Water Infrastructure and the Consequences of Failure
The water and wastewater sector operates systems where a successful cyberattack carries public health consequences that are immediate, visible, and directly harmful to the communities served. A ransomware attack on a manufacturing plant shuts down production. A cyberattack on a water treatment facility, conducted with the right knowledge and access, could manipulate chemical dosing processes in ways that make treated water unsafe to consume before anyone detects the change.
This is not a theoretical scenario. It was demonstrated with alarming clarity in Oldsmar, Florida in February 2021, when an attacker gained remote access to the treatment facility's SCADA system and briefly increased the sodium hydroxide (lye) dosage to 111 times the normal level. The attempt was foiled when an alert operator noticed the cursor moving on the shared screen and reversed the change. A single operator's vigilance prevented a public health incident.
The Oldsmar incident was not a sophisticated attack. It exploited basic security failures: remote desktop software (TeamViewer) with shared credentials, no multi-factor authentication, and insufficient monitoring. These are the same failures present in hundreds of water utilities across the country. Oldsmar was not an anomaly. It was a preview.
The Unique Challenge of the Water Sector
Water and wastewater utilities face a combination of constraints that distinguishes them from most other critical infrastructure operators:
Resource limitations. The majority of water utilities in the United States serve small communities. According to EPA data, over 90 percent of public water systems serve fewer than 10,000 people. These utilities typically have limited IT staff, minimal security budget, and no dedicated cybersecurity personnel. The security programs that are standard practice at large energy utilities are financially and operationally out of reach for a utility with three IT employees.
Aging infrastructure and SCADA systems. Many water utilities operate SCADA systems that have been in place for 20 or more years. Replacing them requires capital investment and operational disruption that small utilities cannot easily justify. These legacy systems often run outdated operating systems, have no authentication on communications protocols, and were designed with no cybersecurity considerations whatsoever.
Essential service obligations. A water utility cannot simply take systems offline while investigating a security incident. Continuous provision of safe drinking water is a public health obligation. Security decisions must account for the operational consequences of any control action, including security-driven isolations.
Process chemistry consequences. The physical consequences of unauthorized control actions in water treatment are distinct from most other industrial sectors. Chemical dosing systems — chlorination, pH adjustment, coagulation — can affect water safety in ways that are not immediately visible and may affect large population groups before detection. The time between a malicious dosing change and consumer exposure can be short.
Regulatory environment. Water utilities operate under a regulatory framework that is evolving rapidly in response to increasing cyber threats.
The Regulatory Framework: AWIA and EPA Requirements
The America's Water Infrastructure Act of 2018 (AWIA) requires community water systems serving more than 3,300 people to:
- Conduct a Risk and Resilience Assessment covering cybersecurity threats to the physical and digital infrastructure supporting water treatment and distribution
- Develop or update an Emergency Response Plan that addresses cybersecurity incidents
- Certify completion of both requirements to the EPA on a defined schedule
The AWIA requirements are a starting point, not an endpoint. A risk and resilience assessment that documents vulnerabilities without a remediation program attached to it creates liability without protection.
In 2024 and 2025, the EPA proposed and engaged on additional cybersecurity requirements for the water sector, driven by documented increases in nation-state probing of water infrastructure. While the specific regulatory path has evolved, the direction is clear: federal oversight of water sector cybersecurity is increasing, and utilities that have not built baseline security programs are facing growing scrutiny.
Priority Security Controls for Water Utilities
Given resource constraints, prioritization is essential. Not everything can be done at once, and the most impactful controls should come first.
1. Eliminate Remote Access Vulnerabilities
The Oldsmar incident was enabled by basic remote access failures. For water utilities, eliminating or hardening remote access should be the highest-priority security action:
- Remove legacy remote access software such as TeamViewer and AnyDesk, and any RDP exposed directly to the internet. These tools, especially when used with shared credentials, are the most commonly exploited OT access vectors.
- Implement proper remote access architecture: a dedicated VPN gateway with multi-factor authentication, connecting to a jump server in an OT DMZ, with session recording. No direct access from the internet to OT systems.
- Require individual credentials for all remote access. Shared accounts provide no accountability and no ability to revoke access for a specific individual or vendor.
- Audit existing remote access tools: survey the OT environment for any installed remote access software that was added by a vendor or contractor without formal authorization.
For utilities that need vendor remote access for SCADA support, purpose-built OT remote access platforms (such as Claroty xDome, Secomea, or Tosibox) provide vendor access with individual credentials, session recording, and time-limited connections without requiring complex VPN infrastructure.
2. Network Segmentation Between IT and OT
If the SCADA workstation that controls chemical dosing is on the same network segment as the office computers, email server, and anything with internet access, this must change. The minimum viable segmentation for a water utility includes:
- A firewall at the boundary between office/administrative networks and SCADA/control networks
- Default-deny rules: only explicitly permitted traffic crosses the boundary
- Documented justification for every permitted flow
- No direct internet access from the SCADA network
This does not require expensive next-generation firewall technology. Even a mid-grade industrial firewall with properly configured rules provides dramatically better protection than a flat network.
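The four checklist items above can be tested mechanically against whatever rule set the boundary firewall actually carries. The following Python script is an added example written for this page, not code from the article's author or from any firewall vendor: it reads a list of rules in a constructed, vendor-neutral format, checks that the set ends in an explicit deny-any default, that every permitted flow carries a written justification, that nothing on the SCADA range can reach a destination outside the documented internal networks, and flags any permit on "any" port as broader than a single justified flow. The address plan (office 10.10.0.0/24, SCADA 10.20.0.0/24) and both sample rule sets are assumptions made up for the illustration.

```python
"""Lint an IT/OT boundary firewall rule set against the minimum
segmentation requirements: an explicit deny-any default at the end,
a documented justification for every permitted flow, and no path
from the SCADA network to the internet.

Added example written for this page. The rule format and the address
plan below are constructed for illustration and are not any firewall
vendor's syntax."""
import ipaddress

# Assumed address plan: office/admin and SCADA/control networks on
# separate ranges with one boundary firewall between them.
INTERNAL_NETS = {
    "office": ipaddress.ip_network("10.10.0.0/24"),
    "scada": ipaddress.ip_network("10.20.0.0/24"),
}


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def _reaches_internet(dst):
    """A destination not contained in a documented internal range can
    reach the internet; 'any' (0.0.0.0/0) is the worst case."""
    return not any(dst.subnet_of(n) for n in INTERNAL_NETS.values())


def _is_default_deny(rule):
    return (rule["action"] == "deny"
            and _net(rule["src"]).prefixlen == 0
            and _net(rule["dst"]).prefixlen == 0)


def lint_rules(rules):
    """Return (rule_index, finding) tuples; an empty list means the rule
    set meets the minimum requirements. Rules are read in order, as the
    firewall applies them."""
    findings = []
    if not rules or not _is_default_deny(rules[-1]):
        findings.append((len(rules) - 1,
                         "rule set does not end in an explicit deny-any default"))
    for i, rule in enumerate(rules):
        if rule["action"] != "permit":
            continue
        src, dst = _net(rule["src"]), _net(rule["dst"])
        if not rule.get("justification", "").strip():
            findings.append((i, "permitted flow has no documented justification"))
        if src.overlaps(INTERNAL_NETS["scada"]) and _reaches_internet(dst):
            findings.append((i, "SCADA network can reach the internet"))
        if rule.get("port") in (None, "any"):
            findings.append((i, "permit on any port is broader than one justified flow"))
    return findings


# Constructed rule set typical of a poorly segmented utility network.
FLAT_RULES = [
    {"action": "permit", "src": "10.10.0.0/24", "dst": "10.20.0.10/32",
     "port": 3389, "justification": ""},
    {"action": "permit", "src": "10.20.0.0/24", "dst": "0.0.0.0/0",
     "port": "any", "justification": "vendor updates"},
]

# Constructed rule set that satisfies the checklist above.
SEGMENTED_RULES = [
    {"action": "permit", "src": "10.10.0.50/32", "dst": "10.20.0.20/32",
     "port": 1433,
     "justification": "Reporting workstation reads the historian replica (segmentation register row 3)"},
    {"action": "permit", "src": "10.20.0.0/24", "dst": "10.10.0.5/32",
     "port": 123,
     "justification": "SCADA hosts sync time from the office NTP server (row 4)"},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "port": "any", "justification": "default deny"},
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, lint_rules(rules) or "OK")
```

Run it after every rule change, or export the live rule set on a schedule and feed it through the linter; a finding on the deny-any check or on SCADA internet reachability is a segmentation failure regardless of what the other rules say.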
3. Secure the SCADA Workstation and HMI
The SCADA workstation and HMI systems in water treatment facilities are high-value targets because they provide visibility and control over the treatment process. Hardening priorities:
- Update or replace operating systems that are past end-of-life. Windows XP and Windows 7 SCADA systems are widely present in water utilities and have numerous unpatched vulnerabilities with public exploits.
- Implement application whitelisting on SCADA workstations — allow only the SCADA software, not arbitrary executables. On older Windows systems, Microsoft's AppLocker or equivalent third-party tools provide this capability.
- Disable unnecessary services: turn off RDP if not required, disable file sharing, remove unnecessary software.
- Control removable media: USB ports used by operators for routine tasks create introduction vectors for malware. Implement documented procedures for removable media use.
4. Change Management and Baseline Documentation
For water utilities with limited security capability, configuration management provides a foundation for detecting unauthorized changes:
- Document the current configuration of SCADA servers, HMIs, PLCs, and network devices
- Establish a change management process: no configuration changes without documentation and authorization
- Periodically compare current configurations against the documented baseline to detect unauthorized changes
- Maintain backup copies of PLC logic, HMI project files, and SCADA server configurations stored offline
If an attacker modifies a chemical dosing setpoint or PLC logic, configuration change detection provides the mechanism to discover it.
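The baseline comparison described above is simple enough to script even for a utility without security staff. The following Python is an added example written for this page, not code from the article's author or from any SCADA vendor: it treats a configuration snapshot as a flat set of named items (PLC setpoints, hashes of HMI project files and PLC logic exports, a hash of the firewall rule set), fingerprints the approved baseline so the offline copy can be checked for tampering before it is trusted, and then reports every difference between baseline and current, marking a difference as authorized only when an approved change record names the same item and the same new value. The tag names, hash inputs and change-record format are constructed assumptions.

```python
"""Compare a current configuration snapshot against the documented
baseline, verify the offline baseline copy has not been altered, and
separate authorized changes (backed by a change record) from
unauthorized drift.

Added example written for this page. The snapshot layout, tag names
and change-record format are constructed for illustration and are not
tied to any SCADA product or PLC vendor."""
import hashlib
import json


def fingerprint(snapshot):
    """SHA-256 over a canonical JSON form of the snapshot. Record this
    value with the offline baseline copy so the copy itself can be
    checked before it is trusted for comparison."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def baseline_intact(snapshot, recorded_fingerprint):
    """True if the stored baseline still matches the fingerprint that
    was recorded when it was approved."""
    return fingerprint(snapshot) == recorded_fingerprint


def detect_drift(baseline, current, change_records):
    """Return one finding per item that differs between baseline and
    current. A change is 'authorized' only if an approved change record
    names the same item and the same new value."""
    approved = {(rec["item"], rec["new_value"])
                for rec in change_records if rec.get("approved")}
    findings = []
    for item in sorted(set(baseline) | set(current)):
        old, new = baseline.get(item), current.get(item)
        if old == new:
            continue
        findings.append({
            "item": item,
            "baseline": old,          # None when the item is new
            "current": new,           # None when the item was removed
            "authorized": (item, new) in approved,
        })
    return findings


def unauthorized(findings):
    return [f for f in findings if not f["authorized"]]


def _sha(label):
    # Constructed stand-in for hashing a real HMI project file or PLC
    # logic export; only the label differs between versions here.
    return hashlib.sha256(label.encode("utf-8")).hexdigest()


# Constructed baseline, as documented and stored offline after approval.
BASELINE = {
    "plc1:NaOH_Dose_Setpoint_ppm": 100.0,
    "plc1:Cl2_Dose_Setpoint_mgL": 1.2,
    "plc1:Logic_Export_sha256": _sha("constructed PLC logic export v7"),
    "hmi1:Project_File_sha256": _sha("constructed HMI project v12"),
    "fw1:Ruleset_sha256": _sha("constructed firewall ruleset 2024-03"),
}
BASELINE_FINGERPRINT = fingerprint(BASELINE)

# Constructed snapshot collected during a periodic comparison.
CURRENT = dict(BASELINE)
CURRENT["plc1:Cl2_Dose_Setpoint_mgL"] = 1.5       # approved change below
CURRENT["plc1:NaOH_Dose_Setpoint_ppm"] = 11100.0  # no change record
CURRENT["hmi1:Project_File_sha256"] = _sha("constructed HMI project v13")
CURRENT["plc1:Remote_Write_Enabled"] = True       # new item, no record

# Constructed change log: only the chlorine setpoint change was approved.
CHANGE_RECORDS = [
    {"item": "plc1:Cl2_Dose_Setpoint_mgL", "new_value": 1.5,
     "approved": True, "reason": "seasonal demand adjustment"},
]

if __name__ == "__main__":
    assert baseline_intact(BASELINE, BASELINE_FINGERPRINT)
    for f in detect_drift(BASELINE, CURRENT, CHANGE_RECORDS):
        status = "authorized" if f["authorized"] else "UNAUTHORIZED"
        print(f"{status:12} {f['item']}: {f['baseline']} -> {f['current']}")
```

The point of keeping the fingerprint separate from the baseline file is that an attacker who can alter PLC logic may also be able to alter a baseline stored on the same network; a copy held offline, with its fingerprint written into the change management paperwork, gives the comparison a reference the SCADA network cannot silently rewrite.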
5. Chemical Dosing Alarm and Setpoint Monitoring
Water treatment process engineers typically configure alarm setpoints for chemical dosing — high and low thresholds that trigger alerts when dosing rates fall outside expected ranges. From a cybersecurity perspective, these process alarms serve as a detection layer:
- Ensure chemical dosing alarms are configured at levels that would trigger on malicious manipulation attempts
- Ensure alarms are annunciated to operators and cannot be silently suppressed
- Consider whether dosing verification (laboratory sampling and analysis) provides additional confirmation of process integrity
For high-consequence treatment facilities, independent verification of chemical dosing through physical gauges, secondary instruments, or manual sampling provides a layer of assurance that does not depend on the SCADA system's integrity.
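Treating process alarms as a detection layer, and checking SCADA values against an instrument that does not depend on SCADA, can be expressed as a few rules over the scan history. The following Python is an added example written for this page, not code from the article's author or from any SCADA product: it evaluates constructed dosing telemetry against high/low setpoint limits, flags a setpoint change between consecutive scans larger than a process engineer would consider credible, flags disagreement between the SCADA-reported value and an independent reading beyond a tolerance, and separately lists alarm conditions that fired in the data but are configured not to annunciate. The limits, tag names, tolerance and readings are all constructed assumptions; real thresholds come from the utility's process engineers.

```python
"""Evaluate chemical dosing telemetry against process alarm limits and
report alarm conditions that a SCADA-only view could miss: out-of-range
setpoints, implausibly large setpoint steps between scans, readings that
disagree with an independent instrument, and alarms that would have
fired but are configured not to annunciate.

Added example written for this page. The limits, tag names and readings
are constructed for illustration; real values come from the utility's
process engineers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlarmLimits:
    low: float        # low alarm threshold for the dosing setpoint
    high: float       # high alarm threshold for the dosing setpoint
    max_step: float   # largest credible setpoint change between two scans


# Constructed limits; the step limit catches a sudden jump even when the
# new value would also trip the high alarm.
LIMITS = {
    "NaOH_ppm": AlarmLimits(low=60.0, high=150.0, max_step=20.0),
    "Cl2_mgL": AlarmLimits(low=0.5, high=4.0, max_step=0.5),
}

# Constructed alarm configuration: the chlorine alarm has been disabled.
ALARM_ENABLED = {"NaOH_ppm": True, "Cl2_mgL": False}


def evaluate(readings, limits, alarm_enabled, tolerance=0.15):
    """Return (t, chemical, kind, annunciated) for every alarm condition.
    Each reading is a dict with keys t, chem, setpoint, scada (the value
    the SCADA system reports) and independent (a secondary instrument or
    grab-sample result that does not pass through SCADA)."""
    alarms = []
    last_setpoint = {}
    for r in readings:
        chem, lim = r["chem"], limits[r["chem"]]
        kinds = []
        if r["setpoint"] > lim.high:
            kinds.append("HIGH")
        elif r["setpoint"] < lim.low:
            kinds.append("LOW")
        prev = last_setpoint.get(chem)
        if prev is not None and abs(r["setpoint"] - prev) > lim.max_step:
            kinds.append("STEP")
        denom = max(abs(r["scada"]), 1e-9)   # avoid division by zero
        if abs(r["independent"] - r["scada"]) / denom > tolerance:
            kinds.append("MISMATCH")
        last_setpoint[chem] = r["setpoint"]
        annunciated = alarm_enabled.get(chem, True)
        alarms.extend((r["t"], chem, k, annunciated) for k in kinds)
    return alarms


def silent_alarms(alarms):
    """Alarm conditions that fired in the data but would not have been
    shown to an operator: the 'silently suppressed' case."""
    return [a for a in alarms if not a[3]]


# Constructed scan history. Scan 2 shows a setpoint jump of the kind the
# Oldsmar account describes; scan 3 shows SCADA reporting a normal
# chlorine value that the independent analyzer does not confirm.
READINGS = [
    {"t": 0, "chem": "NaOH_ppm", "setpoint": 100.0, "scada": 100.0, "independent": 98.0},
    {"t": 1, "chem": "Cl2_mgL", "setpoint": 1.2, "scada": 1.2, "independent": 1.15},
    {"t": 2, "chem": "NaOH_ppm", "setpoint": 11100.0, "scada": 11100.0, "independent": 99.0},
    {"t": 3, "chem": "Cl2_mgL", "setpoint": 1.2, "scada": 1.2, "independent": 2.0},
]

if __name__ == "__main__":
    alarms = evaluate(READINGS, LIMITS, ALARM_ENABLED)
    for a in alarms:
        print(a)
    print("not annunciated:", silent_alarms(alarms))
```

The MISMATCH rule is what gives the independent-verification layer its value: if an attacker who controls the HMI also controls what the HMI displays, the high/low alarm can be defeated by falsifying the reported value, but a secondary instrument or a laboratory sample will still disagree with it.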
Sector-Specific Resources for Water Utilities
Water sector utilities have access to sector-specific security resources that are not available to most other industries:
WaterISAC: The water sector Information Sharing and Analysis Center provides threat intelligence, security advisories, and incident response support specifically for water utilities. Membership starts at a low cost appropriate for small utilities. WaterISAC published specific guidance following the Oldsmar incident.
CISA Free Services for Water Sector: CISA provides no-cost cybersecurity assessments for water utilities through its Critical Infrastructure Cybersecurity Services program, including Cyber Resilience Review (CRR) assessments and vulnerability scanning.
EPA Cybersecurity Resources: EPA has published sector-specific guidance documents and tools for water system cybersecurity, including the Cybersecurity Guidance for Water and Wastewater Utilities.
WaterCISP: The Water Cyber Incident Sharing Platform facilitates sharing of threat information specific to water sector attacks and attempts.
These resources make meaningful security improvement accessible even for utilities with very limited budgets.
The Staffing Reality
Most small water utilities will never have a dedicated cybersecurity professional on staff. The security program must be designed for the people who are actually available: a water treatment operator, a plant engineer, and potentially a shared IT resource.
This means:
- Simplicity in controls: complex security systems that require specialized expertise to operate and maintain will fail when the expertise is absent. Prioritize controls that are understandable and maintainable by generalists.
- Documentation over expertise: detailed operating procedures for security-relevant activities (responding to alarms, authorizing remote access, changing credentials) allow non-security staff to perform security-relevant activities correctly.
- Managed services for specialist capability: SCADA monitoring, threat intelligence, and incident response can be obtained through managed service providers who specialize in water sector OT security, providing access to specialist capability without requiring in-house expertise.
- Mutual aid relationships: regional water utility associations and ISAC programs facilitate mutual aid arrangements where larger utilities with more security capability support smaller neighbors during incidents.
The Oldsmar incident could have been catastrophic. It was not, because an attentive operator noticed something wrong and acted. Building security programs that work with the humans and resources that are actually present — rather than assuming a security capability that does not exist — is how water utilities build meaningful resilience.
Beacon Security provides OT cybersecurity assessments, AWIA compliance support, and security program development for water and wastewater utilities of all sizes. Contact us to discuss the right approach for your utility's resources and risk profile.

