Our Water Is Under Attack — Why Cybersecurity Must Catch Up


Posted by Pankaj Kumar

When you think about protecting critical infrastructure, what comes to mind? Maybe power grids. Maybe banks. Maybe even hospitals. But how often do you think about your drinking water?

The reality is water and wastewater systems are quietly becoming one of the most vulnerable sectors to cyberattacks. And if we don’t act quickly, the consequences could be devastating—not just financially, but for public health and environmental safety too.

To better understand the cybersecurity posture in this sector, we examined the practices of three different companies:

Company A is a small supplier (under 10 employees) that provides valves and chemicals to municipal water treatment plants in the Central US. It lacks a dedicated cybersecurity team and relies on basic IT support with no formal Managed Service Provider (MSP).

Company B is a mid-sized valve provider (10+ employees) also based in the Central US. It has rudimentary security measures and minimal formal cybersecurity staffing.

Company C is a multi-site wastewater management firm (15–20 employees) in the Eastern US, operating with some IT personnel and partial engagement with MSPs.

What we found was eye-opening:

  • Asset management was inconsistent and outdated—often documented manually, if at all.
  • Access control existed in some companies but was implemented via basic password protection, lacking modern safeguards like Multi-factor Authentication (MFA).
  • Only one company had a partially developed Incident Response (IR) plan; the other two either had no formal IR plan or relied on ad hoc responses when incidents occurred.

Why Isn’t the NIST Framework Enough?

“Wait, isn’t the NIST Cybersecurity Framework supposed to help here?” It is. But good frameworks don’t fix bad realities by themselves.

The truth is that smaller utilities simply don’t have the resources. Budgets are tight. Cyber talent is hard to come by. And old systems like Supervisory Control and Data Acquisition (SCADA) weren’t built with cybersecurity in mind in the first place.

Even among the companies in the study above, only two had started their journey to adopt NIST principles, and their implementation was uneven. One had strong policies on paper but very little enforcement in practice; the other hadn’t gotten much farther than installing basic antivirus.

This isn’t a knock on the people running these facilities — far from it. They’re doing their best with what they have. But when they are up against increasing cyberthreats while working with limited budgets, outdated systems, and hardly any dedicated cybersecurity staff, there’s only so much that can be done. Without broader support and attention, the gap between the threats these companies face and the defenses they can deploy will only keep growing.

What Needs to Change — Now

Based on what we saw across Companies A, B, and C, a few key priorities stood out:

  • Know Your Assets: Regularly inventory what’s connected to your network. If you don’t know what you have, you can’t protect it.
  • Lock It Down: Use strong authentication (like MFA) everywhere, and separate critical systems from the open Internet.
  • Get Help If You Need It: Managed Detection and Response (MDR) services aren’t just for big corporations anymore.
  • Have a Plan: An incident response plan isn’t a nice-to-have. It’s a lifeline when things go wrong.
  • Back Up Like You Mean It: Keep offline backups and test them regularly, not just once before considering the job done.

These aren’t new ideas. But in sectors like water and wastewater, they’re the difference between a bad day and a catastrophic one.

Why Government and Cybersecurity Leaders Must Partner

Water systems rarely make headlines — until something goes terribly wrong. And while cybersecurity professionals across organizations like RSAC, CSA, and ISACA can see the risks and offer solutions, lasting impact requires strategic action from government bodies — and a strong public-private partnership.

Cybersecurity isn’t just a tech issue — it’s a public safety priority. Protecting people means protecting the systems they depend on every day. Yet many water and wastewater utilities, especially smaller ones, are operating with limited budgets, outdated technology, and minimal cybersecurity staffing.

This is where federal and state agencies must lead — not alone, but in partnership with cybersecurity experts, industry groups, and nonprofits. By working together, we can bring funding, enforceable standards, training programs, and scalable solutions to the utilities that need them most.

That partnership must go beyond policy — it must be operational. Government agencies can leverage the deep technical expertise within RSAC, CSA, ISACA, and similar organizations to co-develop playbooks, offer assessments, and guide resilience strategies.

If we’re serious about national security and protecting public health, we can no longer afford to treat water infrastructure as an afterthought. Because when these systems fail, the impact is immediate — and deeply personal — felt in every home, every school, and every hospital.

Resilience starts with collaboration. And honestly, what could be more critical than that?

Contributors
Pankaj Kumar

Sr Project Manager, United Flow Technology

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.