Why You Can't Patch Your Way Out Of The Latest Water Utility Threats
By Dr. Jaushin Lee

On April 7, 2026, a joint advisory from six U.S. federal agencies (including the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Environmental Protection Agency) confirmed what many in the cybersecurity community have long feared: Our critical infrastructure is now an active target for geopolitical cyber operations.
Iranian-linked hackers have successfully exploited programmable logic controllers (PLCs) at water utilities and energy facilities across the U.S., resulting in operational disruptions and massive financial loss. For many water utility executives, the immediate and instinctive reaction is to look for a patch. But in this case, there is no simple vendor fix. These attackers are exploiting the fundamental way our industrial networks were built rather than an easily patchable bug.
We need to treat this incident as a wake-up call. The vulnerability of our water systems and the operational technology (OT) that manages them is a failure of architectural design and trust. As geopolitical tensions breach our digital infrastructure, a “business as usual” mindset toward utility network security amounts to an active acceptance of catastrophic risk.
The False Comfort Of “Air Gapping”
For decades, the water industry has relied on the concept of the “air gap,” or the idea that operational technology is safe because it is isolated from the public internet. However, the push for digital transformation is steadily eroding these boundaries. With a rise in remote monitoring requirements, vendor maintenance access, cloud connectivity, and the need for real-time data, most “gaps” are being replaced by a web of interconnected systems.
Recent attacks on Rockwell Logix controllers demonstrate that hackers don’t need to knock on the front door. They find the smallest crack — an internet-exposed PLC, a compromised vendor credential, or an unmanaged remote access pathway — and use that to establish a foothold.
From there, the lack of internal segmentation, together with legacy hardware and dated software that cannot run modern security clients, allows attackers to move around easily, manipulating project files and supervisory control and data acquisition (SCADA) displays that control our most vital resource.
Why Traditional Network Security Protections Are Failing
Most utilities have invested heavily in perimeter-based defenses such as firewalls. Although these remain important, they are fundamentally ill-equipped to protect legacy OT environments for three specific reasons.
Implicit Trust
Traditional networks assume that once a user or device is inside the perimeter, it can be trusted. However, this castle-and-moat model collapses once an attacker gains access. In recent Iranian-linked incidents, threat actors that breached the perimeter interacted with critical OT systems with little resistance.
The Patching Paradox
In standard IT environments, the fix for a vulnerability is a patch. In OT, many legacy systems cannot be patched without risking operational instability, downtime, or costly upgrades. Relying on vendor updates that cannot keep pace with attackers — or may never arrive at all — is, quite simply, a losing strategy.
Lateral Movement
In flat OT networks without effective segmentation, a single compromised device can expose the entire environment. Once attackers gain access to one OT system or controller, they can often move laterally across the network and interact with other critical systems with little resistance.
A New Architecture For Real Resilience
If utilities cannot patch the hardware itself, then they must secure the network environment around it. This is where a Zero Trust approach shifts from a technical preference to a baseline requirement for public safety.
The goal of Zero Trust in a water utility is to replace implicit trust with tightly controlled connectivity. Instead of allowing a device to communicate freely across a network, a Zero Trust network architecture ensures that every connection, session, and network packet is continuously authenticated and authorized based on identity and context.
For utility leaders looking to mitigate risk immediately, I recommend a specific three-step transition.
1. Cloak internet-exposed assets.
The most immediate risk identified by federal agencies is direct internet exposure. Using security virtualization and identity-based access controls, utilities can cloak these PLCs and OT systems. This makes them invisible to unauthorized users and connections without requiring a full network redesign.
2. Enforce Zero Trust.
Utilities must assume that the perimeter has already been breached. By implementing Zero Trust strategies such as segmentation, utilities can isolate critical controllers and OT assets into tightly managed security zones. If one PLC is compromised, the attacker is contained within that single segment, unable to move laterally to other network segments.
3. Implement non-human identity governance.
As the world moves toward more autonomous systems, remote automation, and AI-driven operational tools, utilities must treat non-human identities with the same rigor as human users. Every automated action, service account, and machine-to-machine interaction needs to be verified against a strict security policy.
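The three steps above come down to one policy rule: no connection to an OT asset is permitted unless an authenticated identity holds an explicit allowance for it. The following added example (not code from the article or from Zentera) models that rule as a default-deny policy check; the asset names, zones, identities and protocols are constructed for illustration.

```python
"""Default-deny connection policy for a segmented OT network (illustrative)."""
from dataclasses import dataclass

# Step 2: assets are grouped into managed security zones. Constructed sample inventory.
ASSET_ZONES = {
    "plc-intake-01": "zone-intake",
    "plc-filtration-01": "zone-filtration",
    "hmi-control-01": "zone-control",
    "historian-01": "zone-it",
}

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str               # "human" or "service" (a non-human identity, step 3)
    authenticated: bool     # session credential verified
    attested: bool = True   # service identity checked against policy (e.g. not revoked)

# Explicit allow-list of (identity, destination asset, protocol). Anything absent is denied,
# so a PLC is effectively invisible to identities without a rule for it (step 1).
ALLOW_RULES = {
    ("operator.jdoe", "hmi-control-01", "rdp"),
    ("hmi-control-01", "plc-intake-01", "cip"),      # the HMI may poll the intake PLC
    ("svc-historian", "plc-filtration-01", "cip"),   # a service account reads filtration data
}

def authorize(identity: Identity, dst_asset: str, protocol: str) -> tuple[bool, str]:
    """Evaluate one connection attempt. Returns (allowed, reason); the default is deny."""
    if not identity.authenticated:
        return False, "unauthenticated identity"
    if identity.kind == "service" and not identity.attested:
        return False, "non-human identity failed policy verification"
    if dst_asset not in ASSET_ZONES:
        return False, "destination not in managed inventory"
    if (identity.name, dst_asset, protocol) not in ALLOW_RULES:
        return False, f"no rule for {identity.name} -> {dst_asset}/{protocol}"
    return True, f"explicit allow into {ASSET_ZONES[dst_asset]}"

def visible_assets(identity: Identity) -> set[tuple[str, str]]:
    """Destinations an identity can reach at all: the lateral-movement surface it would
    have if compromised. For a segmented PLC with no outbound rules this is empty."""
    return {(dst, proto) for (name, dst, proto) in ALLOW_RULES
            if name == identity.name and authorize(identity, dst, proto)[0]}
```

Running `visible_assets` for each controller identity is a cheap audit: any PLC whose reachable set is larger than its documented role indicates a flat segment where a single compromise would expose the rest of the environment.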
Remember The High Cost Of Inaction
Previous financial modeling proves that delaying the shift to Zero Trust can lead to compounding risks that climb into the millions of dollars over time. For water utilities, consequences extend far beyond a simple financial loss. The cost includes the safety of drinking water, the integrity of wastewater treatment operations, and the public’s trust in municipal leadership.
Iranian-linked cyberattacks demonstrate that geopolitical hackers are willing and able to wield attacks on our infrastructure as a weapon. Water utilities can no longer afford to wait for the next budget cycle or the next vendor patch.
By adopting an incremental Zero Trust-based architecture today, utilities can significantly reduce their attack surface, contain breaches before they spread, and strengthen the resilience of the critical infrastructure that communities depend on every day.
Dr. Jaushin Lee is the founder and CEO of Zentera Systems. He is a serial entrepreneur with many patents. He is also the visionary architect behind CoIP® Platform, Zentera's award-winning Zero Trust security overlay. Jaushin has over 20 years of management and executive experience in networking and computer engineering through his experience with Cisco Systems, SGI, and Imera Systems.