Whether hacks on water plants have recently become more common or just more visible is impossible to tell, because there is no comprehensive federal or industry accounting of water treatment plants' security.
There has never been a nationwide cybersecurity audit of water treatment facilities, and the U.S. government has said it has no plans for one. While individual facilities can ask the federal government for help to protect themselves, few do. In most cases, it's up to individual water plants to protect themselves, and even if they're aware they've been hacked — a big if — they might not be inclined to tell the federal government, much less their customers.
"Generally, they're not reporting to the federal government. There's some distrust, you know, in small-town, Midwest USA," he said. The Cybersecurity and Infrastructure Security Agency, the federal government's primary cybersecurity defense agency, is tasked with helping secure the country's infrastructure, including water. But it doesn't regulate the sector and is largely confined to giving advice and assistance to organizations that ask for it.