On March 14, ransomware knocked out the water treatment plant serving 80,000 people in Minot, North Dakota. Staff spent 16 hours operating the system by hand. The city took more than two weeks to rebuild. Water quality was not affected, but the Supervisory Control and Data Acquisition (SCADA) system was gone, and the FBI was called in. The attackers have not been publicly identified. It shouldn't have been hard to see coming.
When EPA inspectors began showing up at drinking water facilities across the country in 2023, more than 70 percent of the systems they inspected were violating federal law. Not obscure regulatory technicalities. Basic security. Facilities that had never changed the factory-default passwords on their equipment. Systems where every employee, past and present, logged in with the same credentials. Former workers who still had full access to infrastructure serving tens of thousands of people.
On April 7, the EPA, FBI, CISA, and NSA issued a joint advisory on Iranian-affiliated actors targeting water and wastewater systems. The advisory did not describe a potential threat. It described an active one:
U.S. organizations are experiencing exploitation and, in some cases, disruption of commonly used operational technology at drinking water and wastewater systems that are diligently working to ensure that Americans can rely on clean and safe water.
Reported consequences have included wiped system configurations, tampered mechanical sensors, and knocked-out control interfaces, along with direct financial losses. In November 2023, an Iran-affiliated group breached a Pennsylvania water system and forced workers to manually shut down a pumping station. The April advisory was the federal government's acknowledgment that the threat never stopped.
More than 153,000 drinking water systems and 16,500 wastewater systems operate across the United States. Most run aging equipment on thin budgets. None is subject to a mandatory federal cybersecurity standard. The EPA spelled out what a successful intrusion could mean:
Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.
The GAO identified why so many systems remain exposed: aging technology that can't run modern security software, workforce shortages, and a funding reality in which clean water regulatory compliance consistently beats out cybersecurity for budget.
The Safe Drinking Water Act does not give the EPA authority to mandate cybersecurity standards. The Federal Energy Regulatory Commission has that authority for the power grid. The Transportation Security Administration has it for pipelines. In 2023, EPA tried to work around that by directing states to include cybersecurity reviews in routine sanitary surveys. A coalition of state attorneys general sued, won, and the EPA withdrew the memorandum. The GAO's May 2026 testimony put the result plainly: "EPA identified significant limitations in its authority under federal drinking water and clean water laws to address those gaps."
GAO has listed cybersecurity of critical infrastructure as a high-risk area requiring urgent congressional attention since 2003. Iran-affiliated groups are still breaking into water systems. Ransomware is still knocking SCADA systems offline. And 153,000 water systems still have no mandatory federal security floor to meet.
The FBI's statement after Minot drives the point home: "Unfortunately, the most critical threats to infrastructure come from our networks."
Editor’s Note: The American people overwhelmingly support President Trump’s law and order agenda.
Help us fight back against the Democrats and Soros-backed DAs that refuse to enforce our laws to hold criminals accountable. Join RedState VIP and use promo code FIGHT to receive 60% off your membership.
Join the conversation as a VIP Member