Keeping Water Flowing: Cyber Risk, SRMAs, and the Water Sector

Photo Credit: Adobe Stock

This OpEd was originally published in S.C. Media.

January 15, 2026

Author: Valerie Moon, Executive Director, ICIT

I became the Executive Director at the Institute of Critical Infrastructure Technology (ICIT) three months ago, after 26 years of federal service. I spent 22 of those years at the FBI and the last four at the Cybersecurity and Infrastructure Security Agency (CISA).

One of the capstone experiences of my FBI career was serving as the senior detailee to the Cyberspace Solarium Commission (CSC), a congressionally mandated bipartisan body tasked with "develop[ing] a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks."

When I later moved to CISA as Chief Strategy Officer, I had the opportunity to help turn many of the recommendations from the Cyberspace Solarium Commission report into implementation. That work helped shape how I think about protecting the systems we all rely on every day, including something as basic (and as mission-critical) as safe, reliable water.

Why water is a cyber issue

Water is one of the clearest examples of how cyber risk can have real-world consequences. The pumps, sensors, and treatment controls that keep drinking water safe and wastewater moving are increasingly connected to the internet, and many utilities are operating with legacy equipment, constrained budgets, and small teams.

That combination makes the sector both a tempting target and a tough one to defend, which is why clear roles, strong coordination, and practical support matter.

The SRMA framework and shared responsibility

To meet challenges like these, one of the pillars of the CSC's report was to Promote National Resilience. A central recommendation under that pillar was to codify responsibilities and ensure sufficient resources for CISA and sector risk agencies to identify, assess, and manage national and sector-specific risks.

Today, that structure is carried out across CISA's 16 critical infrastructure sectors through Sector Risk Management Agencies (SRMAs), formerly known as Sector-Specific Agencies. SRMAs are the federal partners responsible for risk management and coordination in their sectors, with duties reinforced in National Security Memorandum 22 on Critical Infrastructure Security and Resilience.

Most of the critical infrastructure that makes modern life possible is not owned by the federal government. It is built, operated, and maintained by the private sector or local-government entities.

About 85% of U.S. critical infrastructure is owned by the private sector, which makes the SRMA model essential. Resilience depends on sustained partnerships among SRMAs, owners and operators, and state, local, tribal, and territorial governments.

The water sector's evolving threat landscape

The CSC report included a specific callout for the water sector, and the risks highlighted have only grown since the report's release in March 2020. Water and wastewater utilities increasingly rely on networked operational technology, remote access, and third-party services — and adversaries know it.

In the water sector, the SRMA is the Environmental Protection Agency (EPA), and its role sits at the intersection of public health, safety, and cybersecurity. According to the EPA, there are 148,000 public water systems in the United States. Nearly 90% of these systems serve communities of 10,000 people or fewer.

Increasingly, those systems are facing cyber threats, as described in an EPA enforcement alert, issued in May 2024, warning that nation-state actors including Iran, Russia, and China have sought access to U.S. water systems, potentially positioning themselves for future disruptive or destructive activity.

These warnings are not theoretical. This past fall, "60 Minutes" aired a story on how China infiltrated the water utility of a small town in Massachusetts as part of a broader campaign targeting U.S. critical infrastructure.

Many other rural utilities are doing the best they can with limited staff, aging equipment, and tight budgets, which make it hard to sustain even basic cybersecurity, let alone the layered defenses needed against sophisticated nation-state operators.

Closing the support gap

At the same time, resource constraints across the federal government have reduced some traditional avenues of hands-on cybersecurity support for rural water utilities. Budget pressures facing agencies like CISA and the EPA make it even more important to use the SRMA model the way it was intended: as a coordinating force that can set expectations, share action-ready guidance, and mobilize the broader ecosystem of support.

Who's stepping up

Encouragingly, industry and civil society have stepped into this gap with practical help for the utilities that need it most. For example, the Cyber Readiness Institute, together with the Foundation for the Defense of Democracies, is offering basic cyber security training to water utilities. The approach is straightforward: build baseline understanding and translate it into concrete, repeatable actions.

Another model focuses on hands-on capacity. The University of Chicago's Cyber Policy Initiative has teamed up with DEF CON to create the Franklin project, which matches volunteer cybersecurity experts with water and wastewater utilities that need help. By pairing scarce expertise with vulnerable operators, Franklin is directly addressing one of the most frequently targeted— and least resourced— parts of U.S. critical infrastructure.

Technology companies are also providing targeted support. Cloudflare's Project Galileo was launched more than a decade ago to provide cybersecurity support to vulnerable communities. While it does not exclusively focus on water, I saw firsthand while supporting the Franklin project how Cloudflare's team worked patiently with a rural utility to assess which free tools fit their needs and to get those tools installed and working.

Other programs help strengthen defenses where utilities are most exposed. CrowdStrike's Pro-Bono program provides anti-virus solutions, endpoint detection and response services, and managed threat hunting. Dragos' Community Defender Program offers free operational technology cybersecurity resources to utilities with less than $100 million in annual revenue.

Turning framework into resilience

Taken together, these efforts reflect the core lesson I carried from the Cyberspace Solarium Commission to CISA and now to ICIT: Resilience is built through clear roles, shared responsibility, and sustained collaboration.

SRMAs provide the organizing framework, but protecting the water sector ultimately depends on translating that framework into real support for the utilities that keep water safe and flowing.

The opportunity, and the urgency, is to keep tightening the partnership between SRMAs, utilities, and the private and nonprofit organizations already stepping up, so that even the smallest communities are not left exposed as easy targets.

Val Moon

Val Moon is Executive Director of the Institute for Critical Infrastructure Technology (ICIT), advancing people-centered, secure, and resilient infrastructure. Previously, she served as Chief Strategy Officer at DHS’ Cybersecurity and Infrastructure Agency (CISA) and spent 22 years at the FBI in senior cyber and technology leadership roles, including service on the Cyberspace Solarium Commission.

About ICIT

The Institute for Critical Infrastructure Technology (ICIT) is a nonprofit, nonpartisan, 501(c)3think tank with the mission of modernizing, securing, and making resilient critical infrastructure that provides for people’s foundational needs. ICIT takes no institutional positions on policy matters. Rather than advocate, ICIT is dedicated to being a resource for the organizations and communities that share our mission. By applying a people-centric lens to critical infrastructure research and decision making, our work ensures that modernization and security investments have a lasting, positive impact on society. Learn more at www.icitech.org.