The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.
Why is cybersecurity important? Why does the Water Sector need cybersecurity? These are some of the questions that ponder the minds of operators, field technicians, local and small utility businesses, and U.S. citizens as agency leaders stress the importance of cybersecurity.
Cybersecurity is a fundamental practice in which IT professionals from all levels aim to secure and protect networks, devices, computer hardware, operating systems, information technology, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information (CISA, 2025).
Due to the ongoing attacks against the United States’ infrastructure from adversaries and criminal organizations, the Water Sector is facing yet another enormous challenge – Cybersecurity Breaches. The U.S. Government Accountability Office’s (GAO) critical infrastructure protection report on the water and wastewater systems within the United States has currently identified that there is a significant threat to the U.S. Water Infrastructure (U.S. GAO, 2024). There are numerous reasons that are contributing to the industry’s shortfall in cyber defense, ranging from lack of cybersecurity procedures and policies, vulnerable operating and information technology, unawareness to proper cyber hygiene, and resource constraints to name a few.
Operation Technology (OT) and Information Technology (IT) within the water and wastewater sector have been identified to be areas of vulnerability due to the rise in sophisticated attacks. Recent attacks have been successful as hackers target industrial control systems, pumps, Programmable Logic Controllers (PLCs), and computer systems. Many of these OT systems do not have modern security protections in place and are vulnerable to targeted attacks. Examples of these vulnerabilities are seen as OT systems have fallen victim to Iranian Government regime cyberattacks targeting Israeli-made PLCs and Human-Machine Interfaces (HMIs). Many of these systems were publicly exposed (no firewall) with default credentials.
We understand there are challenges that are preventing the Water Sector from increasing their cybersecurity posture, such as funding constraints. The inability to invest in modern equipment has caused an issue of reliance on legacy equipment. Legacy equipment continues to be an active risk factor within the water and wastewater environment due to a lack of updates, known attack vectors, and limited resources (U.S. GAO, 2024). Updating technology allows for quicker updates and less down time, which contributes to a stronger system. There are risks associated with any decision and introducing OT and IT systems to internet connectivity, yet there are many benefits such as increased resilience, facility efficiency, up to date software, and optimized processes. However, incidents can happen to anyone thus organizations must have an incident response plan in place.
The current reality of cyber vulnerabilities regarding water and wastewater systems is becoming increasingly noticeable across the nation as every level of local, state, or federal government systems are being attacked by adversaries domestically and globally. With the help of advanced technology, attacks are becoming more sophisticated and harder to detect. The following are the different threat types the U.S. infrastructure is facing today (U.S. GAO, 2024):
- State-Sponsored Groups:
- China
- Iran
- North Korea
- Russia
- Criminal Organizations
- Extremist Groups
- Insider Threats
- Black Hat Hackers
Malware, phishing, and ransomware top the list of common cyber threats, with nearly a quarter of respondents falling victim to ransomware attacks in the past year (McCann, 2024). One of the areas of concern with criminal activities is highlighted through the concerns of the public health and environmental impact regarding the various chemicals that are used to treat water plants. Additionally, the Department of Homeland Security (DHS) has highlighted their concerns of the possibility of an attacker’s objective could be to cause harm to the public by changing chemical mixtures within the water supply. Human error, exploitation of known vulnerabilities, and failure to implement multi-factor authentication are the leading causes of breaches (McCann, 2024).
However, there is a light at the end of the tunnel and that is the resilience of U.S. agencies, along with a diverse array of professional industry leaders dedicated to the cyber defense of water and wastewater systems. Agencies such as the Environmental Protection Agency (EPA), Cybersecurity & Infrastructure Security Agency (CISA), U.S. GAO, and the Water Information Sharing and Analysis Center (Water ISAC) support water systems by offering various of cybersecurity services free of charge. These services range from gap analysis, risk assessment guides, incident response, checklists, and toolkits developed to assist leaders in taking the correct steps to develop internal cybersecurity procedures. The proactive approach to cybersecurity leads to a stronger organization and reduces risks associated with a reactive situation.
It is important to understand that cybersecurity implementation is just the beginning of the effort to strengthen the Water Sector in the U.S.
Cyber incident reporting is an important piece of the security of any organization. A cybersecurity incident response plan plays a vital role in reacting appropriately and professionally to cyber incidents. We understand that water and wastewater organizations do not have the funds for a full IT and Cybersecurity team, thus the utilization of resources is key. CISA has developed a basic guide that will assist the Water Sector in starting the proactive approach of preparation before a cybersecurity incident (CISA, 2025). One of the most important aspects of incident response is training. It is also important to allow staff to be more cautious and report any issues freely. Additionally, other important aspects of your incident response are meeting local law enforcement and FBI representatives in an effort to fully understand their procedures. Lastly, it’s crucial that you develop a relationship with a cybersecurity and legal/PR firm(s) that act quickly on your behalf to prevent further technical or reputational damage, as well as investigate the cybersecurity incident.
Cybersecurity breaches increase in risk as best practices are not implemented, which leads to exposing individuals’ personal information, organizational
data, state and local data, and possible harm to the public’s drinking water. The EPA and Water ISAC September bulletin reiterates that 98% of organizations that follow basic security hygiene are protected from attacks (EPA & Water ISAC, 2024). This can be accomplished with the dedication to a training and awareness program that slowly trains employees on best cyber practices. IBM reported that the global average cost of a data breach in 2024 is $4.48 million, which is a 10% increase since 2023 (IBM, 2024). However, cost savings was $2.22 million on average for organizations that were prepared. Starting with the little things can have a huge impact on cyber resilience within your organization (IBM, 2024). The majority of these incidents are due to the lack of
cyber hygiene, but the implementation of those processes has minimal costs.
Additionally, partnering with a professional service provider is a solution that offers many benefits. The benefit of a managed service provider (MSP) is a multitude of different aspects. The goal of an MSP is to remove the hassle and stress that comes with protecting your organization. There are many positives when it comes to outsourcing your IT and Cybersecurity. One of those positives is that it removes the stress of cybersecurity from organizations and allows entities to focus on their primary function. MSPs offer more than cybersecurity consulting, including procurement from manufacturers and distributers, help desk support, risk assessments, and gap analysis. There is a vast list of options available for smaller to larger entities, but it really depends on the needs of the organization.
It is important to highlight that organizations must vet an MSP to ensure they are operating in good faith, legally, and efficiently due to these organizations
having access to business data, password(s), information system(s), operating system(s), license(s), and other critical components that may have a negative impact on any organization they are supporting. A few things to look out for would be legitimate accreditations, certifications, company history, professional knowledge, and pass successes or failures. Requesting references is a beneficial approach to vetting an MSP as it allows organization to receive truthful feedback.
In conclusion, cybersecurity is very serious and, in today’s modern world of technology, is a vital component in protecting business information, data, operating technology, information technology, and information systems. Water and wastewater are in need of cybersecurity implementation and many water systems have already started to take action. Take action today and reduce risk while increasing a defensive posture against cyber criminals.
References
CISA, C. (2025). Incident response plan (IRP) basics. Cybersecurity & Infrastructure Security Agency - CISA. https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf
Environmental Protection Agency, E. P. A., & Water Information Sharing and Analysis Center, W. I. S. and A. C. (2024, September). WATERISAC. Water Information Sharing and Analysis Center - WaterISAC. https://www.waterisac.org/
IBM, I. (2024, August). Cost of a data breach 2024. https://www.ibm.com/reports/data-breach
McCann, K. (2024, August 15). US Gov’t agency issues warning over water sector’s security. Cyber Magazine. https://cybermagazine.com/articles/us-govt-agencyissue-warning-over-water-sectors-security
United States Government Accountability Office, U. S. G. A. O. (2024, August). Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address
Cybersecurity Risks to Water and Wastewater Systems. United States Government Accountability Office - U.S. GAO. https://www.gao.gov/assets/gao-24-106744.pdf
WaterISAC, W. (2024, December 20). Cybersecurity fundamentals for water and Wastewater Utilities. https://www.waterisac.org/fundamentals