The incoming Trump administration has an opportunity to rebuild water sector cyber risk management efforts underway at the Environmental Protection Agency through examining regulatory authorities and working with industry, according to stakeholders with sector-specific expertise.
“It’s a guarantee that we’ll see a full restart effort in the incoming Trump administration on water cybersecurity. It’s a known threat and risk, and we’ve already seen successful infiltrations of water and wastewater treatment centers in the U.S.,” Norma Krayem of Van Scoyoc Associates told Inside Cybersecurity in a statement.
The EPA’s approach under the Biden administration to establish cyber requirements for water utilities has faced pushback from industry. The agency tried to use existing authorities to make new requirements for public drinking water systems through a 2023 interpretative memorandum that was ultimately rolled back after a court challenge from three states, as well as the American Water Works Association and National Rural Water Association.

Norma Krayem, Chair, Cybersecurity and Data Privacy Practice Group, Van Scoyoc Associates
The agency in May stepped up inspection and enforcement actions against water utilities to drive cyber improvement under the Safe Drinking Water Act, but industry stakeholders have expressed issues with a lack of consistency in assessing compliance with SDWA requirements.
Mark Montgomery of the Foundation for Defense of Democracies emphasized the lack of dedicated cyber risk management resources at EPA. On the agency’s May enforcement crackdown, he said, “They have almost no manpower and no budget, so I’m not sure what they were doubling down on.”
Montgomery co-wrote an October transition report from the McCrary Institute that criticized the EPA’s fiscal 2023 budget for sector-specific cyber support, which was more than $20 million less than the $45 million cyber budget recommended by the Cyberspace Solarium Commission.
Krayem, a former senior official who spent time at the departments of Commerce, Transportation and State, said, “The core challenge is that the EPA does not appear to have the regulatory authority it needs to address cybersecurity risks.”
She argued, “The prior focus on attempting to give the mandate to the states, through EPA delegated authority, under the Safe Drinking Water Act, clearly did not work. But the incoming Administration does not necessarily mean that it will take a deregulatory approach to cybersecurity overall, and in the water industry.”
President-elect Trump has tapped former Rep. Lee Zeldin (R-NY) to lead the EPA. Trump said in a Nov. 11 post on Truth Social that Zeldin “will ensure fair and swift deregulatory decisions that will be enacted in a way to unleash the power of American businesses.”
While the incoming Trump administration may take a deregulatory approach in some sectors, Krayem said, “National security and cybersecurity issues have long been managed differently than normal regulatory issues.”
Montgomery said, “The incoming administration has a lot of things they want to change in EPA and maybe reduce what they've been doing. I don't think cybersecurity is one of them.” He noted strong bipartisan support for cybersecurity, saying, “Republicans and Democrats think we have to be better at this.”
Krayem emphasized the GOP’s focus on improving national security in the most recent election cycle, referring to a policy position in the 2024 Republican party platform that elected party members should use “all tools of National Power to protect our Nation's Critical Infrastructure and Industrial Base from malicious cyber actors.”
The chapter on EPA in the Project 2025 roadmap specifically calls for implementing “additional policies to address challenges in water workforce, issues surrounding timely actions on primacy applications, and cybersecurity.”
Legislative solutions
Montgomery predicted swift passage of a bill in the next Congress to stand up a public-private regulatory regime for managing risks in the water sector and raising the cyber baseline.
The bill, which was introduced in April by Reps. Rick Crawford (R-AR) and John Duarte (R-CA), would establish a public-private “Water Risk and Resilience Organization” to create and enforce cyber standards for water and wastewater utilities. It is supported by the AWWA and NRWA.
Montgomery said objections to the bill in the 118th Congress have come primarily from Senate Democrats, but with the GOP in control of both legislative chambers next year, he predicted: “There will be a Senate version and a House version, and it gets through pretty quick.”
Montgomery added that the bill offers an attractive alternative to regulatory enforcement, emphasizing the importance of “bottom-up work” to help organizations “at the lowest level” improve their cyber posture.
CISA’s role
Montgomery said maintaining CISA’s cyber activities should be a top priority for the Trump administration in addressing sector-specific cyber issues. Trump’s pick for CISA director will shape the work of the agency moving forward.
On Capitol Hill, Senate Homeland Security ranking member Rand Paul (R-KY) has expressed concerns over CISA’s engagement with social media companies in election security work, citing issues of free speech and censorship online. Paul is expected to chair the committee in the next Congress.
Montgomery, however, argued CISA’s cross-sector risk management role must be “preserved.”
He told Republicans: “If you want to question CISA’s validity as an organization, let’s take a look at its constituent parts. If you want to take them out of the disinformation business, that’s an extremely small portion of their budget and resources.”
“Go at it,” Montgomery said, “but use a scalpel, not a chainsaw, because other CISA responsibilities like providing systems and support to the rest of the .gov -- and serving as the national coordinator across sector risk -- are intensely important taskings.”
Montgomery emphasized the need for the EPA to continue to work with CISA on water sector cybersecurity under the incoming administration. CISA and EPA have developed resources targeted at the water sector in recent years.
CISA also has an important role in connecting SRMAs, according to Montgomery. He said, “When CISA gets word from one infrastructure about a challenge,” they should “rapidly coordinate with EPA so they understand the impact on the water sector, or vice versa.”
“If power goes down, water is in trouble -- and if water goes down, power is in trouble because they’re the cooling medium for a lot of plants,” Montgomery explained.
-- Jacob Livesay (jlivesay@iwpnews.com)