Keeping Water Safe In A Connected World

By John Karabias and Roger Caslow

Water utilities were never designed to sit on the front line of geopolitics or organized cybercrime.

As operators of essential public services, water and wastewater utilities rely on widely distributed assets and a mix of legacy and modern systems to deliver safe, reliable treatment. They were built for longevity and reliability and not so much for continuous connectivity or cyber defense. That has made them an appealing target.

Cyber threats against water infrastructure now range from criminal groups seeking disruption to state-sponsored actors attempting to establish long-term access. The consequences of a successful intrusion extend well beyond data loss. Disruption can affect treatment performance, regulatory compliance, public confidence, and public health.

Modernization And Exposure

At the same time, utilities increasingly rely on digital systems to manage their operations. Advanced control systems, real-time monitoring, and connected assets now underpin everything from treatment processes to system visibility.

These tools deliver clear operational benefits. They improve efficiency and responsiveness across complex networks. But they also change the exposure of systems that were never designed to be accessible or monitored in this way.

As utilities digitize, cyber risk shifts from just an information technology (IT) issue to an operational one. Protecting data is no longer the primary concern (although it remains important). It’s now about making sure that communities have reliable access to clean, safe water.

The challenge facing utility leaders now is how to secure digitally enabled operations — including treatment plants and the systems that support them — without compromising on reliability or safety.

What Preparedness Looks Like In Practice

Hampton Roads Sanitation District (HRSD) in Virginia offers a practical example of how utilities are responding.

Serving nearly two million people across 20 cities and counties, HRSD has modernized its operations with increasingly sophisticated digital systems. Alongside that modernization, the utility has made cybersecurity a core operational requirement and not a standalone technology exercise.

HRSD has strengthened protections across its operational technology (OT) environment by improving visibility into connected assets, addressing network architecture and by building cyber requirements into system upgrades. A recent $13.4 million investment in OT cybersecurity, one of the largest of its kind in the U.S. wastewater sector, reflects its focus on monitoring and response capability.

For HRSD, cyber readiness is inseparable from operational continuity.

Timing Matters

Utilities understand resilience when it comes to physical infrastructure. Pumps, treatment processes, and power supplies are designed with failure in mind. Cybersecurity, however, is often addressed later.

That sequencing creates avoidable risk. As digital upgrades accumulate, undocumented connections, flat networks and unmanaged access pathways can emerge. Once embedded, these weaknesses are harder to identify and more costly to correct.

Cyber-informed engineering offers a different path. When cybersecurity requirements advance in parallel with engineering and system upgrades, protections can be integrated in ways that support operations rather than interfere with them. Security becomes part of how systems are designed and delivered and not an afterthought added under pressure.

Planning For What Cannot Fail

Readiness depends on how systems perform under real conditions, including when something goes wrong. For water utilities, certain functions cannot fail without serious consequences. Water supply, treatment continuity and environmental protection sit at the core of public trust. Protecting these requires more than basic controls.

A consequence-driven approach is needed here, which starts by identifying what matters most, then mapping the digital and physical pathways that support those critical functions. From there, teams can assess how an attacker might reach those systems and what access would be required. Mitigations are applied last, focused on disrupting the most likely and most damaging paths.

Seeing And Aligning The Operational System

Across the sector, a recurring challenge is limited visibility into operational environments. Many utilities do not have a complete picture of what assets are connected, how they communicate or which systems are most critical to continued operation. Without that visibility, cyber risk remains difficult to prioritize or manage in practical terms.

Improving asset awareness changes that dynamic. Shared visibility supports coordination across operations, IT, and engineering teams, all of which grounds cybersecurity discussions in how systems actually function.

This alignment matters because silos between IT, OT, and engineering remain one of the most persistent barriers to cyber readiness. Each discipline brings different priorities, but resilience depends on working toward a shared operational objective: maintaining safe, reliable service. When teams operate from a common understanding of the system, governance becomes clearer, responsibilities are better defined, and cybersecurity decisions are more likely to hold up over time.

Securing The Flow

Water utilities have always planned for failure. They test systems, build redundancy, and design with public health in mind. As operations become more digitally enabled, that same discipline must extend to their cybersecurity.

The systems delivering safe water are increasingly connected. Securing them means treating cyber risk as an operational reality, designing protections alongside infrastructure and focusing on what cannot afford to fail.

John Karabias, Senior Vice President for Cybersecurity and OT at Jacobs, has more than 20 years of experience in cybersecurity and digital consulting in national security and critical infrastructure protection.  Over his career, he has held operations management, sales, and corporate strategy leadership roles at multiple Fortune 500 companies. In his current position, he leads a global workforce of industrial cybersecurity professionals that protect OT in markets such as water, transportation, and advanced manufacturing.   

In addition to his role at Jacobs, John is an adjunct professor of Information Systems at Loyola University of Maryland and serves on several for-profit and non-profit boards where he is committed to causes such as technology incubation, sustainable economic development, and K-12 education.

Roger Caslow, Chief Information Security Officer at Hampton Roads Sanitation District, leads the security strategy protecting regional water and wastewater services. With more than 20 years’ experience in security and privacy, he blends physical, cyber, and operational expertise to strengthen resilience against evolving threats. Roger leads programs spanning OT and IT governance, risk assessments, insider-threat detection, and third-party risk management to help safeguard essential public services every day.

He also serves as a Water Information Sharing and Analysis Center (WaterISAC) board member. Roger is a Certified Information Systems Security Professional (CISSP), a U.S. Navy veteran, and holds graduate credentials from National Intelligence University and the University of Central Florida.