Did you know that less than 25% of water and wastewater utilities in the U.S. undergo an annual cyber risk assessment, according to an EPA survey? As one of 16 critical national infrastructure (CNI) segments, the water sector has landed on high-alert status in recent months of global geopolitical uncertainty. In April, the EPA, FBI, CISA and NSA issued a joint cybersecurity advisory to water systems, raising awareness of just how imperative securing water utilities is.
Indeed, cybersecurity has become an operational resilience issue for water and wastewater utilities, as it is tied directly to public health, environmental protection, service continuity and community trust. Now, the criticality of water for data center infrastructure has heightened security concerns as the AI economy accelerates. From healthcare to data center operations, water is a lifeline.
The systems that move water from source to treatment plant to distribution network and then safely return wastewater through collection and treatment processes are increasingly connected, monitored and automated. While that connectivity, enabled by IT/OT convergence, creates tremendous operational value, it also expands the attack surface for adversaries looking for weak points in critical infrastructure. For instance, attackers have hacked and manipulated human-machine interfaces (HMIs), taken control of programmable logic controllers (PLCs) by changing default passwords and breached operational networks to strike.

The problem is global. According to the International Water Management Institute, more than 30 publicly documented cyberattacks have hit water and wastewater utilities since 2020.
The security challenge is especially urgent because many water system OT environments were not designed with cybersecurity in mind. Even though often-aging assets such as pumps, PLCs, HMIs, sensors, cameras, smart meters, remote access tools and legacy workstations may all support essential operations, many were deployed years before today’s cyber threat landscape even existed. Ask any utility operator to pinpoint the challenges, and you’re likely to hear common concerns since security wasn’t a concern when systems were installed.
What Makes Water Systems Attractive Targets for Cyber Adversaries?
It is understandable that prioritizing the security of water systems has lagged other critical national infrastructures. Water utilities operate under constraints that make security transformation difficult. Budgets are tight. Specialized OT cybersecurity expertise is scarce. Logistically, small, municipal teams are the ones that often are responsible for large, distributed environments with thousands of assets across treatment plants, lift stations, reservoirs, remote pump sites, administrative offices and field locations. Reliability and continuous operations are also considerations: operators must keep services available every day with limited downtime windows. What’s more, equipment may be difficult or impossible to patch without operational disruption.
Against this backdrop, adversaries see an opportunity to pounce. To them, water systems are attractive targets. Internet-exposed devices, the surprisingly common use of default passwords, weak segmentation, insecure remote access and unmonitored industrial protocols are giving them beckoning pathways into environments where even small changes can have physical consequences. A manipulated set point, a disabled alarm, an altered pump cycle or unauthorized access to an HMI can disrupt service, damage equipment, create safety risks or erode public confidence.
There are many reasons why OT security is fundamentally different from traditional IT security, which relies heavily on deploying patches regularly and on a broad scale to fix known vulnerabilities. In IT, the familiar priority order follows the CIA triad: confidentiality, integrity and availability. In OT, by contrast, system availability and safety come first. Control systems may be outdated, unsupported or running on an old operating system, but replacing or patching these systems, some of which are decades old, is not a simple IT maintenance task. As a water utility operator, you must approach security programs in pragmatic ways to reduce cyber risk without creating operational instability.
What Are the Foundational Steps for Maturing Cybersecurity Resilience?
Step #1: Gain Complete Visibility into Your Operational Environment
One of the most important lessons for the sector is also one of the simplest: utilities cannot protect what they cannot see. But many organizations still rely on static spreadsheets, institutional knowledge or vendor documentation to understand what is connected to their networks. As you likely are experiencing now, thanks to digitalization, those approaches can quickly become outdated as equipment changes, vendors connect remotely, new field devices are installed or temporary workarounds become permanent.
An OT security program fit for today’s rampant security threats begins with creating a real-time inventory of assets and their communications. That includes understanding what “normal” looks like by establishing behavioral baselines.
For water and wastewater operators, passive monitoring is often the safest starting point. By observing network traffic through taps, mirrored ports or packet captures, utilities can gain actionable insights without placing tools inline or disrupting production processes. Where appropriate, active discovery, endpoint agents and wireless monitoring can add richer context. The goal is not to overwhelm teams with more data but rather to create a reliable operational picture that helps them understand their cyber risks and prioritize remediation.

Using a combination of endpoint-to-air sensors, passive and active data collection, OT/IoT protocol support and third-party IT asset data, the Nozomi Networks platform provides this complete visibility of assets, turbocharged with AI-powered asset intelligence to enrich profiles.
Step #2: Assess and Prioritize Cyber Risk Dynamically
In IT, device risk is based solely on vulnerabilities, and you can practically eliminate risk with patching. In OT, it’s multilayered, and patches must often be delayed until the next maintenance window — assuming they exist at all. The most effective programs prioritize risk based on exploitability, asset criticality, exposure, communication patterns and operational impact. Clearly, a vulnerability on an isolated, noncritical device should not be treated the same as an exploitable weakness on a controller supporting a vital treatment process.
Effective prioritization depends on the combination of risk scoring, threat intelligence and operational context. Known exploited vulnerabilities, unsupported hardware, insecure protocols, default credentials, abnormal communications and internet-facing services should rise to the top of the remediation queue. In some cases, the answer may be patching or firmware updates. In others, it may be segmentation, tighter remote access controls, compensating controls, vendor coordination, backup validation or formal risk acceptance with clear monitoring. No matter what the scenario is, the bottom line is that risk management in water and wastewater systems (and any OT environment) must be dynamic.
Remediation is rarely a one-time event. New vulnerabilities emerge, assets age into end-of-support status, contractors change, wireless technologies appear and process behavior shifts. Continuous monitoring of the dynamic environment helps teams detect these changes early, well before a minor deviation becomes an incident.
Step #3: Level Up Incident Response Readiness
True, prevention matters, but resilience is the name of the game in cybersecurity today. Response and recovery are crucial. Accordingly, every water and wastewater organization should know who owns each part of an incident response process before an incident occurs. Incident response plans should document:
- Who makes operational decisions
- Who contacts vendors
- Who preserves evidence
- Who communicates with regulators, leadership and the public
- Where is incident data stored
- How are backups maintained and tested
- What happens if a key workstation, HMI or engineering laptop is unavailable
When you regard documented playbooks, scheduled backups and recovery plans as key facets of operational discipline, you strengthen resilience. This approach also helps small teams act with confidence under pressure. In an environment where a few people may be responsible for many sites and systems, clarity can be the difference between a contained disruption and a prolonged outage.
Maturing Your OT Security Strategy for Water Systems
For many water and wastewater system operators, the right approach to OT security is not a massive transformation that happens all at once. It is a maturity journey. What do those milestones look like?
- First, build an accurate inventory.
- Then establish network visibility and segmentation.
- Next, prioritize vulnerabilities and exposures based on operational risk.
- Add anomaly detection and threat intelligence.
- Practice response plans.
- Measure progress site by site and zone by zone.

This “walk-before-you-run” mindset is particularly important in water and wastewater because the mission is continuous service, not technological perfection. The objective is to make better risk decisions faster. A utility that understands its assets, knows its most critical vulnerabilities, monitors abnormal behavior and has tested response plans is far better positioned than one that waits for a breach, spill, outage or public headline to force action.
Cybersecurity in water and wastewater is ultimately about trust. Communities trust utilities to deliver clean water, protect the environment and keep essential services operating. As digital systems become more embedded in those missions, OT security becomes a core part of public service. The sector needs practical visibility, prioritized risk reduction, resilient operations and sustained commitment.
The time to act is well before the alarm sounds. By shifting from reactive cleanup to proactive resilience, water and wastewater utilities can protect their operations, their communities and the public confidence that flows through every tap.
Need help getting started? Nozomi Networks can work with you to achieve operational resilience and reduce risk. Connect with us today.





