Guest Column | June 17, 2026

The Easiest Way To Attack U.S. Water Systems Isn't What You Think

By Rahul Powar


The latest warnings from U.S. intelligence agencies about escalating cyber activity from foreign-state-linked actors have become more pronounced and urgent in recent months following the kick-off of military interventions in Iran. Today, even with reports indicating a potential peace deal between the two countries is now underway, bad actors will continue to operate, with the weaponization of AI streamlining efforts. Campaigns are no longer abstract or even confined to the U.S. defense sector; these attacks increasingly focus on local communities and the daily operational systems underpinning public health and safety, specifically regional critical infrastructure.

For the water and wastewater sector, this heightened threat landscape should be deeply concerning. Water utilities are not just service providers; they are guardians of public trust and essential public health infrastructure. Yet new nationwide research suggests that many water organizations remain exposed through one of the most basic, and most exploited, attack vectors: brand impersonation.

Recently, my team at Red Sift examined thousands of organizations representing the top 100 employers across all 50 U.S. states and Washington, DC. The findings revealed a systemic and persistent weakness in email authentication, or in other words, the controls designed to prevent attackers from spoofing trusted domains, executives, vendors, even billing systems.

The water and wastewater sector stands out in the report for the wrong reasons. Nearly 40% of water and wastewater organizations analyzed are operating at high or critical security risk levels, largely due to missing or inadequate protections such as DMARC enforcement, the security standard that lets organizations authenticate legitimate messages and instruct inbox providers whether to block, quarantine, or allow fraudulent emails that impersonate their domain. This means that attackers can impersonate utility domains with little resistance, enabling phishing campaigns, fraudulent billing notices, vendor payment diversion, and social engineering attacks targeting employees and customers alike.

In operational terms, this is not a hypothetical risk. Email-based attacks are routinely used as the first step in incidents that disrupt operations, compromise sensitive customer data, or create cascading financial and reputational damage. For utilities that rely on communications with municipalities, contractors, regulators, as well as the general public, this kind of digital impersonation becomes an especially potent weapon.

Even more concerning is the sector’s lack of adoption of advanced, widely available defenses. None of the water or utility organizations analyzed have implemented BIMI (Brand Indicators for Message Identification), a key standard that allows verified logos to appear in inboxes and gives recipients a clear visual trust signal. Only about one-third of organizations in the sector have achieved full DMARC enforcement using a “reject” policy, the setting that actually blocks spoofed emails rather than simply monitoring them.
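As an added example (not from the column or from Red Sift's research), the Python sketch below grades DMARC TXT records along the line the paragraph above draws between monitoring and a "reject" policy. The grade names, the stricter treatment of `pct` and `sp`, and the `.example` domains and records are assumptions constructed for illustration.

```python
# Added example: grade DMARC TXT records by how much spoofed mail they block.
# Records and .example domains below are constructed sample data.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    pairs = [part.strip() for part in txt.split(";") if part.strip()]
    # RFC 7489: the first tag must be v and its value must be exactly DMARC1.
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if sep:  # tokens without "=" are skipped rather than trusted
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Map a TXT record (or None when nothing is published) to a grade."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid-policy"
    if policy == "none":
        return "monitor-only"  # reports are sent, spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))  # share of failing mail the policy covers
    except ValueError:
        pct = 100
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "reject" and pct == 100 and subdomain_policy == "reject":
        return "enforced-reject"
    return "partial"  # quarantine, pct below 100, or weaker subdomain policy

SAMPLES = {
    "utility-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@utility-a.example",
    "utility-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@utility-b.example",
    "utility-c.example": "v=DMARC1; p=reject; sp=none; pct=50",
    "utility-d.example": "v=DMARC1; p=quarantine",
    "utility-e.example": "v=spf1 -all",  # SPF record only, not DMARC
    "utility-f.example": None,           # no TXT record at _dmarc
}

def audit(records):
    return {domain: classify(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, grade in audit(SAMPLES).items():
        print(f"{domain:20} {grade}")
```

In practice the input would be the TXT record published at `_dmarc.<domain>`; only the `enforced-reject` grade corresponds to the policy the column describes as actually blocking spoofed mail.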

This gap matters because water systems are recognized as critical infrastructure. And, as essential services, they are often operating with lean teams, aging systems, and tight budgets, conditions that foreign actors and cyber criminals actively exploit. State-linked attackers do not need to breach industrial control systems directly if they can compromise an employee’s inbox, redirect payments, harvest credentials, or gain a foothold for subsequent attacks. Across all sectors, roughly 35% of the country’s largest employers still operate with weak or nonexistent email authentication. Almost 2,000 of the country’s largest employers can be impersonated via email with minimal technical resistance.

These weaknesses are most pronounced in rural and less-populated states, areas which host a high concentration of utilities, hospitals, and regional energy providers. The pattern mirrors long-standing disparities in cybersecurity funding and oversight, but threat actors do not discriminate based on geography. In fact, under-resourced organizations are often preferred targets.

For water leaders, the takeaway is clear: this is not primarily a technology problem, it is a major governance and risk management issue. Today, email authentication is relatively low cost and easy to implement compared to the potential impact of a successful attack. The lack of enforcement reflects competing priorities, limited awareness, and the false assumption that a company or institution is “too small” or likely not a target.

Foreign adversaries have already demonstrated that they view U.S. critical infrastructure as fair game for disruption, signaling, and leverage. As geopolitical tensions rise, utilities should expect increased probing, not less.

The water sector has made significant progress in areas like physical security, resilience planning, and operational redundancy. Cyber hygiene must now be treated with the same seriousness, and that must start with closing the most obvious and exploitable gaps.

In the water industry (and beyond), email is not particularly new or glamorous. Still, it remains one of the most effective entry points for attackers. For an industry tasked with safeguarding public health and safety for cities and towns, leaving that door open is a risk that the sector simply can no longer afford.

Rahul Powar is the founder and CEO of Red Sift, a leading cybersecurity firm focused on supporting critical infrastructure against AI’s weaponization.