Guest Column | July 10, 2026

From Compliance To Resilience: Practical Lessons In OT Recovery For Water Utilities

By Tobias Nitzsche

AI Technology-clean water-GettyImages-1314144808

Water Infrastructure Under Threat

In October 2024, American Water, the largest publicly traded water utility in the U.S., took its customer systems offline after discovering unauthorized access to its networks.1 The company serves roughly 14 million people across 14 states. A few weeks earlier, the Arkansas City Water Treatment Facility in Kansas was hit by ransomware and forced to switch to manual operations.2 In Texas, attackers linked to a Russian hacktivist group remotely manipulated SCADA systems at multiple water plants, causing a water system to overflow in one town before operators regained manual control.3

These incidents reflect a broader pattern. Water and wastewater utilities have become attractive targets for cybercriminals and state-sponsored actors. The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned that drinking water and wastewater systems are vulnerable because they often lack the resources and technical capacity to adopt rigorous cybersecurity practices.4 The question is no longer whether your utility will face a cyber incident, but when — and whether you will be ready.

The Regulatory Push: NIS2 And The IT/OT Divide

Regulators have taken notice. In Europe, the NIS2 directive now classifies water utilities as essential entities, subject to strict cybersecurity requirements including 24-hour incident reporting. At the 15th SWAN Annual Conference in Berlin, I chaired a roundtable on NIS2 implementation across EU member states.5 The room was packed, a clear sign that the industry recognizes the stakes.

What struck me most was the gap between IT and OT awareness. Several delegates pointed out that their organizations had invested heavily in IT security but had barely scratched the surface on the operational technology side. One participant put it bluntly: "People remain the biggest risk. They don't always understand that they need to take care of OT, not just IT."

This IT/OT divide runs deeper than most organizations realize. IT security teams typically focus on data confidentiality and network perimeter defense. OT environments prioritize availability and safety, because a pump that stops unexpectedly can cause environmental damage or endanger public health. The tools are different, the protocols are different, and the consequences of getting it wrong are different.

When a ransomware attack hits, IT teams may instinctively want to isolate systems and preserve forensic evidence. But in OT, an uncontrolled shutdown can be more dangerous than the attack itself. Without joint training and clearly defined roles, these conflicting priorities lead to confusion, delays, and costly mistakes. Bridging this gap requires more than technology. It demands a cultural shift where IT and OT teams plan, train, and respond together.

A Friday Night Ransomware Attack: What Actually Happened

Let me share a case study. The details come from a 600-MW combined-cycle power plant, but the lessons apply directly to water and wastewater operations. Both sectors run complex OT environments, rely on legacy systems, and face the same threat actors.

The plant had done many things right. They had a 20-page disaster recovery plan with contact lists and communication protocols. They ran annual tabletop exercises. They had a 72-hour service level agreement (SLA) with their DCS (distributed control system) vendor. Automated daily backups ran to a NAS (network-attached storage) device on the DCS network. Cold spares sat ready for servers and controllers.

On paper, they were prepared. Then came the attack.

Figure 1. The attack timeline, from initial phishing to plant shutdown

It started with a phishing email. An engineer on the corporate IT network clicked a link, and attackers gained their initial foothold. Over the next two weeks, they moved laterally from IT to OT, exploiting a poorly configured firewall. On a Friday at 10 PM, the ransomware activated. It hit the DCS servers, operator HMIs (human-machine interfaces), and engineering workstations. The backup NAS, connected to the same network, was encrypted too.

Operators lost all visibility. They executed an emergency trip to prevent a catastrophic failure and shut down one of the units. The plant went dark.

Where The Plan Fell Apart

The post-incident analysis revealed several gaps that looked obvious in hindsight but had been invisible before the attack.

The backup strategy failed to account for asset criticality. Daily differential backups existed, but the most recent offline backup was three months old. When the online NAS was encrypted, the recovery point objective (RPO) went out the window. The backup design had been built around convenience, not around what would actually be needed in a worst-case scenario.

The cold spare strategy did not align with recovery time objectives (RTO). The plant had a 24-hour RTO, but cold spares take days to configure and restore. A warm spare approach, with systems ready to take over within hours, would have made the difference. Nobody had done the math to check whether the spare strategy could actually meet the recovery targets.

Click image to enlarge

Figure 2. Recovery point and recovery time objectives, aligning strategy with business needs

The vendor SLA covered recovery but not the full incident lifecycle. When the IT security team tried to investigate and contain the threat, they struggled. They lacked visibility into the OT network and systems. The DCS vendor's scope was limited to getting systems back online, not to helping with forensics or eradication. Roles and responsibilities had never been clearly defined for a cyber incident.

The communication plan had gaps. Media speculation started before the company could get ahead of the story. The disaster recovery plan addressed internal contacts but had not been tested against a scenario involving public attention and reputational risk.

Training had not included OT-specific scenarios. Annual tabletops focused on IT breaches. Operations staff had not been involved. When the incident hit, people were unsure whether they were dealing with a cyberattack or a system failure, and that uncertainty cost precious time.

What This Means For Water Utilities

While this case study comes from the power sector, water and wastewater utilities face the same fundamental challenges, often with additional complexity.

Water systems are typically more geographically distributed than power plants. A single utility may operate dozens of remote pump stations, storage tanks, and small unmanned facilities spread across a wide service area. Each of these sites represents a potential entry point for attackers, and maintaining consistent security across all of them is a significant challenge.

The technology landscape adds another layer of difficulty. Many water utilities rely on mixed generations of infrastructure, with PLCs (programmable logic controllers), RTUs (remote terminal units), HMIs, and DCS components from different vendors and different eras operating side by side. Some of these systems were installed decades ago and were never designed with cybersecurity in mind. Patching and updating them without disrupting operations requires careful planning and specialized expertise.

Budget and staffing constraints compound these challenges. Water utilities often operate with tighter funding and leaner teams than their counterparts in the energy sector. Dedicated OT cybersecurity specialists are rare. In many organizations, the same staff who manage day-to-day operations are also responsible for security, leaving little time for proactive measures like tabletop exercises or backup testing.

These realities do not make resilience impossible, but they do mean that water utilities must be strategic about where they focus their efforts. The questions that follow are designed to help prioritize the fundamentals.

5 Questions Every Water Utility Should Answer

Click image to enlarge

Figure 3. Backup strategy, RPO/RTO defines the backup type needed

Based on this experience, here are five questions worth asking at your next planning session:

1. Does asset criticality drive your backup frequency and design?

Historians, databases, and key servers need frequent incremental backups. The 3-2-1 rule, three copies, two different media, one offsite, should apply to your most critical recovery targets. And those offline backups need to be tested periodically, not just assumed to work.

2. Does your spare strategy match your recovery time objectives?

Cold spares are cost-effective, but if your RTO is 24 hours and your cold spare takes three days to configure, you have a problem. For critical systems, consider warm spares that can be operational within hours.

3. Does your vendor SLA cover the full incident lifecycle?

Recovery is only one phase. You also need support and the right competences available for investigation, containment, and eradication. If your OEM's scope stops at "get the system running again," you may find yourself without the expertise you need when it matters most.

4. Does your disaster recovery plan include a tested communication protocol?

Think beyond internal contacts. Consider media, regulators, customers, and partner organizations. A plan that has never been exercised under pressure is a plan that will fail under pressure.

5. Do your tabletop exercises or simulators include OT-specific scenarios?

Your staff should be able to distinguish between a system malfunction and a cybersecurity breach. If your exercises only involve IT or vice versa process simulators only address OT incidents, you are training for half of the fight.

Lessons From The Field: Water Utilities In Action

These questions are not theoretical. At ABB, we work with water and wastewater utilities around the world to address exactly these challenges.

One example is a wastewater treatment facility on the U.S. East Coast that partnered with ABB to build a comprehensive Defense-in-Depth cybersecurity program.6 The facility, which protects the adjacent harbor from pollution, recognized that uninterrupted operations were critical for environmental protection and public health. Working together, we deployed a layered security approach including patch management, malware protection, backup and recovery solutions, and application allowlisting.

Similarly, the City of San Jose wastewater treatment facility faced an ambitious challenge: deploy security controls, apply more than 2,000 security patches, and conduct a cybersecurity assessment, all within five days.7 By combining centralized management with on-site expertise, the project was completed on schedule, demonstrating that even large, distributed systems can be secured efficiently when the right approach is taken.

These examples show that resilience is achievable. It requires commitment, planning, and the right partnerships, but the water sector is rising to meet the challenge.

Building Resilience, Not Just Compliance

Compliance with NIS2 or other regulations is a starting point, not an end state. Checking boxes will not protect your operations when an attacker encrypts your control systems on a Friday night.

Resilience comes from integration. Business continuity, disaster recovery, and cybersecurity cannot live in separate silos. They need to be planned together, tested together, and improved together based on real incidents and near-misses.

Resilience also comes from people. Technology alone will not save you. Your teams need to understand the threats, know their roles, and have practiced their response. That means investing in training that goes beyond annual compliance exercises.

The water sector faces real threats from sophisticated adversaries. But the path forward is clear: get the fundamentals right, test your assumptions, and build a culture where security is everyone's responsibility. The utilities that do this work now will be the ones that recover quickly when, not if, an incident occurs.

Tobias Nitzsche is Head of Legislation and Technology, Cyber Security at ABB. He works with critical infrastructure operators across the energy and water sectors on OT security strategy, incident response, and regulatory compliance. Drawing on hands-on experience from former roles leading recovery efforts after ransomware attacks, he advises utilities on aligning their security programs with evolving legislation including NIS2.

References

  1. WaterISAC, 'Incident Awareness: Major Water Utility Experiences Cyber Attack,' October 2024. https://www.waterisac.org/incident-awareness-major-water-utility-experiences-cyber-attack-update-october-15-2024
  2. City of Arkansas City, 'Arkansas City Water Treatment Facility Returns to Regular Operations,' December 2024. https://www.arkcity.org/city-manager/page/arkansas-city-water-treatement-facility-treturns-regular-operations
  3. The Texas Tribune, 'Rural Texas towns report cyberattacks that caused one water system to overflow,' April 2024. https://www.texastribune.org/2024/04/19/texas-cyberattacks-russia/
  4. EPA/White House, Letter to Governors on Water Sector Cybersecurity, March 2024.
  5. ABB, 'Navigating NIS2 in the Water Sector: SWAN 2025 Perspectives,' October 2025. https://new.abb.com/news/detail/126967/navigating-nis2-in-the-water-sector-swan-2025-perspectives
  6. ABB, 'U.S. wastewater treatment plant deploys ABB cyber security solutions.' https://new.abb.com/control-systems/industry-specific-solutions/water-wastewater-treatment/u.s.-wastewater-treatment-plant-deploys-abb-cyber-security-solutions
  7. ABB, 'ABB cyber security extends support to San Jose wastewater treatment plant.' https://new.abb.com/control-systems/industry-specific-solutions/water-wastewater-treatment/abb-cyber-security-extends-support-to-san-jose-wastewater-treatment-plant

Click here for more Water Innovations articles