Black & Veatch’s 2025 Water Report provides a layered, unflinching look at the pressures shaping the future of the U.S. water sector. As utilities contend with aging infrastructure, persistent workforce attrition, and the toxic legacy of ‘forever chemicals,’ they also face rising demands linked to digital transformation, artificial intelligence, and cybersecurity threats. The fourteenth edition of the report, grounded in feedback from 680 stakeholders and over a century of utility expertise, outlines an industry standing at a pivotal moment.
The 2025 Water Report reveals a sector increasingly squeezed between public health mandates and the urgency to modernize. While half of the respondents say they are holding the line on priorities despite recent regulatory rollbacks, concerns over per- and polyfluoroalkyl (PFAS) contamination and sustainability remain high on the agenda. The mood, however, is one of uncertainty. With limited clarity on future regulations and funding mechanisms, many utilities are forced into a holding pattern, waiting for guidance that may not come soon enough.
“This report highlights the challenges our water clients are facing, from cybersecurity threats to aging infrastructure, AI adoption, and the impacts of climate change,” Donnie Ginn, executive vice president and water solutions group portfolio leader for Black & Veatch, said in a media statement. “As they face these new challenges, utilities must rethink how they deliver water, advancing smarter sustainability practices, adapting to new regulations, and modernizing systems to ensure long-term reliability and resilience. With AI-driven data center growth and an increase in cyberattacks against our water infrastructure, the need for resiliency has never been more clear.”
Cybersecurity has risen to the top of the priority list, with 95 percent of respondents citing safety and public welfare as their primary motivation for investing in OT (operational technology) security. Data protection and regulatory compliance, while still important, have taken a back seat to the real-world risks of cyber-physical attacks that could compromise public health and environmental safety.
When asked about the greatest constraint in tackling PFAS, 32 percent of respondents pointed to regulatory uncertainty, while 24 percent cited funding limitations and ratepayer sensitivity. On the wastewater front, resiliency topped the list of drivers for technological upgrades, with nutrient removal and regulatory shifts close behind. Yet again, budget and regulation dominated as limiting factors, with 31 and 30 percent of respondents, respectively, citing them as primary obstacles.
The 2025 Water Report doesn’t just track challenges; it outlines contradictions. For example, while digital solutions offer promise for improving operational efficiency, the very resource constraints they are meant to alleviate are blocking their adoption. Nearly half of the respondents cited staffing shortages as the key barrier to adopting digital solutions, creating a paradox that leaves many utilities stuck in a cycle of inefficiency.
Workforce attrition is not only persisting but worsening in some areas. Sixty-eight percent of utilities report continued losses among managers, engineers, and operators. These retirements are eroding institutional knowledge and weakening succession pipelines. While the pace of attrition has slightly slowed since 2024, the vacuum left by departing senior personnel continues to be a significant concern.
Training emerges as a key strategy to mitigate these risks. It ranks above budget, expertise, and resources when respondents were asked what would most improve their cybersecurity posture. But the training needed goes beyond technical instruction. It must drive cultural and behavioral change, using real-world scenarios and role-based modules to embed cybersecurity into the operational fabric of the organization.
The 2025 Water Report is blunt about the difficulty of performing effective cybersecurity assessments, noting that while frameworks such as those from EPA, AWWA, NIST, and ISA/IEC exist, most utilities lack the in-house expertise to use them properly. Assessments that succeed often rely on outside experts and participation from subject matter experts across SCADA (supervisory control and data acquisition), IT, operations, maintenance, and engineering.
Black & Veatch recommends a pragmatic, multi-tiered response to these challenges. They advocate engaging external cybersecurity professionals to support short- and mid-term planning, setting measurable training goals, using free federal resources for education, and investing in certifications like CompTIA Security+ or SANS GICSP to build internal capacity.
Artificial intelligence and data centers introduce a new set of demands. As AI models become more integrated into utility operations and data centers expand nationwide, water requirements are rising. These facilities generate significant heat, requiring large volumes of water for cooling. Yet 54 percent of respondents said their organizations have not factored these rising demands into their resource planning, suggesting a blind spot that could strain already stretched systems.
Retention is another piece of the puzzle. Experienced data professionals often leave utilities for more lucrative roles elsewhere, taking decades of knowledge with them. This brain drain threatens the stability of long-term planning, especially in a sector where data management is increasingly central to operations. Utilities must not only invest in new systems but also find ways to retain and transfer institutional knowledge before it walks out the door.
The 2025 Water Report identified that respondents are looking for more training and have a desire for their internal teams to be well-equipped to handle cybersecurity practices. Organizations must enlist the help of an external cybersecurity subject matter expert to support short- to mid-term needs, including assessments, planning, governance, policy and implementation; identify training goals, plans and milestones for utility staff; and take advantage of free training from Cybersecurity and Infrastructure Security Agency (CISA) and Idaho National Labs (INL).
The sector must also download free water sector cybersecurity guidance documents from the U.S. Environmental Protection Agency (EPA), CISA, Water ISAC, American Water Works Association (AWWA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI).
