A cyberattack on a water facility can put entire communities and businesses at risk. Even a short disruption in clean water supply can have serious public health and safety consequences, and threat actors know the damage they can cause.

Water utilities have been moving away from isolated OT and toward more digitally connected systems that integrate with IT. This shift helps them get more accurate, real-time data. While these technologies improve efficiency and performance, they also open the door to new cyber risks.

Water systems are often more vulnerable than other types of critical infrastructure, largely because they’re more likely to be municipally owned or operated by smaller utility providers. Years of underinvestment have left those smaller providers without the resources to modernize, hire new staff, or invest in stronger cybersecurity capabilities. And that might be where the greatest danger lies.

Cyber threats to water facilities

CISA has previously warned that water and wastewater systems are vulnerable to attacks. Intruders often exploit vulnerabilities in outdated or unsecured OT and ICS environments, where systems are exposed to the internet or still use default credentials.

The US Water Alliance estimates that a one-day interruption in water service across the U.S. could jeopardize $43.5 billion in economic activity.

The U.S. Environmental Protection Agency (EPA) identified 97 drinking water systems serving approximately 26.6 million users as having either critical or high-risk cybersecurity vulnerabilities.

Water utility leaders are especially worried about ransomware, malware, and phishing attacks.

American Water, the largest water and wastewater utility company in the US, experienced a cybersecurity incident that forced the company to shut down some of its systems. That came shortly after a similar incident forced Arkansas City’s water treatment facility to temporarily switch to manual operations.

These attacks are not limited to the US. Recently, UK-based Southern Water admitted that criminals had breached its IT systems. In Denmark, hackers targeted the consumer data services of water provider Fanø Vand, resulting in data theft and an operational hijack. These incidents show that this is a global risk, and authorities believe they may be the work of foreign actors.

According to Semperis, 60% of attacks on utilities were carried out by nation-state groups. It’s believed that major cyber powers have been inside rival infrastructure for years, slipping in malware that could mess with basic services later on.

Protecting water infrastructure starts with operator awareness

Cyberattacks on water facilities directly affect the safety of the community and the daily work of operators. That’s why it’s so important for operators to stay alert and prepared.

Operational disruptions: Attacks can shut down pumps, throw off chemical dosing, or disable monitoring systems, making it tough to keep water safe and flowing smoothly.

Public health risks: Tampering with water treatment processes could lead to contamination, putting everyone in the community at risk.

Increased pressure: Recovering from a cyberattack often means longer hours, urgent troubleshooting, and close coordination with emergency responders.

Operators are the first line of defense. Their knowledge of the system, combined with staying aware of cyber threats, is key to:

  • Spotting suspicious activity early
  • Sticking to security protocols
  • Responding to any potential issues

Government approaches to water sector cybersecurity

The EU is taking a serious approach to cybersecurity, with stricter enforcement and long-term investment in essential services. Through the NIS2 Directive, member states are required to follow security standards, report incidents, and coordinate national oversight. These steps are designed to help utilities strengthen their defenses and improve resilience.

At the same time, the U.S. seems to be heading in the opposite direction. The EPA’s proposed budget for fiscal year 2026 would cut its funding by 54%, dropping from 9.14 billion dollars to 4.16 billion dollars. This would be the largest reduction the agency has seen in the past fifty years.

These cuts raise serious concerns about the federal government’s ability to support cybersecurity efforts in the water sector, especially for small and rural utilities that are already dealing with aging infrastructure and limited resources.

However, some U.S. states are stepping up to fill the gap. For example, New York announced new cybersecurity regulations, alongside a grant program to help utilities strengthen their defenses.

Steps to improve cybersecurity

Limit exposure to the internet: Reduce public internet access to operational devices like controllers and remote units. Regularly scan for and address any internet-exposed assets to minimize risk.

Perform regular cybersecurity assessments: Conduct frequent evaluations of both operational and IT systems to identify weaknesses. Use available assessment tools and resources to help pinpoint vulnerabilities.

Change default passwords immediately: Replace default passwords with strong, unique ones and enable MFA wherever possible to strengthen security.

Keep an updated inventory of assets: Maintain a current list of all operational and IT equipment to help monitor and manage your system.

Develop and test incident response plans: Create plans for responding to and recovering from cyber incidents. Regularly test these plans to ensure your team is prepared for potential threats.

Regularly back up critical systems: Perform consistent backups of key operational and IT systems to protect data integrity and support recovery in case of an attack.
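
As an added illustration (not part of the original article), the steps above can be turned into a repeatable check over an asset inventory. The inventory below is constructed sample data; its column names, the 30-day backup threshold, and the assumption that internal networks are the RFC 1918 private ranges are all hypothetical, and the non-internal addresses come from reserved documentation ranges.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample inventory (not from the article); column names are assumptions.
INVENTORY_CSV = """asset,kind,mgmt_ip,default_password_changed,mfa_enabled,last_backup
plc-intake-01,OT,203.0.113.10,no,no,2025-01-05
hmi-plant-02,OT,10.20.0.15,yes,no,2025-06-01
scada-hist-01,IT,10.20.1.8,yes,yes,2025-06-10
rtu-lift-07,OT,198.51.100.44,yes,yes,
"""

# Assumption: the utility's internal networks are the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_BACKUP_AGE_DAYS = 30  # assumption: example policy threshold

def audit_asset(row, today):
    """Return the list of checklist findings for one inventory row."""
    findings = []
    ip = ipaddress.ip_address(row["mgmt_ip"])
    if not any(ip in net for net in INTERNAL_NETS):
        findings.append("management address outside internal ranges")
    if row["default_password_changed"].strip().lower() != "yes":
        findings.append("default password still in place")
    if row["mfa_enabled"].strip().lower() != "yes":
        findings.append("MFA not enabled")
    if not row["last_backup"].strip():
        findings.append("no backup recorded")
    else:
        age = (today - date.fromisoformat(row["last_backup"].strip())).days
        if age > MAX_BACKUP_AGE_DAYS:
            findings.append(f"last backup {age} days old")
    return findings

def audit_inventory(csv_text, today):
    """Map asset name -> findings, keeping only assets with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_asset(row, today)
        if findings:
            report[row["asset"]] = findings
    return report

if __name__ == "__main__":
    for asset, findings in audit_inventory(INVENTORY_CSV, date(2025, 6, 15)).items():
        print(f"{asset}: {'; '.join(findings)}")
```

Running the same audit on a schedule against the maintained inventory shows which assets have drifted from the checklist since the last assessment.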