Hearings to examine a discussion draft of an original bill entitled

Wednesday, March 4, 2026

Key Takeaways

  • The committee debated a discussion draft to establish a "Water Risk and Resilience Organization" that would create industry-led, risk-based cybersecurity standards for the nation's 170,000 water systems.
  • Matt Odermann (Cybersecurity Supervisor, Minnkota Power Cooperative) urged Congress to prioritize technical assistance over enforcement, arguing that small systems face a "capacity gap" rather than a lack of commitment.
  • Sen. Whitehouse (D-RI) pressed Odermann on using "cyber insurance riders" as a market-based mechanism to drive utilities toward meeting evolving security standards.
  • Sen. Capito (R-WV) opposed burdensome federal mandates for small utilities, while Sen. Markey (D-MA) argued that voluntary measures are insufficient and called for mandatory upgrades backed by federal funding.
  • The committee will review legislative proposals to reauthorize EPA grant programs and establish a "circuit rider" program to provide hands-on cybersecurity support to rural water systems.

Hearing Analysis

Overview

On March 4, 2026, the Senate Environment and Public Works Committee held a hearing to examine a discussion draft of legislation aimed at strengthening the cybersecurity of the nation’s water and wastewater infrastructure. Chair Shelley Moore Capito (R-WV) and Ranking Member Sheldon Whitehouse (D-RI) convened the session to address the increasing frequency of cyberattacks targeting the approximately 170,000 water utilities across the United States. The hearing focused on the unique vulnerabilities of small and rural systems, the limitations of current federal oversight, and the need for technical assistance rather than punitive mandates.

Key Testimony

The testimony provided a stark look at the threat landscape. Dr. D. Scott Simonton, a Fellow at the Marshall University Institute for Cyber Security, testified that while even the smallest rural systems now rely on digital operational technology (OT) like SCADA and PLCs, they often lack the staff to manage cybersecurity. He noted that in West Virginia, 75 percent of systems serve fewer than 3,300 people and fall below the population threshold for mandatory risk assessments under the Safe Drinking Water Act. Matt Odermann, an Executive Board Member of the North Dakota Rural Water Systems Association, emphasized that for rural utilities, cybersecurity is a "question of capacity, not indifference." He warned that the Environmental Protection Agency (EPA) is often viewed as a punitive regulator, which can discourage utilities from transparently reporting vulnerabilities. Scott Dewhirst, Deputy General Manager of Fairfax Water, representing the Association of Metropolitan Water Agencies (AMWA), highlighted that while large utilities have dedicated cyber staff, the sector as a whole lacks sufficient federal resources.

Policy Proposals

Several specific policy proposals were debated. A central recommendation from AMWA was the creation of a Water Risk and Resilience Organization (WRRO). Modeled after the North American Electric Reliability Corporation (NERC) in the energy sector, the WRRO would be a collaborative body of cyber experts and operators that develops size-tailored cybersecurity standards in partnership with the EPA. Witnesses also strongly advocated for a "cybersecurity circuit rider" program, modeled after the United States Department of Agriculture (USDA) technical assistance programs, where traveling experts provide hands-on security support to small utilities. Legislative mentions included the Water Intelligence Security and Cyber Threat Protection Act, introduced by Sen. Edward J. Markey (D-MA), which seeks to provide federal funding for the Water Information Sharing and Analysis Center (WaterISAC). Additionally, Sen. Lisa Blunt Rochester (D-DE) discussed the Water Infrastructure Resilience and Sustainability Act, a bipartisan bill to reauthorize EPA grant programs for mid-size and large systems.

Industry Impact

The industry impact of these proposals would be significant for the water and wastewater sectors, particularly regarding compliance costs and technical requirements. Small municipal systems would benefit from technical assistance but expressed concern over "one-size-fits-all" mandates. The cybersecurity industry and university research centers would likely see increased roles in workforce development and system assessments.

Key Organizations

The committee identified several key organizations during the discussion. Marshall University and its Institute for Cyber Security (ICS) were praised for their work training National Guard cyber units and assisting small towns like Ansted, West Virginia, with digital transitions. The Environmental Protection Agency (EPA) was discussed both as a necessary regulator and a source of concern for utilities fearing enforcement actions over self-reported vulnerabilities. The Water Information Sharing and Analysis Center (WaterISAC) was identified as the sector's primary information-sharing hub, though witnesses noted it currently receives no federal grant funding. The Cybersecurity and Infrastructure Security Agency (CISA) was referenced as a vital partner for threat intelligence, particularly through the Water and Wastewater Sector Coordinating Council. Geopolitical adversaries, specifically the People's Republic of China (China), the Russian Federation (Russia), the Islamic Republic of Iran (Iran), and the Democratic People's Republic of Korea (North Korea), were identified as the primary sources of state-sponsored "living off the land" attacks and ransomware.

Partisan Dynamics

Partisan dynamics showed a broad consensus on the severity of the threat but diverged on the method of implementation. Republicans, led by Chair Capito and Sen. Kevin Cramer (R-ND), emphasized voluntary compliance, technical assistance, and avoiding burdensome regulations for small systems. Democrats, including Ranking Member Whitehouse and Sen. Markey, pushed for stronger federal standards and increased mandatory funding, with Whitehouse suggesting that the insurance industry could play a role in driving higher security standards through liability requirements.

Notable Exchanges

Notable exchanges included Sen. Markey’s assertion that "vision without funding is a hallucination," referring to the lack of appropriations for authorized cyber programs. Sen. Whitehouse also challenged the distinction between criminal and nation-state actors, arguing that countries like Russia provide a "veneer of deniability" to criminal hackers who probe American infrastructure. Chair Capito concluded by highlighting the "cascading effect" of cyberattacks on public trust, noting that a breach in a small system can cause widespread emotional distress and loss of confidence in water safety.

Next Steps

The hearing concluded with a call for better data on the frequency of attacks, as witnesses could not provide a definitive number of daily attempted breaches. Senators have until February 18, 2026, to submit additional questions for the record, with witness responses due by March 4, 2026.

Transcript

Sen. Capito (WV)

Good morning and welcome to today's hearing. Today we'll examine the challenge, excuse me, the challenges facing drinking water and wastewater systems to install, implement, and maintain adequate cybersecurity, as well as trying to identify opportunities to address these challenges through new legislation. First, I want to thank our excellent panel of witnesses for making the trip to D.C. and to share their perspectives on this important topic. Your work to enhance the resilience of our water and wastewater systems is incredibly important to Americans' health and daily lives. There are approximately, this number is stunning really, 170,000 water and wastewater utilities across the country. These utilities fill a vital role in ensuring that communities across the country have access to safe and reliable water and sanitation services. I know in the audience we have several of our water system utility folks here, so I'll shout out to my fellow West Virginians. Accessible and reliable water and wastewater services are essential to protect public health and provide fundamental services to our constituents. These services can also be a foundational basis for a strong economy and a strong America. Because of the important role our water systems play in our country, they are unfortunately a target for bad actors. Over the last several years, we've seen a broad trend of entities linked to our geopolitical adversaries, such as Iran, China, Russia, using cyberattacks to target our critical water infrastructure. Cyberattacks on water utilities may take various forms. For example, ransomware attacks can compromise business or customer information. Attackers can also gain access and then manipulate a system's operational technology, disrupting the treatment or distribution of water or altering the levels of chemicals to potentially dangerous amounts. 
Either way, a successful attack that disrupts safe and reliable water or sanitation services or exposes sensitive customer data could be debilitating for impacting communities. These threats must be acknowledged and challenged, particularly as technological advances such as AI increase the speed and efficiency of these attacks. The rise in cyberattacks is occurring at the same time as our water and wastewater systems deploy new digital control technologies, I've seen some of them myself, systems that allow utilities to operate more efficiently and effectively. As we look to upgrade and modernize our water systems in the face of these threats, it is more urgent for our utilities, federal agencies, and water sector and cybersecurity experts to work together to increase that system resiliency. Increasing water system resilience requires us to take a clear-eyed look at the many challenges and shortcomings that our utilities are facing. Legacy systems are difficult to maintain and update. Workforce shortages limit in-house expertise, and fulfilling basic cybersecurity hygiene practices requires consistent monitoring and communication. For instance, in 2024, the Environmental Protection Agency identified instances where some water systems utilized a single login for all their employees, failed to change default passwords, or did not curtail the ability of former employees to access the systems. While we work to improve the resiliency of our critical infrastructure from cyberattacks, solutions to address cybersecurity must be deliberate and tailored to reflect the challenges faced by utilities in different sizes and location. A one-size-fits-all mandate from the federal government will likely be overly burdensome and unworkable, particularly for our smaller systems, and can hinder utilities' ability to take achievable steps towards meaningful progress. 
Water and wastewater systems across our nation are already grappling with how to prioritize limited resources while meeting federal and state requirements under the Clean Water Act and Safe Drinking Water Act. Costly requirements can distract from the core mission of providing safe, reliable, and affordable services to the American people. In addressing these cyber challenges, we must strike the right balance between the role of the federal agencies and in empowering local utilities to address their challenges and improve their cybersecurity at their own facilities. Due to the constantly evolving technological environment that we live in, addressing this challenge will require innovative solutions that enable utilities to adapt and respond to quickly changing circumstances. Building and maintaining resilience among cyber threats is not a one-and-done event. It is ongoing and ever-evolving. We should not rely on one specific technological advances as the silver bullet solution or have blinders on when it comes to envisioning or preparing to address potential threats. Look forward to the discussion today, learning how we can be better partners with our water utilities to identify cybersecurity threats and provide a flexible toolkit going forward. So I now recognize Ranking Member Whitehouse for his opening statement.
