OT Cybersecurity for Water and Wastewater Utilities: Protecting the Infrastructure Nobody Thinks About
Water and wastewater utilities do not make headlines the way power grids and pipelines do. They are not perceived as high-value targets. They lack the regulatory pressure of the energy sector and the defense budgets of military infrastructure. And yet, the consequences of a successful cyberattack on water infrastructure are immediate and physical in a way that distinguishes this sector from almost any other.
In February 2021, an attacker gained remote access to a water treatment facility in Oldsmar, Florida, through an unprotected remote desktop connection, and attempted to increase the sodium hydroxide level in the treated water to more than 100 times the normal concentration. An operator noticed the cursor moving and reversed the change. The attack failed. But it demonstrated that water infrastructure OT systems are both reachable and targeted, and that the safety consequence of a successful attack is not data loss: it is harm to the people who drink the water.
Water utilities serve populations that depend on continuous, safe service. Understanding the OT security risks specific to this sector, the regulatory framework now surrounding it, and the controls that protect it is the starting point for any water sector OT security program.
Why Water and Wastewater OT Security Has Become Urgent
Three converging factors have elevated OT cybersecurity risk in water and wastewater utilities over the past five years:
-
Remote access proliferation: water utilities, especially smaller ones, rely heavily on remote SCADA access for operations across geographically distributed pump stations, treatment facilities, and storage infrastructure. Many of these remote access connections use unprotected or legacy protocols
-
IT/OT convergence without security controls: operational data integration with billing systems, regulatory reporting, and enterprise IT has created network connections between the operational network and the corporate IT environment that were not designed with security in mind
-
Regulatory attention: the EPA's America's Water Infrastructure Act (AWIA) of 2018 and its cybersecurity provisions, and the 2024 EPA rule requiring water systems to address cybersecurity in sanitary surveys, have placed formal compliance obligations on systems serving more than 3,300 people
The OT Attack Surface in Water and Wastewater Utilities
SCADA Systems for Treatment Process Control
A water treatment facility uses SCADA to monitor and control chlorination, pH adjustment, filtration, and distribution pressure. The SCADA server communicates with PLCs and RTUs at pump stations, chemical dosing points, and storage facilities. If the SCADA server is compromised, an attacker has the ability to send commands to those field devices. Securing the SCADA network through proper zone architecture and access controls is the primary defense against this attack pathway.
Chemical Dosing Systems
Chemical dosing, specifically the addition of chlorine, sodium hydroxide, and coagulants at precise concentrations, is the most safety-critical OT function in water treatment. Control system integrity for dosing PLCs is a public health obligation. A dosing system that can be commanded remotely without authentication is a direct threat to the population the utility serves. The Oldsmar incident targeted exactly this function.
Remote Pump Stations and Telemetry
Water distribution systems include pump stations, lift stations, and pressure zones distributed across large service areas, often in remote locations. These stations communicate with the central SCADA system through cellular, radio, or internet-connected RTUs. The remote communications pathways for these assets are a common attack entry point, and many legacy RTUs use Modbus or DNP3 without authentication.
Internet-Connected HMIs
A 2021 CISA advisory identified internet-facing HMIs as a critical vulnerability class in water sector OT environments. Many water utilities, particularly smaller ones serving rural communities, operate HMIs that are directly accessible from the internet through outdated remote desktop protocols or web-based interfaces with default credentials. These represent the lowest-effort attack surface in the water sector and were the entry point for both the Oldsmar incident and several similar attempts identified by CISA in the same period.
Documented OT Attacks on Water Sector Infrastructure
The water sector has experienced a pattern of OT-targeted incidents that illustrates the realistic threat profile:
-
Oldsmar, Florida (2021): attacker gained access through an internet-facing remote desktop connection and attempted to alter sodium hydroxide dosing levels. Caught by an alert operator.
-
Nevada water facility (2021): an unidentified threat actor attempted to modify the treatment process at a Nevada water utility using a legitimate remote access tool. CISA issued an advisory.
-
Kansas water treatment attempt (2019): a former employee used credentials that had not been revoked to access a water treatment facility's control system after termination. Illustrates the access control vulnerability from insider threats.
-
Cyber Av3ngers (2023): Iranian-linked threat actor compromised Unitronics PLCs at multiple US water utilities, exploiting default credentials on internet-accessible devices. CISA issued an advisory identifying the attack vector as default password usage on internet-connected PLCs.
Regulatory Framework for Water Sector Cybersecurity
|
Regulation |
Applies To |
Key OT Requirement |
|
AWIA 2018 Section 2013 |
Community water systems serving 3,300+ people |
Risk and resilience assessment including cybersecurity; emergency response plan |
|
EPA Rule (2023, proposed) |
Public water systems in sanitary surveys |
Cybersecurity evaluation as part of sanitary survey; still subject to legal challenges as of 2024 |
|
CISA Water Sector Cybersecurity |
All water utilities (guidance) |
ICS-CERT advisories for water sector OT, free assessment services through CISA |
|
TSA Pipeline Security Directives |
Water utilities with pipeline-connected infrastructure above thresholds |
OT security controls, network segmentation, incident reporting |
|
IEC 62443 |
Water utilities adopting international standards |
Zone and conduit architecture, Security Level assignment for treatment and distribution OT |
OT Security Controls for Water Utilities
Remove Internet-Exposed HMIs and RTUs Immediately
Any HMI or RTU directly accessible from the internet without multi-factor authentication should be treated as a critical finding requiring immediate remediation. Zero Trust remote access architecture replaces direct internet exposure with authenticated, session-governed access that logs every connection and terminates sessions when maintenance is complete. This single control eliminates the most commonly exploited attack vector in the water sector.
Change All Default Credentials on Field Devices
The Cyber Av3ngers attacks in 2023 exploited default credentials on Unitronics PLCs. CISA's advisory on that incident listed default credential use as the primary attack vector. Auditing every PLC and RTU in the distribution and treatment network for default vendor credentials, then changing them, is a foundational OT hardening action that requires no technology investment.
Segment Treatment and Distribution Networks
Flat OT networks in water utilities often have no separation between the chemical dosing PLC network, the distribution SCADA network, and the IT corporate network. Network segmentation that places the chemical dosing systems in a dedicated, highly restricted zone limits the blast radius of any compromise and prevents an attacker who reaches the SCADA server from directly commanding dosing PLCs without crossing a controlled boundary.
Implement Passive Monitoring for Anomaly Detection
Passive monitoring of water treatment OT networks detects unauthorized command traffic, unexpected device connections, and engineering software access outside of maintenance windows. For water utilities with limited security staff, monitoring alerts can be handled through a co-managed service arrangement that provides 24/7 coverage without requiring internal analyst staffing. The OT SOC guide covers operating model options for utilities of different sizes.
Frequently Asked Questions
What is the EPA's cybersecurity requirement for water utilities?
The EPA's 2023 proposed rule would have required cybersecurity evaluations as part of routine sanitary surveys for all community water systems, but it was withdrawn following legal challenges from multiple states. The AWIA 2018 Section 2013 requirement for risk and resilience assessments remains in effect for systems serving 3,300 or more people and explicitly includes cybersecurity within its scope. CISA also provides free voluntary cybersecurity assessments for water utilities through its water sector programs.
Our water utility serves a small community. Do OT security requirements apply to us?
AWIA 2018 requirements apply to community water systems serving more than 3,300 people, which includes many small utilities. But the practical security requirements apply regardless of size: an internet-exposed HMI with a default password is a security risk for a utility serving 5,000 people as much as for one serving 500,000. CISA provides free OT security assessments specifically for small and medium water utilities that want to improve their security posture without large capital investment.
How is water utility OT security different from other critical infrastructure sectors?
The most distinctive feature of water utility OT security is the direct public health consequence of process manipulation. A ransomware attack that encrypts a utility's IT systems can be devastating operationally. An attack that successfully alters chemical dosing at a treatment facility has immediate physical consequence for the population drinking the water. This elevates the safety dimension of OT security in the water sector above most other sectors, and it means that chemical dosing control systems warrant the highest security priority regardless of their perceived value as a target.
What should a water utility do first if it has no OT security program?
Start with two immediate actions: audit all remotely accessible OT assets and remove or secure any internet-exposed HMIs or RTUs, and change default credentials on all PLCs and RTUs in the treatment and distribution network. These two actions directly address the attack vectors used in the most documented water sector OT incidents. Once those immediate risks are addressed, conduct a formal OT risk assessment to establish the full baseline before investing in monitoring technology or broader program development.
|
Ready to assess your OT security posture? We help industrial operators build practical OT security programs that account for operational and process safety constraints. Book a free consultation. |