I became the Executive Director at the Institute of Critical Infrastructure Technology (ICIT) three months ago, after 26 years of federal service. I spent 22 of those years at the FBI and the last four at the Cybersecurity and Infrastructure Security Agency (CISA).
One of the capstone experiences of my FBI career was serving as the senior detailee to the Cyberspace Solarium Commission (CSC), a congressionally mandated bipartisan body tasked with "develop[ing] a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks."
When I later moved to CISA as Chief Strategy Officer, I had the opportunity to help turn many of the recommendations from the Cyberspace Solarium Commission report into implementation. That work helped shape how I think about protecting the systems we all rely on every day, including something as basic (and as mission-critical) as safe, reliable water.
Why water is a cyber issue
Water is one of the clearest examples of how cyber risk can have real-world consequences. The pumps, sensors, and treatment controls that keep drinking water safe and wastewater moving are increasingly connected to the internet, and many utilities are operating with legacy equipment, constrained budgets, and small teams.
That combination makes the sector both a tempting target and a tough one to defend, which is why clear roles, strong coordination, and practical support matter.
The SRMA framework and shared responsibility
To meet challenges like these, one of the pillars of the CSC's report was to Promote National Resilience. A central recommendation under that pillar was to codify responsibilities and ensure sufficient resources for CISA and sector risk agencies to identify, assess, and manage national and sector-specific risks.
Today, that structure is carried out across CISA's 16 critical infrastructure sectors through Sector Risk Management Agencies (SRMAs), formerly known as Sector-Specific Agencies. SRMAs are the federal partners responsible for risk management and coordination in their sectors, with duties reinforced in National Security Memorandum 22 on Critical Infrastructure Security and Resilience.
Most of the critical infrastructure that makes modern life possible is not owned by the federal government. It is built, operated, and maintained by the private sector or local-government entities.
About 85% of U.S. critical infrastructure is owned by the private sector, which makes the SRMA model essential. Resilience depends on sustained partnerships among SRMAs, owners and operators, and state, local, tribal, and territorial governments.
The water sector's evolving threat landscape
The CSC report included a specific callout for the water sector, and the risks highlighted have only grown since the report's release in March 2020. Water and wastewater utilities increasingly rely on networked operational technology, remote access, and third-party services — and adversaries know it.
In the water sector, the SRMA is the Environmental Protection Agency (EPA), and its role sits at the intersection of public health, safety, and cybersecurity. According to the EPA, there are 148,000 public water systems in the United States. Nearly 90% of these systems serve communities of 10,000 people or fewer.
Increasingly, those systems are facing cyber threats, as described in an EPA enforcement alert, issued in May 2024, warning that nation-state actors including Iran, Russia, and China have sought access to U.S. water systems, potentially positioning themselves for future disruptive or destructive activity.
These warnings are not theoretical. This past fall, "60 Minutes" aired a story on how China infiltrated the water utility of a small town in Massachusetts as part of a broader campaign targeting U.S. critical infrastructure.
Many other rural utilities are doing the best they can with limited staff, aging equipment, and tight budgets, which make it hard to sustain even basic cybersecurity, let alone the layered defenses needed against sophisticated nation-state operators.
Closing the support gap
At the same time, resource constraints across the federal government have reduced some traditional avenues of hands-on cybersecurity support for rural water utilities. Budget pressures facing agencies like CISA and the EPA make it even more important to use the SRMA model the way it was intended: as a coordinating force that can set expectations, share action-ready guidance, and mobilize the broader ecosystem of support.
Who's stepping up
Encouragingly, industry and civil society have stepped into this gap with practical help for the utilities that need it most. For example, the Cyber Readiness Institute, together with the Foundation for the Defense of Democracies, is offering basic cybersecurity training to water utilities. The approach is straightforward: build baseline understanding and translate it into concrete, repeatable actions.
Another model focuses on hands-on capacity. The University of Chicago's Cyber Policy Initiative has teamed up with DEF CON to create the Franklin project, which matches volunteer cybersecurity experts with water and wastewater utilities that need help. By pairing scarce expertise with vulnerable operators, Franklin is directly addressing one of the most frequently targeted, and least resourced, parts of U.S. critical infrastructure.
Technology companies are also providing targeted support. Cloudflare's Project Galileo was launched more than a decade ago to provide cybersecurity support to vulnerable communities. While it does not exclusively focus on water, I saw firsthand while supporting the Franklin project how Cloudflare's team worked patiently with a rural utility to assess which free tools fit their needs and to get those tools installed and working.
Other programs help strengthen defenses where utilities are most exposed. CrowdStrike's Pro-Bono program provides anti-virus solutions, endpoint detection and response services, and managed threat hunting. Dragos' Community Defender Program offers free operational technology cybersecurity resources to utilities with less than $100 million in annual revenue.
Turning framework into resilience
Taken together, these efforts reflect the core lesson I carried from the Cyberspace Solarium Commission to CISA and now to ICIT: Resilience is built through clear roles, shared responsibility, and sustained collaboration.
SRMAs provide the organizing framework, but protecting the water sector ultimately depends on translating that framework into real support for the utilities that keep water safe and flowing.
The opportunity, and the urgency, is to keep tightening the partnership between SRMAs, utilities, and the private and nonprofit organizations already stepping up, so that even the smallest communities are not left exposed as easy targets.