A run of intrusions into water and wastewater industrial control systems has kept critical-infrastructure defenders on alert through 2025, reviving a regulatory fight that has simmered for years. Small and mid-sized utilities, many of which operate internet-exposed human-machine interfaces and programmable logic controllers still carrying default or weak credentials, remain among the softest targets in U.S. critical infrastructure. The Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency have repeatedly urged operators to take control systems off the open internet (placing any remote access behind a firewall or VPN) and to replace factory-default passwords, but the sector's fragmentation into thousands of underfunded local systems makes uniform hardening elusive.

The governance gap is the recurring theme. The EPA's 2023 attempt to fold cybersecurity into sanitary-survey inspections was challenged in court by states and water-industry associations and withdrawn the same year, leaving the agency to lean on guidance, voluntary assessments, and coordination with CISA rather than binding rules. The result is a patchwork in which the utilities most in need of protection are often those least able to fund it, and in which oversight authority is contested rather than clear.

The regulatory vacuum

An Atlantic Council commentary noted that water sits at the intersection of public health and national security yet lacks the regulatory muscle applied to electricity or pipelines, leaving a structural vulnerability that adversaries have learned to probe. A Lawfare analysis emphasized that the threat is less about sophisticated zero-days than about basic hygiene at scale, and that the policy failure is one of capacity and authority rather than technology. A Council on Foreign Relations report argued that critical-infrastructure resilience depends on aligning federal mandates with the resources needed to meet them, a match that the water sector conspicuously lacks.

What makes the water case instructive is that the technical fixes are well understood while the legal architecture to compel them is not. The debate is therefore less about defense engineering than about who holds the authority to require it, who pays, and what standard of care applies to a public utility that cannot afford a dedicated security staff.

The Journal addressed this precise problem before it reached today's urgency. Volume 8, Issue 1 features "A Case Study on Improving ICS Cyber Security Legislation," a direct examination of how control-system protections can be written into law without overwhelming the operators who must implement them. Its analysis of legislative design, and the broader treatment of connected-system risk in Volume 9, Issue 1's "The Internet of Things (IoT) in a Post-Pandemic World," speaks squarely to the water sector's predicament.

As utilities and regulators search for a workable oversight model, the lesson from the Journal's earlier work endures: legislation for industrial control systems must be calibrated to the realities of the operators it governs, or it will protect no one. For that foundational treatment, we point readers to JLCW Volume 8, Issue 1.

– JLCW Research Desk