As early as 2017, the Journal of the American Water Works Association warned that cybersecurity could become one of the defining challenges of our time. That prediction has proven alarmingly accurate. Cybercrime now ranks among the FBI’s top law enforcement priorities, with water and wastewater utilities increasingly targeted due to their critical role in public health and infrastructure.

Since 2023, cyberattacks are no longer just digital disturbances—they are producing real-world consequences. With industrial control systems central to many water utilities, a single breach can jeopardize water quality, interrupt essential services, and leave entire communities at risk.

Ransomware groups have taken note. Water utilities are now high-value targets—critical enough to command swift payments, yet often reliant on outdated systems and overextended IT teams. The result is a sharp rise in cyber extortion, with attackers exploiting single points of failure to inflict maximum disruption, often with cascading consequences throughout the sector.

Examples across the U.S. are painting a sobering picture. In Oldsmar, Florida, hackers nearly poisoned the water supply by altering chemical levels. In Maine and California, ransomware disabled control systems, forcing operators into manual mode. In Texas and Pennsylvania, politically motivated attackers exploited outdated systems and default passwords to seize operational control.

What’s unfolding in local utility offices is shaped by global forces. Rising geopolitical tensions, AI-powered phishing, and deepfake-fueled social engineering are escalating threats, highlighting the urgent need for modernization. We are at a pivotal moment where cybersecurity is no longer just a back-office IT concern—it’s a board-level issue of public safety and operational continuity. Municipal leaders must treat cybersecurity as a cornerstone of operational resilience and public service delivery —neglecting it risks compromising critical infrastructure, sensitive data, and public trust.

The Cybersecurity Arms Race Enters the Age of AI

According to Dan Briley, Founder & CEO of Summit Security Group, the cybersecurity landscape is increasingly defined by an ongoing arms race between attackers and defenders. While both sides evolve, attackers frequently maintain the upper hand thanks to ongoing research into novel attack vectors, and AI is only making those efforts faster and more effective.

Ransomware is among the most dangerous threats facing critical infrastructure. Once limited to basic phishing schemes, it has evolved into a multi-layered assault tool enhanced by AI and automation that can overwhelm municipal systems, disrupt essential services, and pressure organizations into costly ransom payments.

To understand the magnitude of this shift, consider the leap from gunpowder to nuclear weapons. Email, the internet, and the World Wide Web revolutionized operations in past decades, but artificial intelligence introduces a fundamentally different scale of impact. AI accelerates the speed and complexity of cyberattacks, enabling adversaries to outmaneuver traditional defenses. For cybersecurity professionals, the challenge isn’t just keeping up; it’s learning how to strategically harness the power of AI to anticipate threats and thwart increasingly intelligent, automated attacks.

Modern cybersecurity companies, like Summit Security Group are stepping in to level the playing field for local government organizations. As defenders, their mission is to harness the same technologies used by hackers—deploying them to detect threats, uncover attack patterns, and analyze the vulnerabilities targeted during an attempted breach. Their approach empowers public entities to stay ahead of evolving threats and helps water and wastewater utilities recognize, mitigate, and recover from cyber incidents.

The following insights, drawn from Summit Security Group’s work with public sector clients, highlight key actions utilities, like yours, can take to fortify their cybersecurity posture.

An Evolving Regulatory Landscape

Cybersecurity in the water sector is no longer just a best practice—it’s becoming a legislative priority. Complying with regulations is a critical first step for safeguarding infrastructure, yet navigating this evolving landscape remains a complex challenge.

Designated as the lead federal agency for safeguarding the water sector’s critical infrastructure, including its cybersecurity, the Environmental Protection Agency (EPA) took a bold step in 2023 by issuing a memorandum that required states to assess the cybersecurity posture of water systems through sanitary surveys. However, by October of the same year, the EPA withdrew the directive—highlighting the ongoing debate over how best to ensure cybersecurity across a diverse and decentralized sector.

While initially opposed to the EPA’s approach, both the American Water Works Association and the National Rural Water Association have since pivoted to support new legislative efforts in Congress, aiming to maintain cybersecurity as a national priority while promoting sector-specific regulations that are both actionable and realistic for water utilities of all sizes.

One of the most significant policy developments in this area is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) signed in 2022, with enforcement expected to begin in 2026. Proposed by the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS), CIRCIA will require utilities to report significant cyber incidents and ransomware payments within strict timelines.

CIRCIA’s reporting deadlines are firm: 72 hours for major incidents, and just 24 hours for any ransom payments. These rapid timeframes demand well-rehearsed response plans, streamlined communication channels, and strong documentation procedures. Organizations must not only react quickly to incidents—they must also preserve related evidence for up to two years.

The implications of CIRCIA will differ depending on the size and preparedness of each utility. Smaller systems may experience a heavier compliance burden, requiring new training, improved incident detection capabilities, and updated operational protocols. Utilities will need to ensure facility operators understand which events qualify as “covered incidents” and establish internal processes for timely and accurate reporting.

Technical Practices Supported by Governance

As organizations, like yours prepare to meet new compliance standards, turning to established frameworks can provide the structure and clarity needed to build lasting cybersecurity maturity.

One of the most trusted is the NIST Cybersecurity Framework. Developed by the National Institute of Standards and Technology, it helps organizations understand, prioritize, and manage cybersecurity risks. With a clear taxonomy of high-level cybersecurity outcomes, it empowers leaders in any organization – regardless of its size, sector or maturity – to make informed decisions.

The strength of the NIST framework lies in its adaptability. Described Dan Briley as a “choose your own adventure,” it allows organizations to tailor their cybersecurity strategies based on their unique risk profiles and resources. The framework is underpinned by the NIST SP 800 series, a comprehensive suite of technical guidelines. For example, the NIST SP 800-53—spanning over 400 pages—provides detailed controls to safeguard organizational operations, assets, and individuals, from a wide spectrum of threats, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

Specialized guidance is also available through focused publications. NIST SP 800-171, a subset of NIST SP 800-53 is crucial for protecting Controlled Unclassified Information (CUI) in nonfederal systems, making it vital for any entity working with sensitive government data. NIST SP 800-171 is also a foundational component in achieving Cybersecurity Maturity Model Certification (CMMC) compliance. Meanwhile, NIST SP 800-82 offers sector-specific recommendations for securing Operational Technology (OT) environments while addressing their unique performance, reliability, and safety requirements—particularly important for utilities managing SCADA systems or other industrial controls.

Beyond NIST, the CIS Critical Security Controls offer another highly actionable framework. With 18 well-defined, prioritized controls, the CIS model provides a streamlined path to strengthen organizational defenses. Its prescriptive nature makes it especially effective for resource-constrained utilities, offering a practical roadmap for hardening systems, securing data, and reinforcing compliance in a rapidly changing threat landscape.

Practical Steps for Organizations of All Sizes

Although regulatory frameworks can be complex and challenging to implement, there are clear, actionable steps organizations, like yours can take to strengthen their defenses. To help utilities stay ahead of cyber threats, Summit Security Group recommends eight strategic measures.

1. Reduce Exposure to the Public-Facing Internet

Reducing an organization’s exposure to the public-facing internet is one of the most effective first steps organizations can take to build resilient cybersecurity posture. Limiting remote access and ensuring only authorized users connect through secure, encrypted channels significantly lowers vulnerability to external threats. Legacy protocols like Telnet and FTP, which transmit data in plain text, should be replaced with modern, encrypted alternatives to better protect sensitive information.

Network segmentation is another essential layer of defense, particularly for utilities. By separating operational technology (OT), business systems, and internet-facing services into distinct, isolated environments, organizations can contain breaches and limit lateral movement across the network, safeguarding mission-critical operations—such as water treatment controls—from compromises elsewhere in the network.

Firewalls also serve as vital gatekeepers in segmented network environments, but their effectiveness depends on proper configuration and active oversight. They must be governed by clearly defined security policies that dictate allowed communications between zones. When paired with secure access protocols like VPNs or SSH, firewalls help enforce boundaries, detect threats, and block unauthorized users. Together, these practices create a robust perimeter that not only guards against known threats but also strengthens overall system resilience against emerging cyber risks.

2. Conduct Regular Cybersecurity Assessments

Another impactful—and accessible—step utilities can take to strengthen their cybersecurity posture is conducting regular assessments. These evaluations, whether internal or external, help identify vulnerabilities before attackers can exploit them. Internal assessments offer a cost-effective starting point, especially for smaller, resource-strapped organizations. Using structured checklists or questionnaires, teams can review systems, policies, and procedures to flag potential risks. While not exhaustive, this approach lays the groundwork for a robust cybersecurity program.

For deeper insight, engaging a third-party assessor can bring deep technical expertise and access to specialized tools, as well as deliver objective insights that might be missed internally. Partnering with experts ensures a broader understanding of your threat landscape and a prioritized roadmap for remediation. Assessments may include penetration testing: simulating real-world attacks to expose technical flaws and misconfigurations, providing a detailed view of exploitable entry points.

It’s also important to remember that cybersecurity assessments shouldn’t be purely technical. They should also evaluate governance processes, internal documentation, and staff readiness to ensure a cohesive security posture. Reviewing internal documentation—such as incident response plans and password policies—helps ensure that both human and technical safeguards are aligned.

Industry standards recommend formal assessments at least once a year. Doing so helps track progress, meet regulatory requirements like CIRCIA, and build a strong historical record of an organization’s cybersecurity maturity and risk management efforts—proof of its commitment to protecting infrastructure and earning public trust.

3. Change Default Passwords Immediately

Changing default passwords should be one of the first cybersecurity actions every organization takes. Default credentials are widely known and frequently exploited by attackers as easy entry points into systems. Strong passwords—comprising at least 12 characters with a mix of letters, numbers, and symbols—offer greater protection against unauthorized access.

Adding multi-factor authentication (MFA) for all user accounts is another critical step. Whether through SMS-based codes or, more securely, authenticator apps like Google Authenticator or Microsoft Authenticator, MFA adds a crucial layer of defense that significantly reduces the risk of compromise.

Password security training is equally vital. Employees should be trained to avoid weak passwords, use complex passphrases, and never share credentials. Organizations should consider using a secure password manager to help store and manage passwords safely. Free tools like Have I Been Pwned?, updated frequently, can also help identify compromised accounts and encourage timely password updates.

4. Conduct Inventory of OT and IT Assets.

A comprehensive inventory of both IT and OT assets is another foundational step in any cybersecurity strategy. Organizations can’t defend what they don’t know they have—they must know exactly what software and hardware exist in their environment to detect unauthorized or rogue devices.

Using automated discovery and monitoring tools is essential—manual tracking simply isn’t feasible in today’s complex and dynamic network environments. These tools help identify all connected assets and offer a real-time view of your digital landscape. Just as important is understanding which assets are mission-critical. Not all systems carry the same level of risk, so identifying high-value devices ensures that your security resources are focused where they matter most.

Once inventory is established, maintaining it is just as important as creating it. As new systems are added, software is updated, or equipment is decommissioned, the inventory must be kept current. A well-maintained inventory supports better threat detection, incident response, and long-term resilience.

5. Develop and Test Contingency Plans

Developing and regularly testing contingency plans is also critical for any organization aiming to build true cyber resilience. A comprehensive approach includes an incident response plan, a business continuity plan, and a disaster recovery plan—all designed to ensure your team can respond quickly and effectively when something goes wrong. These plans should be drafted in advance, clearly outlining step-by-step procedures to follow during a security incident. Waiting to “figure it out” in real time can result in costly delays, confusion, and missteps. Strong plans ensure that essential services can continue, even during a major disruption.

Equally important is training your employees on these plans. Everyone should understand their roles and responsibilities during an incident. That includes making sure these documents are not only up to date, but also easily accessible—ideally stored in both digital and physical formats. Relying solely on digital access could backfire if a critical system is impacted during a cyber event, leaving your team unable to retrieve vital information when it’s needed most. Having printed copies stored securely ensures continuity even in worst-case scenarios.

To put planning into practice, organizations can schedule tabletop exercises. These structured simulations walk your team through a hypothetical incident using your actual contingency plans. Facilitated sessions often include realistic scenarios and unexpected curveballs to test your team’s readiness and highlight any gaps or weaknesses. Think of it as a role-playing exercise for cybersecurity—part rehearsal, part stress test. It’s an engaging and revealing way to ensure your plans are not just written but actionable, and that your team is confident and prepared to respond when the pressure is real.

6. Back Up OT/IT Systems

Reliable backups are essential for both OT and IT environments, serving as a lifeline for restoring systems to a safe, known state after a compromise. However, not all organizations implement best practices to ensure those backups are truly secure. Backups should always be encrypted to protect sensitive data from unauthorized access, and at least one copy should be stored offsite—ideally in a secure cloud environment or third-party facility. This protects against physical disasters such as fires, floods, or regional outages that could impact on-premises systems. Keeping backups geographically separated from primary systems adds a critical layer of resilience.

Equally important is validating that your backups actually work. Backups that can’t be restored are of little use in an emergency, so routine testing is a must. Following NIST’s 3-2-1 rule is a simple way to guide your strategy: maintain at least three copies of your data, store them on two different types of media, and keep one copy offsite. This approach ensures your data is both recoverable and resilient.

7. Reduce Exposure to Vulnerabilities

Reducing exposure to vulnerabilities is another fundamental part of maintaining a secure OT and IT environment. As technology evolves, so do the methods used by cybercriminals to exploit it. Hackers regularly uncover new weaknesses in hardware and software, often publishing these findings publicly, making it easier for bad actors to launch targeted attacks.

Effective patch management is essential for minimizing risk. All systems, including operating systems, applications, and especially OT equipment, should be kept current with the latest updates. For OT environments that operate continuously, it’s important to schedule patches during planned downtime to avoid service disruptions. Firmware should also be included in your update strategy—devices like surveillance cameras and industrial sensors often run outdated firmware that could serve as an unmonitored entry point for attackers.

Beyond updating, organizations should also regularly audit their environments to remove unnecessary software. Unused or outdated applications contribute to system bloat and create avoidable vulnerabilities. In addition, vulnerability scanning—similar to penetration testing—should be performed routinely to identify and remediate any known issues before they can be exploited. Treat this as routine hygiene: proactive, preventative maintenance that helps ensure your systems stay resilient.

8. Cybersecurity Awareness Training

Cybersecurity awareness training is one of the most effective defenses an organization can deploy. Many breaches begin with social engineering—tactics that trick individuals into granting access. These attacks can be digital, like phishing emails prompting users to click malicious links, or physical, such as someone posing as a contractor trying to bypass security at the front desk. Training your staff to recognize these threats is essential to preventing unauthorized access.

Effective training should also include password and physical security best practices. Employees should understand how to create strong, unique passwords, avoid reuse across platforms, and use multi-factor authentication. Physical vigilance matters too—like ensuring secure areas aren’t accessed by tailgating, locking workstations, and reporting suspicious behavior. Protecting systems means securing both the digital and physical fronts.

Your employees also need to know how to respond when something goes wrong. Recognizing unusual activity, escalating incidents, and taking immediate steps to limit impact can make a significant difference. Ongoing training helps build this awareness and ensures everyone understands their role in the organization’s security posture. Like patching software, human training needs to be refreshed regularly—ideally on an annual basis—to remain effective against evolving threats.

Where Utilities Go from Here

Keeping up with cybersecurity best practices is a complex and resource-intensive task—especially for water utilities operating on tight budgets. Conducting regular assessments, maintaining secure backups, and training staff on cybersecurity hygiene are all vital measures, but can be prohibitively expensive or logistically difficult for smaller municipalities. With shifting funding priorities and uncertainty in federal support, many organizations struggle to identify what assistance is available or how to prioritize their efforts amid evolving regulatory expectations.

However, cybersecurity in the water and wastewater sector is no longer a future-facing concern—it is an immediate operational imperative. From ransomware targeting industrial control systems to regulatory changes like CIRCIA, water utilities face a convergence of threats and responsibilities that demand action now.

By following a layered strategy that blends technical best practices with strong governance, utilities can make measurable improvements in resilience. Frameworks like NIST and CIS provide the structure. Practical steps like segmenting networks, conducting regular assessments, and implementing contingency plans bring that structure to life. With the right partnerships, modern tools, and informed leadership, water organizations can stay ahead of cyber threats and build systems that are not only compliant, but secure and sustainable.