The New Cyber Risk Challenging America's Water: Modernization Itself

By Richard Hake

Water utilities have made significant strides in modernizing and securing their systems over the past decades. Embracing digital transformation has been necessary to improve efficiency, resilience, and service delivery. It’s also positioned utilities to respond quickly and effectively as cybersecurity threats evolve.

The integration of IT and OT systems has unlocked significant benefits — from enhanced operational visibility to smarter decision-making — and reflects years of hard work and commitment to innovation. This progress is a foundation for the next phase: strengthening defenses in a rapidly changing threat landscape.

As adversaries grow more sophisticated, utilities are not starting from scratch. They are building on a decade of modernization, leveraging advanced tools, and applying lessons learned to protect critical infrastructure. The challenge ahead is not about past vulnerabilities but about continuing the collaborative journey to ensure security keeps pace with innovation. Together, the industry can accelerate protective measures without sacrificing the efficiency and reliability that modernization has delivered.

Meeting Demand Through Technology

Water utilities today operate in a complex environment shaped by growing populations, evolving regulations, and resource constraints. Most of America’s water infrastructure is decades old and underfunded. These challenges are real, but they also highlight the resilience and adaptability of an industry that has consistently delivered safe, reliable water for decades.

To meet rising demand and maintain high standards, utilities have embraced digital innovation. Cloud-enabled sensors, networked monitoring systems, and process automation are transforming how water quality, chemical dosing, pressure and flow, and rainfall inputs are managed. These tools extend the capabilities of skilled operators, enabling continuous, data-driven decision-making that was once limited by manual processes.

Modern systems allow teams to monitor critical parameters remotely, respond quickly to anomalies, and ensure water is safe to drink or discharge, even when staffing is limited. They also support faster detection of leaks, misconfigurations, or equipment issues, helping utilities maintain performance and reliability despite resource pressures. Far from replacing human expertise, these technologies amplify it, creating a stronger foundation for the future.

Mapping The Vulnerabilities

But greater efficiency comes with greater exposure. The rapid expansion of IoT technologies has increased the number of devices connected to water networks, and every new sensor, controller, or automated component represents a potential point of compromise. These systems generate and store valuable operational data, further increasing the incentive for attackers.

Just as baby monitors and smart home systems have become convenient footholds for infiltrating household networks, cloud-connected sensors in water systems have created new entry points for malicious actors. Attackers often need only one weak link — one outdated sensor, one misconfigured firewall — to gain access to the broader system.

As a result, utilities are proactively assessing their networks to identify potential weak points and ensure that sensors, controllers, and automated components meet modern security standards. This includes hardening devices, enforcing strict authentication, and segmenting networks to limit exposure. Investing in cybersecurity training ensures that every team member is equipped to recognize and respond to potential threats. 

Many utilities are also revisiting connectivity strategies, asking critical questions about what truly needs to be integrated and where selective isolation can reduce risk without sacrificing operational benefits.

These efforts reflect a shift from reactive defense to proactive resilience. By combining modernization with cybersecurity best practices, utilities are building systems that not only deliver efficiency but also withstand evolving threats. The goal is clear: maintain progress while ensuring that security remains a cornerstone of innovation.

Building More Resilient Systems

Utilities are not abandoning digital tools or automation. Instead, they are shifting toward more selective, security-conscious modernization. Rather than assuming every system should be interconnected, they are reconsidering what should be decoupled.

Standard protective measures include:

• Decoupling OT systems from the public internet wherever possible.
• Strengthening firewalls between IT and OT networks to limit lateral movement.
• Restricting IT permissions so teams can read OT data but cannot write back into control systems.
• Ensuring all automated processes are essential and can be overridden manually when necessary.

These measures, often identified through vulnerability and risk assessments, help utilities map their digital ecosystems and understand how attackers might move through their environment. Aligning practices with frameworks like the NIST Cybersecurity Framework further strengthens resilience and clarifies where defenses are most needed.

Modern sensors and networking capabilities have given utilities unprecedented visibility into system performance, reducing operational uncertainty. But they have also exposed pathways that did not previously exist. The goal now is not to reverse modernization, but to modernize with intention — pairing digital efficiency with architectural restraint.

A Path Forward

Water utilities are right to be cautious. The sector has already seen the consequences of exposing legacy systems to a hostile cyber landscape. Yet abandoning technology is not an option. Automation, remote monitoring, and data analytics remain essential tools for meeting regulatory requirements, improving efficiency, and supporting shrinking workforces.

The challenge for water-sector leadership is to determine how to reap the benefits of modernization while minimizing its risks. The question is no longer whether to modernize, but how: How do we make the target smaller without sacrificing the tools that help us operate more effectively?

For now, the responsible approach is measured modernization — advancing technology adoption while doing so at a pace and in a configuration that keeps critical water infrastructure safe from increasingly sophisticated attacks. The future of water security will depend not just on innovation, but on intentional design that respects both the promise and the risks of a more connected world.

Richard Hake is a Water Innovation Leader at Stantec.