Cybersecurity Advisory for Small and Rural Water Systems Issued by RCAP | April 2026
Due to increased international tensions and recent federal alerts, there is a higher risk of cyberattacks targeting U.S. critical infrastructure, including drinking water and wastewater systems. Small and rural systems are especially vulnerable because of limited cybersecurity resources and greater dependence on remote access tools.
Current Threat Overview:
Federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and EPA, have warned that foreign cyber actors are actively targeting infrastructure sectors. Water systems have been identified as a priority target because of known vulnerabilities in remote access systems and industrial control environments.
These attacks are usually inexpensive, opportunistic, and meant to disrupt operations rather than inflict physical harm.
Why Small Systems Are at Risk:
Many small and rural systems share common vulnerabilities:
- Remote access (VPN, RDP, TeamViewer) left open or unsecured
- Default or shared passwords across systems
- Limited cybersecurity staffing or oversight
- Legacy SCADA or control systems exposed to the internet
These conditions make smaller utilities easier targets for unauthorized access.
Recommended Actions to Take (Priority):
Utilities should take the following steps immediately:
- Disable any unnecessary remote access to control systems
- Change all passwords for:
  - SCADA systems
  - Remote access tools
  - Administrative accounts
- Enable multi-factor authentication (MFA) wherever possible
- Confirm that no control systems are directly accessible from the internet
- Contact vendors to verify secure configurations of all connected systems
Operational Preparedness:
Ensure your system can continue safe operations if digital systems are disrupted:
- Confirm ability to operate in manual mode
- Verify backup procedures for critical data and system configurations
- Check that alarm and notification systems are functioning properly
- Review and update your Emergency Response Plan (ERP) to include cyber incidents
Staff Awareness:
Cyber incidents often begin with human error. Remind staff to:
- Be cautious of unexpected emails, links, or attachments
- Never share passwords or login credentials
- Report suspicious activity immediately
Recommended Resources:
- EPA: Cybersecurity Guidance for Water Systems
- CISA: Cyber Hygiene and Vulnerability Scanning (CISA Cyber Hygiene Services)
- FBI: Joint Cybersecurity Advisory
This is not just a theoretical risk. Water systems have already been targeted in the past, including during times of geopolitical tension. Taking quick, straightforward actions can greatly decrease your system’s vulnerability.




