Managing Risk In Water Utilities: From Compliance To True Resilience
By Steve Rupar

When thinking about minimizing risk, it used to be enough for utilities to focus on highly visible assets such as reservoirs and storage tanks using deterrents like chain-link fences, locked doors and cameras. Today, that’s no longer enough, as utilities face sophisticated threats that are evolving faster than plans to prevent them. To prepare, we need to better align security strategies with emerging vulnerabilities.
A Broadening Risk Landscape
Forward-looking operators are shifting from a compliance-driven mindset to an active system-wide approach that recognizes both threats and opportunities across four interconnected categories of risk:
- Physical risk may be the most visible, but it’s also the most misunderstood. Utilities need to go beyond security for large, obvious assets and consider the vulnerabilities of less visible components. For example, valve chambers, pressure-reducing stations, and distribution access points are areas where a knowledgeable actor could disrupt service simply by manipulating system controls.
Remote asset vulnerability is another concern. Many utilities manage thousands of square miles of watershed and need to regularly up-level digital tools such as sensors and drones, potentially combined with AI for rapid analytics. At the same time, new tools can introduce new vulnerabilities. For example, a physical 'tamper' on a remote water-quality sensor at the edge of the system could be used to trigger a false emergency at the central plant. So it’s critical to understand and plan for a variety of system limitations.
- Information risk has evolved considerably in the 25 years since 9/11, with operators now factoring in issues ranging from the confidentiality of customer data to potential vulnerabilities involved with everything from social engineering to outsourced services. While many utilities have restricted data sharing, they have too often done so without clarity on what truly needs protection. Individually harmless data points can become dangerous when aggregated into system-wide operational intelligence.
Utilities also need to plan ahead. A hacker gaining access to a digital twin might do far more damage than one with an old CAD drawing or blueprint. In other words, they need to consider cybersecurity.
- Cyber risk may conjure firewalls, encryption, and other efforts to prevent unauthorized digital access. For security, many utilities have relied on “air-gapping,” or keeping water controls off the internet. The risk is that air gaps may provide an illusion of security, particularly for utilities run on decades-old SCADA (supervisory control and data acquisition) software. While modern systems can incorporate patches and new software, how do you secure a machine that is so old it no longer accepts updates?
Most utilities would benefit from up-leveling their digital tools. They also need scenario planning for information leaks; ransomware, which involves locking files or entire systems for money; and killware, or attacks where the goal is purely the disruption of service or the alteration of chemical balances without a financial motive. For example, what if a bad actor changes the programmable logic controllers (PLCs) with the goal of dumping a year's worth of chlorine into the system in a matter of minutes or hours? Utilities need enhanced processes and planning.
- Process and planning risk may be the most pervasive. While most utilities maintain plans to meet regulatory requirements, vulnerability assessments and emergency response plans are frequently treated as compliance exercises rather than operational tools. The result is documents that are outdated, impractical, or unusable in real-time scenarios. For example, in one city, major water main failures left one-third of the population without water for a week since inoperable valves and unknown asset locations led to cascading failures that could not be quickly contained.
Scenario planning and on-the-ground testing can help utilities become more future-ready across the value chain. For example, what happens under a drought or high-heat scenario, when the system is operating at 95% capacity with little to zero margin for error if a pump fails? Too often, emergency response plans amount to little more than lists of contractors to call, rather than actionable, scenario-based strategies.
Across these areas, it is key to remember that the most protected assets are not always the most consequential targets. To prepare, it’s critical to consider both the likelihood that the risk will be realized and the consequences if it is.
The Limits Of Manual Response
Many utilities rely on the assumption that manual operations can serve as a fallback in the event of system disruption. While technically true, this approach is far more constrained in practice.
Operating pumps and valves manually requires trained personnel, rapid mobilization, and safe access to infrastructure. In emergency scenarios, including extreme weather events, these conditions are often not met. For example, a dam monitoring protocol that relies on physical inspections during storms isn’t realistic. Safety concerns are likely to delay staff deployment precisely when system intervention is most critical.
Even when feasible, manual operation also comes at the cost of real-time system intelligence. Without automated monitoring, utilities forfeit visibility into water quality, pressure dynamics, and system performance, data that is essential for informed decision-making during a crisis.
From Compliance To Risk Management
Regulatory frameworks, such as the U.S. EPA’s requirement for vulnerability assessments and emergency response plans every five years, have established a baseline for preparedness.
Treating compliance as a “check the box” exercise overlooks the dynamic nature of risk and the rapid pace of technological change. True resilience requires continuous evaluation and demands that utilities move beyond static assessments toward adaptive, intelligence-driven strategies.
Addressing the growing range of threats requires a comprehensive, multidisciplinary approach. It can include:
- Cybersecurity expertise that goes beyond documentation to include penetration testing and active threat identification.
- System-wide physical security assessments that evaluate not just major facilities, but the full distribution network.
- Digital tools and advanced analytics that enable advanced hydraulic modeling and anomaly detection, helping utilities identify issues before they escalate.
- Automated monitoring technologies, including sensors, cameras, and piezometers to provide real-time insight into dams and critical infrastructure.
- Integrated asset management and emergency planning, ensuring that response strategies are both actionable and aligned with actual system conditions.
The good news is that funding is increasingly available to support assessments and upgrades. Advances in technology — ranging from low-cost sensors to drone-based inspections — are making it more feasible than ever to implement meaningful improvements within existing regulatory cycles.
There are also underutilized resources within the sector. Mutual aid networks, such as WARN (Water/Wastewater Agency Response Networks), offer valuable platforms for equipment sharing and knowledge exchange. Yet participation remains limited, often due to misconceptions about obligations. Expanding engagement in these networks could significantly enhance collective resilience.
The Path Forward
We have entered a new era of risk, one that requires water utilities to rethink their approach. It is not easy. It will add cost. It means prioritizing the most critical vulnerabilities, modernizing emergency response strategies, and embracing technologies that provide real-time insight and predictive capability. Most importantly, it requires a cultural shift.
The stakes could not be higher. Water systems are foundational to public health, economic stability and community well-being. Ensuring their resilience is not just a technical challenge: it is a strategic and societal imperative.
Steve Rupar is a senior vice president and drinking water practice leader for WSP in the U.S. He has over 35 years of experience in water utility engineering, consulting, and public utility management. Steve’s expertise includes management of capital improvement programs, pipeline design and rehabilitation, asset management, pipe condition assessment, water resource planning, hydraulic modeling, and water loss control. He has been an active member of the American Water Works Association (AWWA) since joining in 1994, and is currently serving as Director for the Connecticut Section on the AWWA Board of Directors.