The other "water security"
Hack the blue planet ... The Titans of the Colorado River ... And pay your sewage bill unless you want to haul it off yourself.
A few years ago, a Florida water-plant operator watched as the cursor on a computer screen began moving around and opened the plant’s control system.
The unknown cyber intruder raised the water’s caustic lye additive levels from a harmless 100 parts per million to a skin-burning 11,100 parts per million. The staffer yanked the numbers back before the dangerous water entered the delivery system, officials reported in the aftermath.
Normally, we think of “water security” as having enough of the blue stuff. But it can also mean preventing cyberattacks on water systems, which can cause chaos for everyday water users.
It’s such a big deal that Ruben Gallego introduced the bipartisan “Water Cybersecurity Enhancement Act” in the U.S. Senate this year. Today we’ll look closer at who’s been doing the hacking and what can go wrong when they gain control over U.S. utility systems.
I also bring some updates from Wednesday’s Water Resources Research Center Conference — the WWRRCC, I suppose — on Colorado River negotiations, including “hot off the press” news from federal officials who joined the conference remotely.
That, and all the other Arizona water news that keeps your mind hydrated.
Consider becoming a paid subscriber if you’re glad that someone is attending these 16-hour conferences and bringing back the good stuff to everyday Arizonans.
How did hackers get into a Florida water plant’s computer system back in 2021?
"That’s the million-dollar question, and it’s a point of concern, because we don’t know where the hole is and how sophisticated these people are," Bob Gualtieri, the local sheriff investigating the incident, told Wired. "Did this come from down the street or outside the country? No idea."
That same year, the Colonial Pipeline — an oil pipeline system connecting Texas to the Southeast U.S. — suffered a ransomware cyberattack that halted all operations until the company paid $4.4 million to the Russian hacker group “DarkSide.”
In November 2023, the North Texas Municipal Water District was attacked by the “Daixin Team” hacking group — and Pennsylvania’s Municipal Water Authority of Aliquippa was hit by the “Cyber Av3ngers.”
In fact, the first publicly known cyberattack on critical infrastructure was on a water system 25 years ago. Such attacks have only become more frequent since then.
Sewage, sandworms, and security breaches
2000: Maroochy Shire, Australia. A disgruntled former contractor hacked into the local wastewater system, causing sewage to flood parks, rivers, and hotel grounds. Over several weeks, he sent at least 46 rogue radio commands to the utility’s SCADA system — the remote monitoring and control interface for a water system’s pumps, valves, and other equipment — disrupting operations and disabling alarms. The case is said to be the earliest documented cyberattack on critical infrastructure.
2016: Undisclosed location. Verizon Security Solutions saw a water utility’s pumps and valves being manipulated via the plant’s SCADA system, which triggered erroneous chemical treatment levels in the water. Verizon reported that the cyberattack vulnerability was due to “outdated operation technology systems that had been more than 10 years old.”
“As shown by this report, the required skills needed to gain entry into this particular mission-critical system was much less impressive than what we might expect or typically see on TV … With a little more knowledge of the ICS/SCADA system, (the water company) and the local community could have suffered serious consequences,” Verizon researchers wrote in their post mortem on the attack.
January 2024: Muleshoe, Texas. A Russia-linked hacktivist group livestreams itself poking around the small town’s control screens. One pump is flipped on long enough to overflow a storage tank; water floods down the street for more than half an hour.
The attack coincided with similar attacks in three other Texas towns, including Abernathy, where storage tanks also flooded. In all cases, the utility managers had to “unplug” the systems and operate them manually until the breaches were resolved.
The hackers then uploaded videos of their exploits to public forums and were subsequently outed by Google’s cybersecurity team as hacker group “Cyber Army of Russia Reborn,” which Google says might actually be the Kremlin cyber unit known as “Sandworm.” After being outed, the hackers openly celebrated their exploits and notoriety.
"Comrades, today the collective rotten West recognized us as the most reckless hacker group. … As long as they fear us, let them hate us as much as they want."
Francesca Lockhart, a cybersecurity leader at the University of Texas, told the Texas Standard:
“[The hackers] see where they can push the envelope, where they can get into critical infrastructure … They might go for these target-rich, resource-challenged or critical infrastructure organizations that serve a small but essential population with an essential service, but may not have the time, the resources, the manpower, etc., to invest in robust cyber security.”
October 2024: American Water utility. The United States’ largest water and sewer utility, American Water, serving 14 million people in 14 states, spotted “unauthorized activity” inside its corporate network. The company yanked customer-billing, call-center and other IT systems offline “to protect our customers’ data and prevent any further harm,” it told regulators in an SEC filing. The outage froze online payments for almost a week.
In March, cybersecurity firm Dragos published a report with their findings of an “effort by China’s government to preposition their hackers within U.S. critical infrastructure.” The hacker group in question is known as “Volt Typhoon.”
Side note: Is it just me, or are 2020s hackers still using 1990s hacker names?
Water is an easy target
Government agencies and cybersecurity specialists are ringing the alarm bell about water infrastructure cyber vulnerabilities.
Is anyone listening?
“All drinking water and wastewater systems are at risk — large and small, urban and rural.”
- EPA spokesperson to CNBC
“Water is among the least mature in terms of security.”
- Adam Isles, head of cybersecurity practice for Chertoff Group
“We have demonstrated in our lab how operations, such as a water plant, could be shut down not just for hours or days, but for weeks. It is definitely technically possible.”
- Stuart Madnick, MIT professor and co-founder of Cybersecurity at MIT Sloan
“(China, Russia and Iran) are actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater.”
- Former EPA Deputy Administrator Janet McCabe
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”
- Former FBI Director Christopher Wray
“By working behind the scenes with these hacktivist groups, now these [nation states] have plausible deniability and they can let these groups carry out destructive attacks. And that to me is a game-changer.”
- Dawn Cappelli, cybersecurity firm Dragos Inc.
Recently, the U.S. has been moving against Chinese agencies that have been pretending to hire federal employees laid off by DOGE in order to deceptively extract sensitive information from them and exploit cybersecurity weaknesses in the U.S.
In other words — it’s a mess. And cash-strapped small utilities which don’t want to interrupt day-to-day operations are going to have a hard time modernizing their cybersecurity.
Attacking the silicon desert
“To most Arizonans, our state seems blessedly far from geopolitical conflicts between the United States, China and Russia. Unfortunately, however, America’s foreign adversaries, particularly the Chinese Communist Party (CCP) appear to have a different perspective. They are quietly executing on a strategy to home in on Arizona’s military bases, manufacturing plants and critical infrastructure as targets to hit in order to disable or divert U.S. forces at the outset of a conflict that they would start. And now they have reportedly admitted as much…”
So begins an opinion piece published this month from Reps. Nick Kupper and Lupe Diaz. Kupper’s HB2696 is meant to “safeguard Arizona’s critical infrastructure by prohibiting the use of software and equipment produced by companies controlled by the People’s Republic of China.”
In February, the Scottsdale radiology practice SimonMed was hit with a ransomware attack. In March, the Arizona Federal Public Defender’s Office was also hit with a ransomware attack, leading to a shutdown of their network and the loss of a defense team’s 25-page work-in-progress for a death row inmate’s upcoming hearing.
The Central Arizona Project canal system operators remain concerned about potential cyberattacks as well. For years, they’ve been requiring “quarterly staff cybersecurity training with 95% compliance rate.”
If Arizona were marked as a target in a major foreign conflict, the CAP canal system would be an attractive target for physical and cyber attacks. But hopefully it wouldn’t be an easy target.
Bipartisan h@ck3rz
In response to the escalating cyber threats targeting America's water infrastructure, bipartisan techbro Senators Ruben Gallego and Tom Cotton of Arkansas introduced the Water Cybersecurity Enhancement Act of 2025 this month.

A rogue A.I. in the “deep web” told me Gallego’s and Cotton’s secret hacker names are “son 0f saguaro” and “Tom 0wnz U.”
The bill proposes amendments to the Safe Drinking Water Act, extending and expanding its Drinking Water Infrastructure Risk and Resilience Program, which provides grants for local water infrastructure. Key provisions include:
Grant program extension: Updating the authorization period for the grant program from 2020–2021 to 2026–2031, ensuring continued federal support for cybersecurity initiatives in water systems.
Expanded funding uses: Broadening the scope of permissible uses for grant funds to encompass:
Participation in cybersecurity training programs.
Acquisition of training manuals and guidance materials.
Development and implementation of cybersecurity strategies and response plans.
Procurement of equipment and technologies to detect and respond to cyber threats.
It’s not flashy, and it will probably be slow to roll out if it passes, but best to get the ball rolling because the hackers aren’t waiting for us to get our act together — and no one wants to wake up and brush their teeth with skin-burning water or find sewage pouring into the cemetery next door.
“Senator Gallego’s Water Cybersecurity Enhancement Act is a vital step toward safeguarding America’s water infrastructure from an increasingly complex cybersecurity threat landscape. Cybercriminals and nation-state actors are targeting our water systems—especially those in small and rural communities—by attacking the critical technology that keeps water flowing,” said Arizona Department of Homeland Security Director Kim O’Connor.
So, thanks, techbro senators.
This week was my fourth year attending the Water Resources Research Center’s annual conference at the UofA — but my first time attending for free with a press pass, and I found out the press doesn’t get lunch. Too bad. But the conference served up some important news and big names.
Gov. Katie Hobbs took the stage after lunch (I went to the University deli, in case you were wondering) and let the audience know that it's still a “few” Republicans in the Legislature who are blocking groundwater policy reform.
“We know that with a 300-400% overdraft in some areas, 10% (reductions) won’t move things,” Hobbs said. “They continued their tradition of stonewalling.”
Carly Jerla, the “Post-2026 Program Manager” for the Colorado River at the Bureau of Reclamation, joined via Zoom to give some updates on the federal government’s involvement in the ongoing negotiations between Basin States over the Colorado River Compact. She noted that they are considering revising their draft proposal from last year, which Arizona water managers were not big fans of, and might have a new one drafted before the end of the year.
“The department is committed to staying engaged in the process, keeping it on track, and finding a consensus-based path forward,” Jerla told the audience.
Tom Buschatzke, Arizona’s water boss, gave an update on Colorado River negotiations as well. He said he’s allowed to “be optimistic and have anxiety” because “that’s how it works when you’re negotiating.” He’s also hopeful about negotiations under the Trump administration, which he says seem to be more open to Arizona’s needs than what he saw under the Biden administration.
The previous management proposal issued by the feds would have seen Arizona’s CAP water go to zero and Yuma farmers’ water possibly go to zero, Buschatzke said. He wants the federal government to issue a new, if-negotiations-fail proposal that would “show risk” to all the basin states, not just Arizona. He believes that would encourage the upper basin states to be more flexible at the negotiation table.
The Department of Water Resources director also noted that “lots of frequent flyer miles” are being racked up by the states as they continue private negotiations.
“It is a huge burden for us to try to deal with this river,” Buschatzke said.

In his presentation, ADWR Director Buschatzke said the work of Colorado River managers is titanic in its magnitude.
The conference also honored Colorado River Indian Tribes chairwoman Amelia Flores and inducted her into the UofA Women’s Plaza of Honor.
And I might have helped myself to a dessert at the conference when no one was looking.
Meanwhile: Democratic U.S. Rep. Greg Stanton joined Nevada Democratic Congresswoman Susie Lee in issuing a fierce warning against a recent GOP land-sale amendment.
The proposed bill would offload federal lands in southern Utah to local authorities — parcels that align with the route of Utah’s planned Lake Powell Pipeline — a long-delayed project that would pump 86,000 acre-feet a year from the Colorado River.
Stanton and Lee argue this is a back-door shortcut for the controversial pipeline, which would divert Colorado River water from Lake Powell to Washington County, Utah. Six of seven basin states (all except Utah) have raised legal objections to the pipeline and the amendment has been called a “Trojan horse” that could undermine fragile post-2026 River negotiations.
Sanction the sewers: In Casa Grande, officials are grappling with a spike in unpaid sewer bills by proposing a tough solution: cutting off water service for delinquents. The city would need Arizona Water Company to carry out the punishments, and the Arizona Corporation Commission would need to approve the whole deal.
“This is a good way because everyone, most people, pay their bills and it’s not fair for others just to keep going on and having no consequences for that,” said Casa Grande’s Mayor Pro Tem Matt Herman.
Go to the flow: Tucson high school teacher Joseph Cyr hiked out to Sabino Canyon knowing its seasonal stream would still be dry after a very dry winter. He was right — but not for long. Cyr witnessed the stream come back to life while he stood in the streambed, and captured the event on his phone.
“Sabino Canyon is truly an oasis … a ribbon of forest in the desert. Seeing it remain dry was just so disheartening and honestly scary, making us wonder if changing climate conditions will radically change this ecosystem in our lifetime,” Cyr told the Arizona Republic.
Drink up: The National Park Service has lifted a boil-water advisory on tap water in the North Kaibab corridor of the Grand Canyon, saying they are “confident there is no public health concern” after previous tests had shown harmful bacteria like E. coli in the water supply.
“Have a Poop Plan”: If you don’t want to be the one responsible for making water unsafe to drink, the Arizona Department of Environmental Quality’s new “Arizona Water Keepers” campaign has four tips for you:
Don’t leave trash in public lands
Use proper restrooms and bag pet waste
Avoid washing in natural waters
And stay on trails
“Trash left behind and human or pet waste that isn’t properly handled can introduce harmful bacteria like E. coli into the water,” ADEQ Water Quality director Trevor Baggiore says.
The new Commish: The office of the Commissioner of the U.S. Bureau of Reclamation has been vacant for months, but a White House spokesperson told the Arizona Republic that Trump’s new pick will go through a confirmation hearing soon. Because the commissioner will oversee federal involvement in Colorado River negotiations, officials in the seven basin states are awaiting the nomination announcement with great anticipation.
Tragedy in Chandler: Police recently confirmed that Trigg Kiser, the 3-year-old son of Chandler TikTok personality Emilie Kiser, was pulled from his family’s pool unconscious and died days later. Arizona Republic columnist Laurie Roberts notes that 31 children drowned in 2023, and people need to take water safety more seriously because “Every one of those deaths was preventable. Every one, a damn tragedy.”
“In Arizona, drowning is the leading cause of death for children ages 1 to 4,” AZFamily writer Alexis Dominguez notes.
Great timeline of the history of cyber attacks to put the Gallego bill....sorry the Son 0f Saguaro bill into context.
Would love to see a breakdown of which cities and towns rely on CAP water in their portfolios, if it really does fall to zero.
So, stop worrying about Fluoride.