The New Cyber Risk Challenging America's Water: Modernization Itself
The New Cyber Risk Challenging America's Water: Modernization Itself
As water utilities embrace digital transformation, they're also expanding their attack surface at an alarming rate
Water utilities have made significant strides in modernizing and securing their systems over the past decades. Embracing digital transformation has been necessary to improve efficiency, resilience, and service delivery. But this progress comes with a sobering reality: the very technologies enabling smarter water management are also creating new pathways for cyber attackers.
The Attack Landscape: By the Numbers
Source: Check Point Research, 2024
The Modernization Trap
Water utilities today operate in a complex environment shaped by growing populations, evolving regulations, and resource constraints. Most of America's water infrastructure is decades old and underfunded. To meet rising demand, utilities have embraced digital innovation: cloud-enabled sensors, networked monitoring systems, and process automation.
These tools extend the capabilities of skilled operators, enabling continuous, data-driven decision-making. But greater efficiency comes with greater exposure. The rapid expansion of IoT technologies has dramatically increased the number of devices connected to water networks.
Note: Device counts vary significantly by utility size. Global IoT devices projected to exceed 35 billion in 2025.
Where Utilities Are Failing
EPA inspections have revealed a troubling picture of cybersecurity readiness across the water sector. More than 70% of water utilities fail to meet basic cybersecurity standards set by the Safe Drinking Water Act.
Source: EPA Enforcement Alert, May 2024 (updated July 2025)
Source: EPA Office of Inspector General assessment of 1,062 drinking water systems, October 2024
- Default passwords that haven't been changed
- Single-factor logins that can easily be compromised
- Continued system access for former employees
- Outdated operating systems no longer receiving security patches
- Externally visible open portals
Who's Attacking — and Why
The threat actors targeting water infrastructure aren't just opportunistic hackers. They include sophisticated nation-state groups with strategic objectives far beyond financial gain.
Recent Attacks: A Growing Pattern
| Date | Target | Impact |
|---|---|---|
| Oct 2024 | American Water (14M customers) | Billing systems offline for week; core operations preserved |
| Sep 2024 | Arkansas City, Kansas | Switched to manual operations; no service disruption |
| Apr 2024 | Tipton, Indiana | Hackers posted video of SCADA access; manual control activated |
| Jan 2024 | Multiple Texas utilities | SCADA systems accessed; water tank overflow in Muleshoe |
| Nov 2023 | Aliquippa, Pennsylvania | Iranian group compromised booster station; default password '1111' |
The Resource Gap
When asked what prevents utilities from advancing cybersecurity, the answers reveal a sector struggling to keep pace with threats:
Source: Black & Veatch 2024 Water Report
Only about 50% of utilities surveyed are currently investing in cybersecurity measures to protect their critical infrastructure — despite 86% reporting that cybersecurity is "very important."
Building More Resilient Systems
Utilities are not abandoning digital tools or automation. Instead, the path forward involves more selective, security-conscious modernization. Rather than assuming every system should be interconnected, utilities are reconsidering what should be decoupled.
Standard protective measures now being recommended include:
- Decoupling OT systems from the public internet wherever possible
- Strengthening firewalls between IT and OT networks to limit lateral movement
- Restricting IT permissions so teams can read OT data but cannot write back into control systems
- Ensuring all automated processes are essential and can be overridden manually when necessary
- Changing all default passwords immediately
- Implementing multi-factor authentication
- Conducting regular vulnerability and risk assessments
The Path Forward
The challenge for water-sector leadership is to determine how to reap the benefits of modernization while minimizing its risks. The question is no longer whether to modernize, but how: How do we make the target smaller without sacrificing the tools that help us operate more effectively?
For now, the responsible approach is measured modernization — advancing technology adoption at a pace and in a configuration that keeps critical water infrastructure safe from increasingly sophisticated attacks. The future of water security will depend not just on innovation, but on intentional design that respects both the promise and the risks of a more connected world.
