www.waterplant.tech

Strengthening Cybersecurity in Water and Wastewater Infrastructure

Insights from Tetra Tech on rising cyber risks and strategies for risk assessment in utility operational technology and digital supply chain contexts.

  www.tetratech.com

Water and wastewater utilities are experiencing a sustained rise in cyberattacks aimed at critical infrastructure, driven by increased connectivity and threat sophistication. Cyber threats against operational technology (OT) systems in these sectors can disrupt services and pose risks to environmental and public health, prompting renewed calls for systematic vulnerability assessment and mitigation across the digital supply chain of utility operations.

Rising Threats and Regulatory Context
Malicious cyber activity targeting water and wastewater systems has escalated annually, with a significant portion of global reported cyberattacks directed at critical infrastructure in 2024. Federal agencies—including the U.S. Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA)—have been emphasizing enhanced cybersecurity measures for utilities. In 2024, EPA enforcement alerts indicated that a majority of inspected water systems were not compliant with statutory cybersecurity provisions of the Safe Drinking Water Act.

The risk environment for water utility cyber defenses reflects broader sector challenges, such as disparate cybersecurity maturity levels and resource constraints that can leave systems vulnerable to exploitation if proactive measures are not implemented.

Cybersecurity Vulnerability Assessment: Key Mechanism
A foundational practice in improving resilience is conducting a cybersecurity vulnerability assessment (CVA). A CVA systematically identifies weaknesses in OT and information technology (IT) systems, offering prioritized recommendations to elevate a utility’s overall security posture. Tools provided by industry bodies—such as the American Water Works Association’s Cybersecurity Risk Management Tool, the EPA’s Water Cybersecurity Assessment Tool, and CISA’s Cyber Security Evaluation Tool—are available to utilities for self-assessment and benchmarking against best-practice criteria.

These assessments help water utilities address vulnerabilities throughout their digital supply chain, from SCADA and control systems to connected network devices, by highlighting gaps relative to industry frameworks such as the NIST Cybersecurity Framework and ISA/IEC standards.

Mitigation Practices and Operational Measures
EPA guidance on securing water systems outlines practical steps that utilities can adopt to reduce exposure to threats. Reducing unnecessary internet-facing connections, changing default equipment passwords, routine vulnerability scanning, and backing up both OT and IT systems are recommended baseline practices. Complementary actions include cybersecurity awareness training for staff, change and patch management processes, and subscribing to vulnerability alerts from agencies like CISA and the EPA to stay abreast of emerging threats and known exploited vulnerabilities.

Utilities are also advised to require third-party vendors and contractors to perform vulnerability scanning and mitigation before deploying new assets, integrating cybersecurity considerations across the procurement lifecycle of digital and physical infrastructure.

Operational Impact and Resilience
Addressing vulnerabilities is increasingly seen as integral to operational continuity rather than solely regulatory compliance. Effective cybersecurity practices can reduce downtime from incidents, protect sensitive operational data, and strengthen resilience against sophisticated threat actors. By embedding cybersecurity into planning, assessment, and operations—particularly in the context of digital supply chain dependencies—utilities enhance their ability to maintain safe, reliable service in the face of evolving cyber risks.

Adopting structured mitigation frameworks and leveraging established assessment tools enables utilities to benchmark progress over time and align with recognized standards, which supports regulatory compliance and operational reliability across the water and wastewater ecosystem.
