply if Washington and Tehran engage in direct conflict.
- In February 2021, an incident at a water utility in Oldsmar, Florida, increased the level of lye by more than 100 times its normal level, threatening to poison the local population of over 15,000 people before an employee noticed the change and readjusted the levels. For years, the incident was thought to have been a cyberattack, as the operator believed they watched a hacker access systems remotely to tamper with chemical levels. While evidence regarding the incident is still scant, new details suggest it may have been caused by employee error. Regardless, the incident highlights a scenario in which hackers could infiltrate water utilities and gain control of systems to change the chemical makeup of the water supply, potentially poisoning and killing people. If this were to happen on a larger scale, altering chemical levels of water could at least temporarily exacerbate water stress.
As water stress worsens globally, state-backed groups and sophisticated hacktivists may seek to carry out cyberattacks to disrupt other countries' water systems, compounding water security challenges that threaten food security, lead to social unrest and — in extreme cases — sicken civilians. Cyberattacks on water systems are attractive because they enable countries to deal damage more covertly, at a lower cost and with a lower risk of escalation than physical attacks. Already, Iran has targeted Israel with cyberattacks intended to jeopardize the water supply by raising chlorine levels, disrupting industrial processes and threatening to poison citizens, though attacks thus far have not resulted in physical harm. In response, in 2021 Israel reportedly targeted Iran with cyberattacks on its dams controlling water reserves. As the ongoing cyber and increasingly public kinetic war between these two countries continues, they may seek to target more water systems to exacerbate each other's high water stress. India is another country that is projected to face significant water stress in the coming years, which adversaries like Pakistan and China could seek to exploit. Though Pakistan does not possess robust offensive cyber capabilities and has not signaled intent to invest significantly in enhancing capabilities, even less sophisticated tools like ransomware could be used to disrupt water systems, especially as ransomware-as-a-service offerings make such attacks increasingly available and easy to carry out. Meanwhile, Chinese threat actor Volt Typhoon has already infiltrated Indian critical infrastructure (possibly including water utilities), border disputes between India and China in recent years have coincided with cyber intrusions on Indian critical infrastructure, and Chinese threat actors appear to be increasingly willing to adopt more disruptive tactics against Indian organizations. 
Therefore, in an extreme future scenario of a direct confrontation, an increasingly brazen China could target India's water systems, disrupting water supplies and exacerbating existing and projected water stress. This would risk disrupting key industrial processes, manufacturing and agriculture in the country, compounding threats to food security. In Europe, too, several countries are projected to face heightened water stress in the decades to come. Adversaries such as Russia and hacktivist groups like Cyber Army of Russia Reborn, which has already targeted several European water systems, could seek to exploit this growing challenge and incorporate water-focused cyberattacks into Russia's ongoing sabotage campaign.
- In April 2020, Israel's National Cyber Directorate reportedly thwarted a series of coordinated Iranian cyberattacks targeting dozens of the country's water and sewage entities — focusing on control centers for water tanks, pumps and pipeline valves — to raise the chlorine levels in the water to unsafe levels, which could have sickened and potentially killed hundreds of Israeli citizens. While authorities prevented the attacks from succeeding, the incident underscores that adversarial nations could use cyberattacks on water systems to harm local populations, particularly amid periods of extreme tension.
- In Iran, protests have routinely broken out over water scarcity and perceived government failure to address a growing water crisis, at times drawing crowds of thousands. In 2021, protests escalated as Iranian authorities used gunfire and excessive force to disperse crowds, resulting in several injuries and fatalities. Given the already escalatory nature of water in the country, adversaries like Israel could capitalize on the issue during future periods of sharp contention by using cyberattacks to disrupt water systems and exacerbate water scarcity.