A report in The Washington Post has warned of a growing wave of Iranian cyber threats targeting water infrastructure in the United States, describing the trend as a form of “silent war” that could continue even if military tensions between Tehran and Washington ease.
According to the report, the US Cybersecurity and Infrastructure Security Agency recorded more than 1,900 attempted intrusions targeting an American water facility in just one month. Iran was identified as the primary source of these attacks. Although most of the attempts were unsuccessful, experts say the scale of the activity exposes serious weaknesses in the protection of American water systems.
Water Systems Exposed to Basic Security Failures
Jack Brown, a cybersecurity expert, executive director of the Cyber Policy Initiative at the University of Chicago, and former White House cybersecurity adviser, said many water facilities across the United States still fail to meet even the most basic digital security standards.
These weaknesses include leaving default passwords unchanged and failing to activate multi-factor authentication, making such facilities easy targets for hackers. Brown warned that Iran, along with states such as Russia and China, has developed increasingly advanced capabilities to target critical infrastructure, including water plants, through cyber attacks and digital sabotage operations.
Such attacks, he noted, have the potential to disrupt essential services that directly affect civilian life.
War Has Exposed Infrastructure Vulnerability
The report argues that the fragility of water infrastructure became even more visible during the recent war involving Iran. Iranian Foreign Minister Abbas Araghchi accused the United States of bombing a desalination plant on Qeshm Island, an attack that he said cut off water supplies to 30 villages.
Iran later responded by launching drone strikes on a Bahraini water facility, according to the report, underscoring how water systems have become part of a wider conflict landscape.
A Vast and Underprotected Sector
The United States has around 150,000 water facilities, most of them small, underfunded and lacking specialist cybersecurity staff. This structural weakness significantly increases the overall level of risk.
Security studies have identified more than 1,800 vulnerabilities across water and wastewater systems, some of which have already been exploited by international actors.
Warning of a Larger Threat
Brown concluded that protecting this sector will require sustained federal investment rather than limited voluntary initiatives. He warned that the real question is no longer whether Iran will attempt another cyber attack, but whether the most basic vulnerabilities will be addressed before it is too late.
