It’s time to raise awareness about cybersecurity in the water sector.

A cyberattack on a water facility poses significant risks to entire communities and businesses. Even a brief disruption in the clean water supply can lead to severe public health and safety consequences. Threat actors are acutely aware of the potential damage they can inflict. Water utilities are increasingly transitioning from isolated Operational Technology (OT) to more digitally connected systems that integrate with Information Technology (IT). This shift enables more accurate, real-time data collection. However, while these advancements enhance efficiency and performance, they also introduce new cyber risks. Water systems are often more vulnerable than other critical infrastructure due to their frequent municipal ownership or operation by smaller utility providers. Years of underinvestment have left these smaller providers lacking the resources necessary to modernise, hire new staff, or bolster cybersecurity capabilities, which may represent the greatest danger.

Cyber threats to water facilities have been highlighted by the Cybersecurity and Infrastructure Security Agency (CISA), which warns that water and wastewater systems are particularly susceptible to attacks. Intruders often exploit vulnerabilities in outdated or unsecured OT and Industrial Control Systems (ICS) environments, especially where systems are exposed to the internet or still utilise default credentials. The United States Water Alliance estimates that a one-day interruption in water service across the U.S. could jeopardise approximately $43.5 billion in economic activity. The United States Environmental Protection Agency (EPA) has identified 97 drinking water systems serving around 26.6 million users as having critical or high-risk cybersecurity vulnerabilities. Water utility leaders express particular concern regarding ransomware, malware, and phishing attacks. Recent incidents, such as those affecting American Water and Arkansas City’s water treatment facility, underscore the global nature of this risk, with similar breaches reported in the United Kingdom and Denmark. Authorities believe that a significant portion of these attacks may be orchestrated by foreign nation-state groups, highlighting the urgent need for enhanced operator awareness and preparedness to protect water infrastructure.