From The Editor | March 6, 2025

Cybersecurity For The Win: How Water Utilities Can Embrace Digital Technology

kevin-westerling_110x125_sans-nameplate.jpg

By Kevin Westerling,
@KevinOnWater

Water supply system, Data Management, network-GettyImages-2163561156

Water and wastewater system operators are known to be a careful lot. Tightly regulated by the U.S. EPA and state agencies — and committed to public health — they cannot afford mistakes. This often results in “tried-and-true” methodologies winning out over innovative solutions, but the incredible upside offered by digital technologies has encouraged a wave of cyber adoption. Almost cruelly, it comes with cyber threats.

The benefits will outweigh any potential downside, however, so long as cybersecurity is in place. To better understand the scope of risk utilities face and the protection required, I spoke with Steven Taylor, Senior Global Product Manager of Cybersecurity Services at Rockwell Automation. Read on for insight to keep you confident in traversing the digital path to more efficient, sustainable, and effective water and wastewater management. Don’t let bad actors impede our industry’s progress!

How much at risk are water and wastewater systems to cybersecurity threats?

Water and wastewater treatment facilities are critical systems that are increasingly targeted by threat actors. In a recent IBM report, it was stated that attacks on vulnerable systems in industrial sectors had an 18% total cost increase compared to those costs in 2023. The impacts can be catastrophic if control systems at water treatment plants are targeted, potentially causing crippling disruptions, panic, widespread illness, and more. As a result, these systems are often considered highly vulnerable due to their traditionally outdated systems and legacy infrastructure. Some methods used often come in the form of ransomware attacks or insider threats.

What is the current regulatory landscape for cybersecurity protection of critical infrastructure?

Recent high-profile incidents in Pennsylvania and Kansas have highlighted the need for stronger cybersecurity frameworks, as many facilities still rely on outdated systems with limited security measures. Though many security professionals are pushing for stricter guidelines, implementation gaps remain a challenge. While formal regulations continue to be evaluated, cyber threats are evolving; therefore, a proactive and collaborative approach between government agencies and private sector operators is essential. In terms of best practices, current guidelines, provided by the Cybersecurity and Infrastructure Security Agency (CISA) and the EPA, are being leveraged by vendors to thoroughly serve as protection.

How does a utility ensure good “cybersecurity hygiene”?

Critical infrastructure operators should practice “good hygiene” by implementing a holistic, structured OT cybersecurity program rooted in industry frameworks. A good framework to follow is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The core functions of the latest framework are to identify, protect, detect, respond, recover, and govern. These functions of the CSF also act as steps for operators to take to help protect their systems before, during, and after a potential attack. Another tip to ensure good cybersecurity hygiene is to do an assessment of the current staff’s awareness of tools and/or best practices. This could include involvement in proactive disaster recovery drills, general tabletop exercises, and penetration testing.

What are the challenges to meeting that standard, and how are they overcome?

While there are differences in the way that each individual water treatment facility is operated, they often face similar cybersecurity challenges. Water treatment infrastructure is often aging and outdated. It can also be difficult and expensive to upgrade security, especially when cybersecurity is underfunded or overlooked in critical infrastructure. However, operators must recognize that even newer facilities, with advanced technologies, are not immune to attacks. Operators must work to ensure that cybersecurity is integrated into both new and legacy systems to prevent service disruptions or more severe consequences.

What cybersecurity considerations must utilities make as digital technologies continue to proliferate?

The increasing reliance on automation and AI in critical infrastructure, including water and wastewater systems, will require significant and strategic shifts in cybersecurity protocols and investments. While modern technologies enhance efficiency and threat detection, they also introduce new vulnerabilities that adversaries can use to their advantage. Organizations must prioritize investments in AI-driven security measures, continuous monitoring, and adaptive risk management to stay ahead of evolving threats. Additionally, cybersecurity protocols will need to incorporate stronger safeguards against AI manipulation and system breaches. A balanced approach of leveraging automation while maintaining human oversight will be key to ensuring both operational efficiency and security resilience.