The integrity of water systems is both a public health and national security concern. Yet these essential systems have become increasingly soft targets in a rapidly changing cyber threat landscape. As treatment plants, distribution networks, and dams adopt digital tools to improve efficiency and reliability, they also expose themselves to new vulnerabilities that must be addressed with focus and collaboration.
Across the globe, utilities are linking systems through Supervisory Control and Data Acquisition (SCADA) technology, Internet of Things (IoT) sensors, and remote management platforms. These digital tools enable real-time monitoring and automation, helping operators manage resources more effectively. However, they also create additional entry points for cybercriminals and hostile actors seeking to exploit weaknesses in critical infrastructure.
Recent incidents in Norway, Poland, and the United States underscore the reality of these risks. In Norway, a water supply facility attack exploited outdated software and poorly segmented networks, disrupting operations and raising concerns about water quality. In Poland, hackers attempted to alter the chemical dosing systems that regulate chlorine levels, putting thousands of residents at risk. A similar event in a small U.S. town demonstrated how even small utilities are vulnerable. While these attacks were contained before causing physical harm, they highlight the urgent need for stronger cybersecurity protections in the water sector.
Every utility should have a clear, tested incident response plan to contain and recover from an event quickly while maintaining public trust.
Our work with U.S. water utilities highlights the practical challenges many operators face in improving cyber readiness. Smaller utilities often rely on legacy equipment and have limited to no dedicated IT or cybersecurity staff. Many were designed for reliability, not resilience, leaving them open to unauthorised access or remote exploitation. Because digital controls directly influence physical operations, a successful cyberattack could have immediate, far-reaching consequences, contaminating water or disrupting supply.
Improving cybersecurity across the water sector requires a multilayered approach. Modernising infrastructure is essential, replacing unsupported or outdated systems with secure and well-maintained solutions. Network segmentation should separate operational technology from corporate networks and the wider internet to limit lateral movement in the event of a breach. Regular patching, access control and continuous monitoring can further reduce vulnerabilities and improve early detection. Yet technology alone is not enough, and often we see that budgets prevent organisations from being able to make such investments.
There is hope, however, as technology alone is not enough, and there are steps organisations can take to improve their cyber resilience by looking at their processes and people. Many cyber incidents begin with phishing or social engineering. Training employees to recognise and report these attempts is one of the most effective defences. Every utility should have a clear, tested incident response plan to contain and recover from an event quickly while maintaining public trust.
Regulation and collaboration are equally important. Governments and industry regulators must establish and enforce minimum cybersecurity standards for critical infrastructure. International cooperation is also needed to share threat intelligence, develop best practices and coordinate responses. Cyber threats do not respect borders, and protecting the water sector requires consistent global engagement.
Cybersecurity in the water industry is about protecting communities, not just networks. As utilities modernise and embrace digital transformation, security must evolve alongside innovation. With thoughtful investment, cross-sector collaboration and a commitment to continuous learning, we can build the resilience needed to safeguard one of our most vital resources and ensure the utilities the public counts on remain secure, reliable and trusted.