The water sector, a cornerstone of critical infrastructure, is increasingly under siege from cyber threats. In 2024, incidents and developments highlight the sector’s vulnerability and the urgency of enhanced cybersecurity measures.
In the UK, Southern Water reported in February a data breach that exposed personal and operational data. Hackers targeted the utility’s IT systems, gaining unauthorized access and compromising personal details of a portion of customers and employees. Across the Atlantic, American Water, the largest regulated water utility in the U.S., was hit by a cyberattack that disrupted internal systems last October. Although the attack was contained, it raised alarms about the potential consequences of a successful infiltration into critical systems controlling water distribution and quality.
Other incidents have demonstrated the catastrophic potential of cyberattacks in the sector. In Texas, a water facility was targeted in a cyberattack that attempted to manipulate processes, suspected to involve Russian-linked hackers. In Kansas, a water treatment facility in Arkansas City suffered a cybersecurity incident and was switched to manual operations out of caution. These incidents highlight the vulnerability of water utilities, not always equipped to counter sophisticated cyber threats, underscoring the need for robust cybersecurity measures and collective action to protect this vital infrastructure.
The risks prompted Moody’s to flag the water and wastewater sector as facing important cyber risks. In an Investors Service report, Moody’s identifies as a primary threat for water services the potential infiltration of operational technology (OT) systems by malicious actors. According to the report, attacks orchestrated by nation-states pose heightened risks due to their substantial funding and extensive expertise, often aiming for nonfinancial gains by disrupting various sectors of the economy
In response, governments are stepping up efforts. Last March the White House and the Environmental Protection Agency (EPA) issued a joint warning emphasizing the sector’s exposure to cyber threats, urging state authorities to allocate more resources and attention to protecting water utilities. In May, the EPA revealed that over 70% of inspected water systems fail to meet critical security standards set out by the Safe Drinking Water Act (SDWA).
Legislative and strategic actions are gaining momentum. In February, a U.S. congressional subcommittee hearing addressed the escalating cybersecurity challenges in the water sector, underscoring the need for urgent policy intervention. A proposed U.S. cybersecurity bill focuses on safeguarding water systems by establishing a Water Risk and Resilience Organization, while in December the Cybersecurity and Infrastructure Security Agency (CISA) and EPA issued updated guidance for safeguarding critical water infrastructure.
Furthermore, threats from pro-Russia hacktivists targeting water utilities in North America and Europe were flagged in an international advisory issued jointly by multiple U.S. agencies as well as the Canadian Centre for Cyber Security and the United Kingdom’s National Cyber Security Centre last May. In addition, U.S. authorities have accused “Volt Typhoon”, a group of hackers allegedly linked to the Chinese government of targeting American civilian critical infrastructure. Other suspected actors are officials from the Iranian Islamic Revolutionary Guard Corps (IRGC), sanctioned by the U.S. Department of the Treasury as responsible for cyber attacks against critical infrastructure. A group called “CyberAv3ngers”, affiliated with the IRGC, has targeted technology by Israeli company Unitronics used in water and wastewater facilities.
In light of these risks, international collaboration and proactive investments in cybersecurity are a must. As cyber threats grow in sophistication, governments, utilities, and private entities must collaborate to safeguard water systems, which are not just critical to public health and safety but also to national security.