Cybersecurity Guide

Safeguarding the environment: Cybersecurity in environmental protection

Written by Cybersecurity Guide ContributorsLast updated:
In this guide

The environmental sector in the United States, crucial for clean water, energy, and waste management, is becoming increasingly dependent on digital systems, posing substantial cybersecurity challenges.

As 2025 progresses, the convergence of advanced attackers, evolving strategies, and outdated infrastructure is heightening risks.

Cyberattacks in this sector could have dire consequences, such as water contamination, energy grid disruptions, and ecological disasters.

Understanding this evolving landscape is crucial for professionals in environmental science, engineering, policy, and technology.

This article explores the rising threats, innovative defenses, the impact of artificial intelligence, and growing regulatory pressures shaping cybersecurity in this critical sector.

Safeguarding our planet’s lifelines demands a proactive and informed approach to this increasingly urgent issue.

Related resources

Cybersecurity and the environment

According to the Cybersecurity and Infrastructure Security Agency (CISA), 153,000 different public drinking water infrastructure systems and 16,000 public wastewater districts are in the United States alone.

Approximately 80 percent of US residents get drinking water from a public drinking water service, while about 75 percent of residents rely on municipal wastewater services.

Environmental services like drinking water and wastewater are on the CISA list of National Critical Functions. The CISA defines National Critical Functions (NCFs) as,

“functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The list of NCFs is broken into four major categories, including:

  • Connect — relates to information networks and the internet, communications and broadcasting, and telecommunications and navigation services
  • Distribute — relates to transportation and supply chains
  • Manage — relates to critical services such as the ability to manage elections and sensitive records and information as well as things like infrastructure, capital markets, medical and health facilities, public safety and community health, and hazardous materials and wastewater.
  • Supply — relates to the distribution of fuel and energy, food, critical materials, housing, and drinking water.

So, when viewed through the lens of the CISA’s National Critical Infrastructure classification, water supply and wastewater management occupy two of the four major categories of infrastructure deemed critical to the continued safe operation of local, regional, and national government.

For this reason alone, environmental infrastructure like water treatment plants provides valuable targets for cybercriminals, including hackers looking for ransoms, disgruntled employees, and terrorists. 

The scale of a potential infrastructure attack is also staggering. Using social engineering or insider attacks, a cybercriminal could easily affect the daily lives of millions of people with the same amount of effort that it would take to compromise one account or system.  

Learn how to respond to cyber hacks and breaches

It should be noted that this kind of critical infrastructure identification and categorization is not just limited to the United States.

The European Commission (the executive arm of the European Union) also maintains a list of critical infrastructure and includes drinking and wastewater management among some of the most important systems to defend against attack or disruption.

Another parallel drawn between environmental protection and sustainability and cybersecurity is that they are both often seen as issues that are subject to the “tragedy of the commons.” Like regulating the ocean or creating comprehensive climate change policy, cyberspace is seen as big and poorly defined in terms of boundaries and responsibilities. 

Just like most legal jurisdictions are not dealing with issues like carbon emissions, sea level rise, or ocean acidification proactively, most entities (in this case, companies, organizations, and people) only have a reactive or defensive posture when it comes to cybersecurity.

Currently, there is little in the way of any kind of aggressive cybersecurity policing body that acts in the public interest. Just like environmental regulation and enforcement are tough, the rules and policies dictating cybersecurity best practices are also proving elusive.

Case Study: American Water Works Company, Inc.

On October 3, 2024, American Water Works Company, Inc., the largest publicly traded U.S. water and wastewater utility company, experienced a cybersecurity incident after detecting unauthorized activity in its computer systems, later identifying it as a cyberattack. The company promptly activated its incident response protocols, engaging third-party cybersecurity experts to assess and contain the breach while also notifying law enforcement and cooperating fully.

Although water operations remained unaffected, customers faced temporary disruptions in online billing, with American Water waiving late fees. Initially, the company stated that customer personal information was not impacted, but later committed to notifying affected individuals outside its regulated areas.

By October 10, 2024, systems were being securely restored. Financially, the company did not anticipate a major impact, though Moody’s Ratings viewed the event as credit negative due to potential harm to customer trust and increased regulatory scrutiny.

While the attack’s nature was undisclosed, indications suggested a possible ransomware incident. Occurring amid rising cybersecurity concerns in critical infrastructure, the breach highlights the need for stronger security measures and preparedness within the sector.

What makes cybersecurity challenging in the environmental protection and environmental health field?

There are several reasons why developing cybersecurity best practices in the environmental field is challenging.

  • First, as outlined above, cybersecurity and environmental protection are not often thought of as closely associated.
  • Second, while critical infrastructure such as water and energy systems is important, historically, they have not been vulnerable to cyberthreats. But as more infrastructure becomes networked, the number of cyber attack surfaces grows steadily.
  • Lastly, historically, threatening environmental services or critical infrastructure is increasingly becoming a target for bad actors because it is a way to magnify the impact of an attack by damaging social sentiment and public trust.

One of the biggest challenges of implementing cybersecurity in the environmental space is the need for comprehensive and holistic regulation that is both large-scale and tactical, and also surgical in its approach.

Ideally, regulations or policies provide enough room for individual environmental infrastructure operators to respond to specialized threats and immediate incidents. 

As is true in other sectors of environmental regulation, coming up with mutually agreed-upon cybersecurity policies is cumbersome.

The challenge is only compounded by the fact that different drinking water and wastewater utilities (not to mention other types of infrastructure and environmental service providers) use different kinds of technology and computer networks to run their systems. 

In other words, cybersecurity policy and best practice recommendations for infrastructure operators need to be specific enough to be useful and impactful and general enough to be widely applicable. Finding the middle ground is no easy task.

Nevertheless, while some of the higher-level organization and policy items might seem out of reach for local drinking water and wastewater treatment plant operators, several very basic things can be done to help insulate environmental infrastructure from cyberattacks. 

Some recommendations, taken from the Water Information Sharing and Analysis Center’s (more info about this organization can be found below) list of 15 Fundamentals for Water and Wastewater Utilities, include some basic tips such as: 

  • Perform regular risk assessment
  • Enforce user controls (and password best practices)
  • Restrict physical access to digital infrastructure
  • Develop cybersecurity policies and procedures
  • Plan for cyber incidents and emergencies

The full list of recommendations can be found on the Water Information Sharing and Analysis Center’s (WaterISAC) website.

Cybersecurity solutions for the environmental field

The first step in developing cybersecurity solutions for the cybersecurity field is to fully understand all of the vulnerabilities faced by environmental and infrastructure service providers.

The good news is that several specialized entities are emerging that are familiar and capable of dealing with the increase of cyberattack-related activity, particularly as it pertains to environmental infrastructure. 

Here are just a few examples of organizations that are now taking on reporting and investigation roles for environmentally sensitive cyberattacks:

In regards to the bigger picture, preparing for and preventing cyber attacks and cyber incidents will only become more important.

After a cyberattack on water infrastructure in two American cities by hackers connected to Russia, Lani Kass, a former adviser to the US Joint Chiefs of Staff on security issues, told the BBC that everyone needed to do a better job of understanding cybersecurity and the vulnerabilities of critical infrastructure.

“The going in hypothesis is always that it’s just an incident or coincidence,” she was quoted as saying in the news report. “And if every incident is seen in isolation, it’s hard — if not impossible — to discern a pattern or connect the dots. Failure to connect the dots led us to be surprised on 9/11.”

Additional reading and resources

  • American Water Works Association — Water sector cybersecurity risk management guidance, 2019. Link to report
  • Cybersecurity and Infrastructure Security Agency — Assessments: Cyber resilience review, 2020. Link to resource
  • Institute for Security and Development Policy — Climate change, environmental threats, and cybersecurity in the European High North (Sandra Cassotta, 2020). Link to report
  • WaterISAC — 15 cybersecurity fundamentals for water and wastewater utilities — Best practices to reduce exploitable weakness and attack, 2019. Link to report

Conclusion

The cybersecurity challenges facing the environmental sector are not merely technical hurdles; they are a matter of public safety and environmental integrity.

The potential consequences of successful cyberattacks, from contaminated water supplies to disrupted power grids and ecological damage, underscore the urgency of the situation. While progress is being made, complacency is not an option.

A sustained and dedicated effort, backed by adequate resources and strong leadership, is essential to fortify the sector’s defenses and prevent potentially catastrophic outcomes.

Frequently asked questions

Why is cybersecurity important in environmental protection?

Cybersecurity plays a pivotal role in environmental protection, as many of our environmental monitoring and control systems are now digital. Ensuring these systems are secure prevents malicious attacks that could disrupt environmental data collection, analysis, and response mechanisms.

How can cyber threats impact environmental systems?

Cyber threats can lead to unauthorized access, data manipulation, or even shutdown of critical environmental systems. This can result in inaccurate environmental data, hindered pollution control, and even potential environmental disasters if systems like water treatment plants are compromised.

Are there any real-world instances where environmental systems were compromised due to cyber threats?

Yes, there have been instances where water treatment plants and energy grids were targeted by hackers, leading to potential risks for both the environment and public safety.

What’s the future of cybersecurity in environmental protection?

As environmental systems become increasingly digital and interconnected, the role of cybersecurity will only grow. We can expect advancements in AI and machine learning to aid in threat detection, and a greater emphasis on securing emerging technologies used in environmental protection.

Why is public awareness about this topic crucial?

Public awareness ensures that everyone, from individuals to corporations, understands the importance of cybersecurity in safeguarding our environment. An informed public can advocate for better policies, adopt secure practices, and support initiatives prioritizing cybersecurity and environmental protection.

Sources

  • Water and Wastewater Systems Info | Sourced from CISA in Apr 2025
  • American Water Works Company Cybersecurity Incident | Sourced from SEC in Apr 2025
  • Climate Change, Environmental Threats & Cybersecurity | From ISDP.edu in Apr 2025
  • Cybersecurity in the Water Sector | Sourced from AWWA.org in Apr 2025
  • Water & Wastewater Utilities Cybersecurity Fundamentals | From Waterisac.org in Apr 2025
  • National Critical Functions | Sourced from CISA in Apr 2025
  • RRA and ERP Information | Sourced from EPA in Apr 2025