top of page
Logo with SHSU.JPG

Beyond the Fence Line: Drone Threat Mitigation and Operational Readiness for Texas Water Utilities

  • IHS Sam Houston State Uni
  • 7 hours ago
  • 7 min read

By: Julia Chialastri

July 2026

The Emerging Aerial Threat Vector

Drone technology has become increasingly inexpensive, and the shift from several-thousand-dollar investments to a disposable piece of surveillance equipment has had direct implications for critical infrastructure in Texas. Recent federal alerts from the  Water Information Sharing and Analysis Center (WaterISAC) paint a troubling picture of drone-facilitated burglaries and tactical surveillance, pushing the limits of existing state regulations like Texas Government Code § 423.0045 which protects critical infrastructure airspace on paper, but are difficult to implement in practice.[1] Water and Wastewater operators may look to state emergency plans to help guide them on what to do when a drone siting occurs, but existing plans focus on natural disasters rather than aerial intrusion, leaving frontline water utility workers without explicit protocols to counter this threat. To defend their perimeters without entirely reinventing their security architecture, operators must leverage the flexible 'all-hazards' philosophy of federal AWIA guidelines and AWWA M19 standards to implement an immediate, actionable airspace checklist.


Redefining the Perimeter: Why Utilities Must Act

The shift of unmanned aircraft systems (UAS) from specialized hardware to disposable consumer gadgets has fundamentally altered the physical security perimeter of Texas critical infrastructure. In earlier years, protecting water utilities was largely contingent on securing a fence line and cybersecurity protocols. Today, the threat list has grown to include vertical intrusions.

According to joint warnings from WaterISAC and the EPA, malicious actors are actively utilizing low-cost drones for tactical perimeter surveillance and drone-facilitated burglaries. [2] These devices allow adversaries to map asset layouts, locate vulnerabilities in the physical structure, and track operator movement with minimal footprint. [3]  The low financial barrier to entry means drones can be discarded or destroyed with minimal consequences, causing traditional physical deterrence strategies to lose impact.


Statutory Limitations and Enforceability Gaps

The Fifth Circuit Court of Appeals ruling in National Press Photographers Association v. McCraw affirmed the enforceability of Texas Government Code § 423.0045, resolving legal challenges against state-level drone restrictions over critical infrastructure. [4] This final ruling validates the authority to regulate airspace, providing front-line water utilities with legal mechanisms to enforce restrictions on drones over sensitive sites. However, having statutory rights to protect airspace does not automatically translate to a secure perimeter, due in part to the following ongoing challenges:


  • The Interdiction Gap: Federal law enforcement reserves the right to physically intercept, jam or shoot down drones, leaving state and local police departments lacking the federal authority to deploy counter UAS measures. [5] [6] Further complicating matters, local law enforcement can only enforce the criminal provisions reinstated by McCraw if they can catch the operator. Tracking a drone back to a pilot who may be operating miles away remains incredibly difficult without advanced, expensive localized drone detection hardware.[7]


  • Barrier Loophole: Under Texas Government Code § 423.0045, a site is legally protected as a critical infrastructure facility only if it is completely enclosed by a fence or other physical barrier designed to exclude intruders.[8] Remote assets tend to feature open perimeters or geographical gaps, creating legal vulnerabilities that savvy bad actors can use to exploit statutory limitations. [9] [10]


  • Escalating Threat Profiles: As highlighted by federal security agencies, infrastructure sites face a continuous wave of drone incursions. Cartels, corporate espionage actors, and recreational flyers continue to breach restricted airspaces. [11] [12] [13] This ongoing risk is further compounded by state-level investigations into drone manufacturing supply chains regarding unauthorized data harvesting and firmware vulnerabilities.[14] [15]


Regulatory Blind Spots in Existing Emergency Frameworks

At the state level, public water systems face a distinct operational vulnerability due to the shifting regulatory environment. While Texas Water Code § 13.1394 and 30 TAC § 291.163 require that utilities maintain Emergency Preparedness Plans (EPPs), these requirements focus on mechanical continuity, electrical resilience, and critical asset functionality during prolonged power outages or natural disasters. [16] Because these state frameworks do not explicitly address Unmanned Aircraft Systems (UAS) or airspace monitoring, they create a gap where frontline utility workers do not typically receive training, or have clear protocols to identify, or report suspicious aerial surveillance.


To bridge this state-level gap, utilities can turn to federal risk assessment mandates and industry standards that accommodate aerial threats. Under the America’s Water Infrastructure Act (AWIA), the EPA’s (2026) Emergency Response Guidance enforces a statutory mandate to evaluate risks from "malevolent acts."[17] [18]


This broad philosophical umbrella encompasses both drone attacks and cyber-physical surveillance, allowing utilities to inject UAS-specific response steps directly into their pre-existing AWIA incident action checklists.


Furthermore, the American Water Works Association's (AWWA) M19 Manual (2018) serves as the ideal tactical bridge. Although the manual predates current drone dynamics, it offers a functional methodology for threat identification matrices, tabletop exercises, and multi-agency response coordination that can be retrofitted to defend a utility's airspace without reinventing its entire emergency architecture.


Operational Readiness: The “3 S’s” Action Checklist

The following checklist is intended as a starting point for drone sighting reporting; Individual facilities may have needs or considerations that are beyond the scope of the current check list.

Action Checklist for Utility Operators

Spot


  • Note drones’ description: Size, color, number of rotors, camera, payload.

  • Observe flight path and behavior: hovering, loitering, perimeter mapping

  • Determine proximity to sensitive or critical assets

  • Drone Description

  • Flight Path/ Behavior

  • Proximity to Critical Assets

Secure


  • Secure sensitive physical access points

  • Shield visible SCADA/computer screens from aerial photography

  • Lock and monitor hazardous chemical and equipment storage areas

  • Notify the Chief Security Officer or Emergency Coordinator

  • If there is an imminent threat, call 911

  • Secure access points

  • Shield screens

  • Lock & monitor sensitive areas

  • Inform onsite security/coordinator

  • If urgent, Call 911

Share


  • If safe, take photos or video of the drone and possible operators

  • Log time of sighting, duration, and departure direction

  • Report to WaterISAC

  • Report to TXWARN

  • Submit through the CISA suspicious

  • Take photo/video, if safe

  • Log time, duration, departure direction

    Report to:

    • WaterISAC

    • TXWARN

    • Submit through the CISA suspicious UAS reporting process

    •  UAS reporting process

 

Conclusion

Utilities do not need to wait for a lagging legislative body to pass a "Drone Security Act" to protect their assets. Existing frameworks possess the necessary structural architecture to defend against UAS threats. However, this protection is not automatic. Utilities must transition from passive compliance to active interpretation. By intentionally expanding definitions of "all-hazards" and "malevolent acts" to include aerial vectors, and by mapping those threats onto the AWWA M19 framework, utilities can effectively bridge the regulatory training gap and fortify their critical infrastructure against malicious actors, vigilante observers or hobbyists.

 


 

 

Sources:

America’s Water Infrastructure Act of 2018. Pub. L. No. 115-270, 132 Stat. 3765 (2018). https://www.congress.gov/115/bills/s3021/BILLS-115s3021enr.pdf.

Butler, Timothy A., Matthew White, Tessa Cierny, and Cody B. Davis. “Texas Attorney General Announces Investigation into Drone Company over Data Privacy, Surveillance Concerns.” Data Privacy Dish. Greenberg Traurig, May 27, 2026. https://www.gtlaw-dataprivacydish.com/2026/05/texas-attorney-general-announces-investigation-into-drone-company-over-data-privacy-surveillance-concerns/.

Cybersecurity and Infrastructure Security Agency. Unmanned Aircraft System Detection Technology Guidance for Critical Infrastructure. November 2025. https://www.cisa.gov/sites/default/files/2025-10/DetectionTech_20251030_508.pdf.

Gates, Matthew. “A Rising Threat: Using Drones to Conduct Corporate Espionage.” Security Management. ASIS International, 2025. https://www.asisonline.org/security-management-magazine/latest-news/today-in-security/2025/march/drone-corporate-espionage/.

Lambert, Michael. “Fifth Circuit Reverses Ruling on Texas Drone Law, Restores Provisions Previously Held Unconstitutional.” Haynes Boone, May 14, 2024. https://www.haynesboone.com/news/publications/fifth-circuit-reverses-ruling-on-texas-drone-law.

Lykou, George, Dimitris Moustakas, and Dimitris Gritzalis. “Defending Airports from UAS: A Survey on Cyber-Attacks and Counter-Drone Sensing Technologies.” Sensors 20, no. 12 (2020): 3537. https://www.mdpi.com/1424-8220/20/12/3537.

National Fraternal Order of Police. Unmanned Aircraft Systems. Washington, DC: National Fraternal Order of Police, 2025. https://fop.net/wp-content/uploads/2025/06/UAS-doc-1.pdf.

Quesada, K. “What Global Drone Threats Reveal about Domestic Infrastructure Security.” Security Journal Americas, 2025. https://securityjournalamericas.com/global-drone-threats-domestic-security/.

Reuters. “Senator Seeks U.S. Watchdog Probe into Texas Drone Incidents.” Reuters, March 13, 2026. https://www.reuters.com/world/senator-seeks-us-watchdog-probe-into-texas-drone-incidents-2026-03-13/.

Seidaliyeva, U., L. Ilipbayeva, K. Taissariyeva, N. Smailov, and E. T. Matson. “Advances and Challenges in Drone Detection and Classification Techniques: A State-of-the-Art Review.” Sensors 24, no. 1 (2023): 125. https://www.mdpi.com/1424-8220/24/1/125.

Texas Government Code § 423.0045. “Offense: Operation of Unmanned Aircraft over Critical Infrastructure Facility.” Accessed June 12, 2026. https://statutes.capitol.texas.gov/getstatute.aspx?Code=GV&Value=423.0045.

Texas Water Code § 13.1394. “Standards of Emergency Operations.” https://codes.findlaw.com/tx/water-code/water-sect-13-1394/.

U.S. Department of Justice. Criminal Resource Manual § 1423. “Destruction of Aircraft (18 U.S.C. § 32(a)).” Accessed June 16, 2026. https://www.justice.gov/archives/jm/criminal-resource-manual-1423-destruction-aircraft-18-usc-32a.

U.S. Environmental Protection Agency. “America’s Water Infrastructure Act (AWIA) Section 2013.” EPA.gov. Last modified May 14, 2024. https://www.epa.gov/waterresilience/awia-section-2013.

Verza, Maria. “How Mexican Cartels Employ Drones as Tools to Smuggle Drugs and Fight Enemies.” Associated Press, 2026. https://apnews.com/article/mexico-el-paso-drones-drugs-cartels-001b46b535ed957665075daafe8e244f.

Water Information Sharing and Analysis Center and U.S. Environmental Protection Agency. TLP:CLEAR Q3 2025 Water & Wastewater Sector: A Quarterly National Security Information-Sharing Bulletin. 2025. https://www.waterisac.org/wp-content/uploads/2025/08/WaterISAC_EPA-Bulletin_Q3-25_Final.pdf.

Wolfskill, A. Defending Texas Ports from Malicious Drones: Authority Gaps, Emerging Federal Pathways, and Operational Readiness after the FY26 NDAA. Report no. 2026-1043. The Sam Houston State University Institute for Homeland Security, 2026. https://shsu-ir.tdl.org/items/a87eb115-acb6-48b4-972d-8f1b22fe3dee.

 


[1] Tex. Gov't Code Ann. § 423.0045 (“Offense: Operation of Unmanned Aircraft over Critical Infrastructure Facility”), accessed June 12, 2026, https://statutes.capitol.texas.gov/getstatute.aspx?Code=GV&Value=423.0045.

[2] Water Information Sharing and Analysis Center and U.S. Environmental Protection Agency, TLP:CLEAR Q3 2025 Water & Wastewater Sector: A Quarterly National Security Information-Sharing Bulletin (2025), https://www.waterisac.org/wp-content/uploads/2025/08/WaterISAC_EPA-Bulletin_Q3-25_Final.pdf

[3] Cybersecurity and Infrastructure Security Agency, Unmanned Aircraft System Detection Technology Guidance for Critical Infrastructure (November 2025), https://www.cisa.gov/sites/default/files/2025-10/DetectionTech_20251030_508.pdf

[4] Michael Lambert, “Fifth Circuit Reverses Ruling on Texas Drone Law, Restores Provisions Previously Held Unconstitutional,” Haynes Boone, May 14, 2024, https://www.haynesboone.com/news/publications/fifth-circuit-reverses-ruling-on-texas-drone-law

[5] U.S. Department of Justice, Criminal Resource Manual § 1423 (“Destruction of Aircraft (18 U.S.C. 32(a)), accessed June 16, 2026, https://www.justice.gov/archives/jm/criminal-resource-manual-1423-destruction-aircraft-18-usc-32a.

[6] National Fraternal Order of Police, Unmanned Aircraft Systems (Washington, DC: National Fraternal Order of Police, 2025), https://fop.net/wp-content/uploads/2025/06/UAS-doc-1.pdf.

[7] Seidaliyeva, U., Ilipbayeva, L., Taissariyeva, K., Smailov, N., & Matson, E. T. (2023). Advances and challenges in drone detection and classification techniques: A state-of-the-art review. Sensors, 24(1), 125. https://www.mdpi.com/1424-8220/24/1/125

[8] Texas Government Code, § 423.0045.

[9] Lykou, G., Moustakas, D., & Gritzalis, D. (2020). Defending airports from UAS: A survey on cyber-attacks and counter-drone sensing technologies. Sensors, 20(12), 3537. https://www.mdpi.com/1424-8220/20/12/3537

[10] Wolfskill, A. (2026). Defending Texas ports from malicious drones: Authority gaps, emerging federal pathways, and operational readiness after the FY26 NDAA (Report No. 2026-1043). The Sam Houston State University Institute for Homeland Security. https://shsu-ir.tdl.org/items/a87eb115-acb6-48b4-972d-8f1b22fe3dee

[11] Gates, M. (2025). A rising threat: Using drones to conduct corporate espionage. ASIS International: Security Management. https://www.asisonline.org/security-management-magazine/latest-news/today-in-security/2025/march/drone-corporate-espionage/

[12] Quesada, K. (2025). What global drone threats reveal about domestic infrastructure security. Security Journal Americas. https://securityjournalamericas.com/global-drone-threats-domestic-security/

[13] Verza, M. (2026). How Mexican cartels employ drones as tools to smuggle drugs and fight enemies. Associated Press. https://apnews.com/article/mexico-el-paso-drones-drugs-cartels-001b46b535ed957665075daafe8e244f

[14] Reuters, “Senator Seeks U.S. Watchdog Probe into Texas Drone Incidents,” Reuters, March 13, 2026, https://www.reuters.com/world/senator-seeks-us-watchdog-probe-into-texas-drone-incidents-2026-03-13/.

[15] Greenberg Traurig, “Texas Attorney General Announces Investigation into Drone Company over Data Privacy, Surveillance Concerns,” Data Privacy Dish, May 2026, https://www.gtlaw-dataprivacydish.com/2026/05/texas-attorney-general-announces-investigation-into-drone-company-over-data-privacy-surveillance-concerns/.

[16] Texas Water Code § 13.1394. Standards of Emergency Operations. https://codes.findlaw.com/tx/water-code/water-sect-13-1394/

[17] America’s Water Infrastructure Act of 2018, Pub. L. No. 115-270, 132 Stat. 3765 (2018), https://www.congress.gov/115/bills/s3021/BILLS-115s3021enr.pdf.

[18] U.S. Environmental Protection Agency, "America's Water Infrastructure Act (AWIA) Section 2013," EPA.gov, last modified May 14, 2024, https://www.epa.gov/waterresilience/awia-section-2013.

 
 
bottom of page