Water treatment plants and power distribution networks have become primary targets for nation-state actors, ransomware gangs, and ideologically motivated hackers. These are no longer theoretical risks. In Muleshoe, Texas, hacktivists reached an internet-exposed HMI and manipulated the water system's controls until a storage tank overflowed, triggering a federal response. In Aliquippa, Pennsylvania, a threat actor took over an internet-exposed Unitronics PLC that still carried its default password, defaced its integrated HMI at a booster station, and forced operators to fall back to manual control. A 2024 GAO report counted roughly 170,000 U.S. water systems exposed to cyber risk, and an EPA Inspector General review found critical or high-severity vulnerabilities in 97 drinking water systems serving about 27 million people.
The challenge is structural. Water and power utilities operate Supervisory Control and Data Acquisition systems, Programmable Logic Controllers, Remote Terminal Units, and Distributed Control Systems that were engineered for reliability and uptime — not security. Many run on legacy architectures with no encryption, no intrusion detection, and minimal access controls. As remote sensors, cloud telemetry, and IoT devices are layered on top of these systems, the attack surface expands faster than most utility security teams can manage.
This guide covers everything utility security teams need to build a credible, sustained cyber resilience program — from OT-specific asset management and network segmentation to incident response, regulatory compliance, and the EPA’s latest planning resources released in October 2025.
Understanding the Threat Landscape for Utilities
Water and power utilities attract attackers for a specific reason: the consequences of disruption are immediate and public. Contaminated water supply, grid outages, or manipulated chemical dosing systems create visible crises that generate pressure — on governments, regulators, and utilities themselves. This visibility makes critical infrastructure a preferred target for both ransom and geopolitical leverage.
Ransomware remains the most operationally damaging threat. Attacks encrypt control system files and configuration data, halting operations until payment is made or systems are rebuilt from backup. For a water treatment facility without tested offline backups, a ransomware event means running chemical dosing by hand for as long as the rebuild takes, with a real risk of under- or over-dosing the water that leaves the plant.
State-sponsored intrusions use Advanced Persistent Threats to maintain long-term, low-noise access. These actors gather operational intelligence about grid topology, water treatment processes, and control system configurations — information that could be weaponized in a geopolitical crisis or used to enable a future destructive attack.
Supply chain compromise targets the vendors, contractors, and software providers that utilities depend on for remote maintenance and system updates. Flawed firmware or compromised remote access credentials in a third-party vendor’s system become an entry point into OT networks that would otherwise be difficult to reach directly.
Unsecured HMI devices are a specific and growing vulnerability that the EPA flagged explicitly. Human-machine interface screens accessible over the public internet — often with default or weak credentials — allow unauthorized users to view and adjust real-time system settings, potentially manipulating treatment processes or disabling monitoring systems.
Insider threats, both malicious and accidental, remain a persistent risk in environments where access controls are rarely reviewed and privilege creep accumulates over years of staff turnover and system changes.
Asset Inventory: You Cannot Secure What You Cannot See
Every cyber resilience program for utilities begins in the same place: a complete, accurate inventory of every OT asset on the network. Utilities may have hundreds or thousands of assets — PLCs, RTUs, distributed control systems, HMI terminals, historian servers, and engineering workstations — connected to SCADA networks, often without a current record of what is running what software version.
Passive monitoring is the default approach for OT environments. Unlike active scanners that send probes to devices, passive discovery tools watch SCADA network traffic from a SPAN port or tap and never talk to the controllers, so they cannot stall a PLC with an unexpected request. Active queries still have a place, but only with vendor-approved methods, during maintenance windows, and after the passive picture is in hand. CISA's August 2025 guidance document "Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators" provides a practical framework for this process, emphasizing that an OT asset inventory must account for PLCs, RTUs, DCS, instrumentation, and the increasingly connected IoT devices layered across modern utility infrastructure.
Once assets are catalogued, each should be prioritized by function, network exposure, and criticality. A PLC controlling chemical dosing at a water treatment plant carries far higher risk than an administrative workstation on the corporate IT network — even if both have the same unpatched vulnerability. This prioritization drives remediation sequencing and informs segmentation architecture.
Vendor case studies of device discovery platforms deployed in 2025 give a sense of scale. One water district deployment reportedly identified 1,883 devices across IT, IoT, and OT networks within days, including 62 industrial automation devices, 256 physical security systems, and 51 VoIP devices, none of which had been fully mapped under the previous manual inventory. Treat such figures as illustrative rather than typical, but expect the first passive run to find more than the spreadsheet says.
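As a worked illustration of what a passive inventory actually extracts from the wire (this is an added example, not code from CISA's guidance or from any discovery product), the Python below parses Modbus/TCP and DNP3 frames as they would be captured from a SPAN port and aggregates one record per IP address: role, protocol, unit or link address, function codes served, and how many write requests each client has issued. The addresses, ports and frames are constructed for the example.

```python
"""Passive OT asset inventory built from captured Modbus/TCP and DNP3 frames.

Added example, not code from CISA's asset-inventory guidance or any product.
Input: (src_ip, src_port, dst_ip, dst_port, payload_bytes) tuples, e.g. from a SPAN
port capture; the frames used below are constructed for illustration.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
DNP3_PORT = 20000
# Modbus function codes that change process state; worth tracking per client
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def parse_modbus_tcp(payload):
    """Parse an MBAP header and the function code that follows.

    MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    Returns None unless the frame is internally consistent, so stray data on
    port 502 is not inventoried as Modbus.
    """
    if len(payload) < 8:
        return None
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    return {"unit_id": unit_id, "function": fc & 0x7F, "exception": bool(fc & 0x80)}


def parse_dnp3(payload):
    """Parse a DNP3 data-link header: 0x0564, length, control, dest, src (little-endian).

    The DIR bit (0x80) of the control octet is set on frames sent by the master.
    """
    if len(payload) < 10 or payload[:2] != b"\x05\x64":
        return None
    length, control, dest, src = struct.unpack("<BBHH", payload[2:8])
    if length < 5:  # length covers control+dest+src plus user data
        return None
    return {"dest": dest, "src": src, "from_master": bool(control & 0x80)}


def _new_asset():
    return {"protocols": set(), "roles": set(), "addresses": set(),
            "functions": set(), "peers": set(), "writes": 0}


def build_inventory(packets):
    """Aggregate one record per IP: protocols spoken, role, unit/link addresses,
    function codes served, peers, and the number of write requests issued."""
    inv = defaultdict(_new_asset)

    def link(a, b, proto):
        for ip in (a, b):
            inv[ip]["protocols"].add(proto)
        inv[a]["peers"].add(b)
        inv[b]["peers"].add(a)

    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        if dst_port == MODBUS_PORT:
            m = parse_modbus_tcp(payload)
            if m is None:
                continue
            # request toward port 502: src is the client (SCADA/HMI), dst the server (PLC/RTU)
            link(src_ip, dst_ip, "modbus/tcp")
            inv[src_ip]["roles"].add("modbus-client")
            inv[dst_ip]["roles"].add("modbus-server")
            inv[dst_ip]["addresses"].add(f"unit:{m['unit_id']}")
            inv[dst_ip]["functions"].add(m["function"])
            if m["function"] in MODBUS_WRITE_FUNCTIONS:
                inv[src_ip]["writes"] += 1
        elif dst_port == DNP3_PORT or src_port == DNP3_PORT:
            d = parse_dnp3(payload)
            if d is None:
                continue
            link(src_ip, dst_ip, "dnp3")
            if d["from_master"]:
                master, outstation = src_ip, dst_ip
                master_addr, outstation_addr = d["src"], d["dest"]
            else:
                master, outstation = dst_ip, src_ip
                master_addr, outstation_addr = d["dest"], d["src"]
            inv[master]["roles"].add("dnp3-master")
            inv[master]["addresses"].add(f"dnp3:{master_addr}")
            inv[outstation]["roles"].add("dnp3-outstation")
            inv[outstation]["addresses"].add(f"dnp3:{outstation_addr}")

    # sort the sets so the inventory is stable for diffing against last week's run
    return {ip: {k: (sorted(v) if isinstance(v, set) else v) for k, v in rec.items()}
            for ip, rec in inv.items()}


# --- constructed sample capture ------------------------------------------------
def modbus_frame(trans_id, unit_id, function, data):
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu


def dnp3_frame(dest, src, from_master, user_data=b"\xc0\x01"):
    control = (0x80 if from_master else 0x00) | 0x40 | 0x04   # DIR, PRM, unconfirmed user data
    header = b"\x05\x64" + struct.pack("<BBHH", 5 + len(user_data), control, dest, src)
    return header + b"\x00\x00" + user_data   # CRC bytes left as zero placeholders


SAMPLE_CAPTURE = [
    ("10.10.1.5", 50001, "10.10.2.20", 502, modbus_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.10.1.5", 50002, "10.10.2.20", 502, modbus_frame(2, 1, 6, struct.pack(">HH", 40, 500))),
    ("10.10.1.5", 50003, "10.10.2.21", 502, modbus_frame(3, 2, 1, struct.pack(">HH", 0, 8))),
    ("10.10.1.5", 50004, "10.10.3.40", 20000, dnp3_frame(dest=10, src=1, from_master=True)),
    ("10.10.3.40", 20000, "10.10.1.5", 50004, dnp3_frame(dest=1, src=10, from_master=False)),
    ("10.10.9.9", 50005, "10.10.2.20", 502, b"GET / HTTP/1.1\r\n"),  # junk on 502, ignored
]

if __name__ == "__main__":
    for ip, rec in sorted(build_inventory(SAMPLE_CAPTURE).items()):
        print(ip, rec)
```

Note the consistency checks in the parsers: the MBAP protocol identifier must be zero and the length field must agree with the frame, so a stray HTTP request on port 502 is not recorded as a Modbus device. Diffing successive inventories, with the sets sorted as here, is the cheapest way to notice a new client that has started talking to a PLC.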
IT/OT Network Segmentation: The Highest-Impact Control
The single most impactful technical control for utility cyber resilience is proper segmentation between IT and OT networks. The Muleshoe and Aliquippa intrusions both reached control interfaces that were exposed directly to the internet with weak or default credentials; in a segmented architecture with no inbound path to the control levels, there would have been nothing for the attackers to connect to. Flat internal networks carry the same risk from the other direction: an attacker who compromises an email account or a contractor VPN credential can reach SCADA systems directly, with no security boundary to cross.
Effective segmentation for water and power utilities follows a layered architecture:
Levels 0–2 (OT): Field devices, controllers, and SCADA/HMI servers. These should have no direct internet connectivity and only explicitly listed communication paths to higher network levels.
Level 3 and Level 3.5 (Site operations and Industrial DMZ): The plant historian and operations servers sit at Level 3. The Industrial DMZ, usually labelled Level 3.5, holds the replica historian, data aggregators, patch and antivirus relays, and the jump host that brokers any remote session into OT. Communication through this zone should be unidirectional where possible: data flows out from OT, commands do not flow in, and where interactive access is unavoidable it terminates on the jump host and continues inward as a separate, monitored session.
Levels 4–5 (IT): Business systems, corporate email, remote access infrastructure. No direct path to OT; every exchange is brokered through the DMZ.
Next-generation firewalls at the OT/IT boundary should enforce allowlists of permitted industrial protocols (Modbus/TCP, DNP3, IEC 61850 MMS) between named hosts and block everything else. Because Modbus and classic DNP3 carry no authentication, allowlisting the protocol is not enough on its own: where the firewall can parse the protocol, restrict the permitted function codes as well, so that a path opened for reads cannot be used to write setpoints. Unidirectional security gateways, hardware-enforced one-way data diodes, provide the strongest possible boundary for the most critical control systems, physically preventing any inbound communication from the IT network to OT systems.
Microsegmentation within the OT network isolates individual systems or process areas, so that a compromise in one area, say the SCADA historian or an engineering workstation, cannot spread laterally to chemical dosing controllers or grid management systems.
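The zone rules above can be checked mechanically against flow records from the boundary firewall or a NetFlow collector. The Python below is an added example, not part of any standard or product: it assigns constructed subnets to OT, DMZ and IT zones, encodes a deny-by-default allowlist per zone pair (the Modbus, DNP3 and IEC 61850 MMS ports within OT, TLS from the historian to its DMZ replica, TLS from IT to the replica, all assumed for the example) and reports every flow that the architecture says should not exist.

```python
"""Audit flow records against a Purdue-style IT/OT zone policy (deny by default).

Added example, not from any standard or product. Subnets, policy and flows are
constructed; in practice the flows come from NetFlow or firewall logs and the
zone map from the asset inventory.
"""
import ipaddress

ANY = object()  # sentinel: any destination port is acceptable for this zone pair

ZONES = {  # constructed addressing plan
    "ot":  ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"],  # levels 0-2: SCADA, PLCs, RTUs
    "dmz": ["10.10.5.0/24"],                                   # level 3.5: replica historian, jump host
    "it":  ["10.20.0.0/16"],                                   # levels 4-5: business network
}
ZONE_NETS = {z: [ipaddress.ip_network(n) for n in nets] for z, nets in ZONES.items()}

# Permitted conversations by (source zone, destination zone); anything absent is denied.
POLICY = {
    ("ot", "ot"):       {502, 20000, 102},  # Modbus/TCP, DNP3, IEC 61850 MMS between OT hosts
    ("ot", "dmz"):      {443},              # historian pushes to the DMZ replica over TLS (assumed design)
    ("it", "dmz"):      {443},              # business users read the replica, never the live historian
    ("it", "it"):       ANY,
    ("it", "external"): ANY,
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in n for n in nets):
            return zone
    return "external"  # anything not in the plan is treated as untrusted


def check_flow(flow):
    """Return None when the flow is permitted, otherwise the reason it is not."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if dst_zone == "ot" and src_zone in ("it", "external"):
        return f"{src_zone}->ot: no path from the business network or outside into control systems"
    if src_zone == "ot" and dst_zone == "external":
        return "ot->external: control systems must not reach the internet"
    allowed = POLICY.get((src_zone, dst_zone))
    if allowed is ANY:
        return None
    if allowed is None:
        return f"{src_zone}->{dst_zone}: no allowlist entry (deny by default)"
    if flow["dport"] not in allowed:
        return f"{src_zone}->{dst_zone}: port {flow['dport']} not on the allowlist"
    return None


def audit(flows):
    """Return [(flow, reason)] for every flow the policy would have blocked."""
    findings = []
    for flow in flows:
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


SAMPLE_FLOWS = [  # constructed records: source, destination, destination port
    {"src": "10.10.1.5",  "dst": "10.10.2.20",  "dport": 502},   # SCADA polls PLC: ok
    {"src": "10.10.1.7",  "dst": "10.10.5.10",  "dport": 443},   # historian -> DMZ replica: ok
    {"src": "10.20.3.44", "dst": "10.10.5.10",  "dport": 443},   # IT reads replica: ok
    {"src": "10.20.3.44", "dst": "10.10.2.20",  "dport": 502},   # IT workstation polling a PLC
    {"src": "10.10.5.10", "dst": "10.10.1.7",   "dport": 1433},  # DMZ reaching back into OT
    {"src": "10.10.2.20", "dst": "203.0.113.7", "dport": 443},   # PLC "calling home"
    {"src": "10.10.1.5",  "dst": "10.10.2.20",  "dport": 3389},  # RDP inside OT, not allowlisted
    {"src": "10.20.3.44", "dst": "203.0.113.7", "dport": 443},   # IT browsing: ok
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}  {reason}")
```

Run over a day of real flow records, the findings list is the segmentation backlog: each entry is either a firewall rule that is looser than the architecture diagram or a host that is in the wrong zone. The two hard-coded refusals (anything into OT from IT or outside, anything from OT to the internet) are deliberately not configurable through the allowlist, so a permissive rule cannot quietly reintroduce them.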
Securing SCADA and OT Systems
OT security differs fundamentally from IT security in one critical respect: availability and safety take precedence over confidentiality. A patch that requires a 30-minute system restart is acceptable on a corporate laptop. The same patch applied to a PLC controlling water pressure regulation during peak demand may not be. Every security control in an OT environment must be evaluated against its potential impact on operational continuity.
Patching strategy for OT requires coordination between security and operations teams. Virtual patching — deploying intrusion prevention signatures at the network level to block exploitation of a known vulnerability without modifying the endpoint — is the practical interim measure for systems that cannot be taken offline for updates. Physical patching should occur during planned maintenance windows with full rollback capability.
Multi-factor authentication must be enforced for all remote access to OT systems, including third-party vendor connections. Vendor remote access sessions should be time-limited, monitored in real-time, and logged completely. Privileged access management solutions that require vendors to check out credentials for specific sessions — with automatic expiration — eliminate the risk of persistent, unmonitored vendor access that has enabled multiple high-profile utility compromises.
Anomaly detection systems tuned to industrial protocols provide real-time visibility into abnormal OT network behavior. Traditional signature-based security tools designed for IT environments cannot parse industrial protocols like Modbus or DNP3. OT-specific network detection and response platforms establish behavioral baselines for normal device communication patterns and alert on deviations — a PLC that begins communicating with a new destination, or a historian server scanning the OT network, represents an anomaly worth investigating immediately.
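The baseline-and-deviation logic is simple enough to reason about in a few dozen lines. The following Python is an added example, not code from any detection product: it learns which conversations and which writers are normal from a learning period, then flags a conversation never seen before, a write from a host that has never written to that controller, and one host touching many new targets in a window. The records are constructed (timestamp, source, destination, port, Modbus function code) tuples; a real deployment would derive them from a parsed capture and have operations staff review the baseline before it is trusted.

```python
"""Baseline-and-deviate detection for OT conversations.

Added example of the behavioural logic described above, not code from any NDR
product. Records are (timestamp, src, dst, dport, modbus_function) tuples; the
baseline period and the suspicious window below are constructed.
"""
from collections import defaultdict

WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # Modbus function codes that change state
SCAN_THRESHOLD = 5                          # new targets from one host in a window


def learn_baseline(records):
    """Which (src, dst, port) conversations exist, and which hosts write to which controllers."""
    conversations = set()
    writers = defaultdict(set)
    for _ts, src, dst, dport, fc in records:
        conversations.add((src, dst, dport))
        if fc in WRITE_FUNCTIONS:
            writers[dst].add(src)
    return {"conversations": conversations, "writers": dict(writers)}


def detect(baseline, records):
    """Return (timestamp, kind, detail) alerts for the window, in order of detection."""
    alerts = []
    new_targets = defaultdict(set)
    for ts, src, dst, dport, fc in records:
        if (src, dst, dport) not in baseline["conversations"]:
            new_targets[src].add((dst, dport))
            alerts.append((ts, "new-conversation", f"{src} -> {dst}:{dport} not in baseline"))
        if fc in WRITE_FUNCTIONS and src not in baseline["writers"].get(dst, set()):
            known = sorted(baseline["writers"].get(dst, []))
            alerts.append((ts, "unexpected-write",
                           f"{src} issued write FC{fc} to {dst}; baseline writers: {known}"))
    for src, targets in new_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append((None, "scan",
                           f"{src} touched {len(targets)} new targets: possible OT network scan"))
    return alerts


# Constructed learning period: SCADA polls and writes, EWS downloads, historian reads.
BASELINE_RECORDS = [
    ("d1 08:00", "10.10.1.5", "10.10.2.20", 502, 3),
    ("d1 08:00", "10.10.1.5", "10.10.2.21", 502, 3),
    ("d1 08:05", "10.10.1.5", "10.10.2.20", 502, 6),    # SCADA writes a setpoint
    ("d2 14:00", "10.10.1.9", "10.10.2.20", 502, 16),   # engineering workstation downloads logic
    ("d3 09:00", "10.10.1.7", "10.10.2.20", 502, 3),    # historian reads only
]

# Constructed window: a compromised historian starts writing and sweeping the PLC subnet,
# and the engineering workstation touches a controller it never has before.
WINDOW_RECORDS = [
    ("d8 08:00", "10.10.1.5", "10.10.2.20", 502, 3),
    ("d8 08:05", "10.10.1.5", "10.10.2.20", 502, 6),
    ("d8 08:07", "10.10.1.7", "10.10.2.20", 502, 6),
] + [("d8 08:1%d" % i, "10.10.1.7", "10.10.2.%d" % (30 + i), 502, 3) for i in range(5)] + [
    ("d8 09:00", "10.10.1.9", "10.10.2.21", 502, 16),
]

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_RECORDS)
    for alert in detect(baseline, WINDOW_RECORDS):
        print(alert)
```

The point of keeping writers separate from conversations is that the historian already talks to the PLC every day, so a pure "new peer" rule would stay silent while it changes a setpoint; tracking which hosts are allowed to write is what makes that first FC6 from 10.10.1.7 visible.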
Offline backups of control logic, system configurations, and SCADA project files are a non-negotiable requirement. These backups must be stored in isolated security domains — not on the same network that could be encrypted by ransomware — and tested regularly. Knowing that a PLC program can be restored from backup in two hours versus rebuilt from scratch over several days is the difference between a manageable incident and a prolonged public health or safety crisis.
Incident Response Planning for Utilities
The EPA released an updated Cybersecurity Incident Response Plan template, Emergency Response Plan guide, incident-specific checklists, and cybersecurity procurement checklist in October 2025 as part of its “Powering the Great American Comeback” initiative. These resources reflect the specific operational realities of water and wastewater utilities and are available at no cost.
An effective incident response plan for a water or power utility must address scenarios that IT-focused IR templates do not cover: SCADA system compromise, manipulation of chemical dosing setpoints, ransomware on historian servers, loss of remote visibility into distributed assets, and simultaneous cyber and physical incidents.
Key components every utility IR plan needs:
Pre-defined OT shutdown and isolation procedures. When a SCADA compromise is detected, operators need clear, pre-approved authority to isolate network segments or revert to manual operation — without waiting for a chain of approvals that assumes normal business hours and full staff availability.
Manual operation runbooks. Water treatment and power distribution have manual fallback procedures. These must be current, physically printed, and accessible without relying on the systems that may be compromised during an incident.
Regulatory notification timelines. EPA, CISA, and sector-specific regulators define reporting requirements for significant cyber incidents, and the clocks differ: NERC CIP-008 requires bulk electric system entities to notify the E-ISAC and CISA within one hour of determining that a Reportable Cyber Security Incident has occurred, while the CIRCIA statute sets 72 hours for covered incidents and 24 hours for ransom payments once CISA's implementing rule takes effect. Each applicable deadline must be written into the IR plan with named responsible parties.
Joint recovery exercises involving operations, IT, security, and executive leadership. Tabletop exercises that test only the security team are insufficient. Recovery from an OT incident requires coordination across functions that rarely practice together.
Post-incident review and plan updates. Every drill and every real incident should produce documented lessons that are incorporated into the next plan revision.
Regulatory Compliance Framework
Water and power utilities operate under an increasingly complex regulatory environment. Understanding which frameworks apply — and how they interact — is essential for avoiding duplicated compliance effort.
NIST Cybersecurity Framework (CSF 2.0) is the most widely adopted baseline for utility cybersecurity programs. Its six functions, Govern, Identify, Protect, Detect, Respond, and Recover, map directly to the operational requirements of water and power infrastructure. The Govern function, new in the February 2024 release of CSF 2.0, addresses organizational accountability, supply chain risk, and risk management strategy.
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards are mandatory for bulk electric system owners and operators. CIP-002 through CIP-014 cover asset classification, security management, personnel training, physical security, system security management, incident reporting, and supply chain risk management.
America’s Water Infrastructure Act requires community water systems serving more than 3,300 people to conduct risk and resilience assessments and develop emergency response plans. The EPA’s October 2025 tools directly support compliance with these requirements.
NIS2 Directive applies to essential service operators in EU member states, including water and energy utilities, mandating risk management measures, incident reporting, supply chain security, and business continuity planning with significant penalties for non-compliance.
IEC 62443 is the international standard series specifically designed for Industrial Automation and Control Systems security. It provides a structured methodology for assessing and improving OT security that aligns with both NERC CIP and NIST CSF requirements.
The Cybersecurity Information Sharing Act, reinstated through January 2026 following the November 2025 bipartisan funding package, restores liability protections and real-time threat information sharing mechanisms that are particularly valuable for smaller utilities without dedicated threat intelligence teams.
Staff Training and Security Culture
Technical controls address only part of the attack surface. Phishing remains the most common initial access vector for utility breaches — a credential harvested from a plant manager’s email is often simpler to obtain than a technical OT network exploit. Building a security-aware workforce is not optional.
Training programs for utilities must be role-differentiated. Control room operators, field technicians, IT staff, and executives face different threats and need different knowledge. A field technician connecting a laptop to a substation control panel needs to understand the risk of connecting unauthorized devices to OT networks. An executive approving vendor contracts needs to understand supply chain security requirements.
Phishing simulation campaigns with targeted follow-up training for employees who click are consistently the highest-return investment in human security awareness. Frequency matters — annual training alone produces minimal retention. Monthly or quarterly simulations combined with brief, role-relevant awareness updates sustain the behavioral changes that make social engineering significantly harder.
OT-specific threat awareness for engineering and operations staff should cover: why IT security tools cannot simply be applied to OT systems, how to recognize anomalous behavior in control system displays, and what the correct escalation path is when something looks wrong — before reaching out to a vendor or attempting to fix it independently.
Third-Party and Vendor Risk Management
Remote vendor access is consistently cited as a primary attack vector in utility OT incidents. Vendors require access for maintenance, calibration, firmware updates, and troubleshooting — but unmanaged, persistent vendor credentials create exactly the kind of broad, unmonitored access that attackers exploit.
A structured vendor risk management program for utilities should require: evidence of the vendor’s own cybersecurity controls before granting access; contractual obligations for breach notification within defined timeframes; and access limited to specific systems, specific timeframes, and specific monitored sessions. Privileged access management platforms that create time-limited, session-recorded vendor connections eliminate persistent credentials entirely.
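The session check-out pattern described here, and earlier under SCADA and OT hardening, reduces to three properties a jump host can verify before it opens a connection: the grant names one vendor and one device, it expires, and it can be used once. The Python below is an added example, not the API of any PAM product; it signs each grant with an HMAC under a key shared between the broker and the jump host, and the vendor, device and ticket names are constructed.

```python
"""Single-use, time-boxed, target-scoped vendor access grants.

Added example of the check-out pattern described above; it is not the API of any
PAM product. The broker signs a grant for one vendor, one device and one window;
the OT jump host verifies it with the shared key before opening a session and
refuses reuse. Key, vendor and device names are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def issue_grant(key, vendor, target, ttl_seconds, ticket, now=None, grant_id=None):
    """Broker side: sign a grant for `vendor` to reach `target` until now + ttl."""
    now = int(time.time() if now is None else now)
    body = {
        "id": grant_id or secrets.token_hex(8),
        "vendor": vendor,
        "target": target,       # one device or jump-host target, not "the OT network"
        "ticket": ticket,       # change/maintenance ticket that justifies the session
        "issued": now,
        "expires": now + int(ttl_seconds),
    }
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_grant(key, grant, target, now=None):
    """Jump-host side: return (ok, reason, body). The signature is checked before
    anything in the body is trusted."""
    now = time.time() if now is None else now
    payload, _, mac = grant.rpartition(".")
    if not payload:
        return False, "malformed", None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature", None
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["target"] != target:
        return False, f"grant is for {body['target']}, not {target}", body
    if now >= body["expires"]:
        return False, "expired", body
    return True, "ok", body


def open_session(key, grant, target, used_ids, now=None):
    """Verify the grant, burn its id so it cannot be replayed, and return a session
    record whose end time is capped at the grant's expiry (the session cannot outlive it)."""
    now = time.time() if now is None else now
    ok, reason, body = verify_grant(key, grant, target, now)
    if not ok:
        return None, reason
    if body["id"] in used_ids:
        return None, "already used"
    used_ids.add(body["id"])
    session = {"vendor": body["vendor"], "target": target, "ticket": body["ticket"],
               "started": int(now), "ends_at": body["expires"],
               "recording": f"session-{body['id']}.cast"}   # assumed recording file name
    return session, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed; the broker would hold this
    grant = issue_grant(key, "pump-vendor", "plc-dosing-01", ttl_seconds=3600, ticket="CHG-1042")
    used = set()
    print(open_session(key, grant, "plc-dosing-01", used))        # session record
    print(open_session(key, grant, "plc-dosing-01", used))        # (None, 'already used')
    print(open_session(key, grant, "rtu-substation-07", set()))   # wrong target
```

Two details carry most of the security value. The grant is bound to a ticket, so every recorded session can be matched to an approved piece of work, and the session's end time is taken from the grant rather than negotiated by the client, so a vendor cannot keep a tunnel open past the window by simply not disconnecting.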
Supply chain security extends to hardware and firmware. Utilities procuring new OT equipment should include cybersecurity specifications in procurement requirements — the EPA’s October 2025 cybersecurity procurement checklist provides a practical template. Firmware integrity verification before deployment and ongoing monitoring for vendor-released security advisories are baseline requirements for any connected OT device.
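The offline-backup requirement under SCADA and OT hardening and the firmware integrity check here come down to the same control: a signed manifest of hashes, produced when the backup is taken or the image is received from the vendor, and verified before anything is restored or flashed. The Python below is an added example, not from the EPA checklist or any vendor. It signs the manifest with an HMAC under a key assumed to be held by the verifying host but never stored on the backup share (a public-key signature, for instance Ed25519 through the `cryptography` package, is the better choice when verifiers should not hold a signing secret), and it builds its sample backup set in a temporary directory so it runs stand-alone.

```python
"""Hash manifest for OT backups and firmware images, signed so tampering with the
manifest itself is detected.

Added example, not from any vendor or the EPA checklist. Uses an HMAC with a key
assumed to be held by the verifying host and absent from the backup share.
"""
import hashlib
import hmac
import json
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest, key):
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return {"manifest": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify_tree(root, signed, key):
    """Check the signature first; only then compare the tree against the manifest.
    Modified, missing and unexpected files are reported separately so the restore
    team knows whether it is looking at corruption, loss or an injected artifact."""
    expected_mac = hmac.new(key, signed["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signed["mac"], expected_mac):
        return {"signature": False, "modified": [], "missing": [], "unexpected": [], "ok": False}
    expected = json.loads(signed["manifest"])
    actual = build_manifest(root)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return {"signature": True, "modified": modified, "missing": missing,
            "unexpected": unexpected, "ok": not (modified or missing or unexpected)}


def demo():
    """Run the manifest over a constructed backup set, then corrupt, delete and
    inject files to show what each failure looks like. Returns the three results."""
    import tempfile
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plc").mkdir()
        (root / "scada").mkdir()
        (root / "plc" / "dosing_pump_01.project").write_bytes(b"ladder logic, rev 12\n")
        (root / "plc" / "intake_rtu.cfg").write_bytes(b"baud=9600\n")
        (root / "scada" / "tags.csv").write_bytes(b"FIT-101,flow,m3/h\n")
        signed = sign_manifest(build_manifest(root), key)
        clean = verify_tree(root, signed, key)
        # simulate what a restore team might find: a modified project, a lost config, an extra binary
        (root / "plc" / "dosing_pump_01.project").write_bytes(b"ladder logic, rev 12 + extra rung\n")
        (root / "plc" / "intake_rtu.cfg").unlink()
        (root / "scada" / "helper.dll").write_bytes(b"\x00")
        dirty = verify_tree(root, signed, key)
        forged = verify_tree(root, signed, b"wrong-key")
    return {"clean": clean, "dirty": dirty, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The manifest should be verified on the restore host before a PLC program is downloaded, and on the engineering workstation before a firmware image is flashed, using the vendor's published hash where one exists. A backup that fails this check is not a backup; it goes into the incident timeline as evidence and the restore proceeds from the next-oldest copy that passes.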
Funding and Federal Resources for Small Utilities
Resource constraints are the most commonly cited barrier to cyber resilience improvement among smaller water and wastewater utilities. Staffing shortages, aging infrastructure budgets, and limited IT expertise are real constraints — but they do not eliminate the obligation to protect public health infrastructure.
Several federally funded resources reduce the cost of getting started. The State and Local Cybersecurity Grant Program, reinstated through January 2026, provides formula-based funding to state and local governments that many states use to assist smaller water utilities. WaterISAC provides threat intelligence, alerts, and resources specifically for the water sector. CISA’s Cybersecurity Advisor program offers free assessments and technical assistance for critical infrastructure operators. The EPA’s October 2025 guidance package, including the CIRP template and vulnerability assessment tools, is available at no cost.
Cyber insurance tailored to utility OT environments is an increasingly important financial risk management tool. Policies covering OT incident response, operational downtime, and public notification costs are now available from multiple carriers, though premiums reflect the risk profile of the utility’s security posture — making documented security investments directly valuable at renewal.
Pro Tips for Utility Security Teams
- Deploy passive OT asset discovery first. Before changing anything, know exactly what is on your OT network. Passive monitoring from a SPAN port or tap, which never sends packets to a controller, is the safe default for live control system environments; keep active queries to vendor-approved methods during maintenance windows.
- Treat your offline backups as critical infrastructure. Control logic, PLC programs, and SCADA configuration files stored on the same network as production systems will be encrypted in a ransomware event. Immutable, offline, regularly tested backups are the difference between hours and weeks of recovery time.
- Enforce MFA for every remote access session without exception. Vendor exemptions are the most common source of unmanaged remote access risk in OT environments.
- Test your manual operation procedures annually. If your staff cannot operate the water treatment plant or substation manually during a SCADA outage, a cyber incident becomes a public safety crisis. Manual runbooks must be current, printed, and practiced.
- Integrate cyber-informed engineering into new projects. Cybersecurity designed into new SCADA deployments and infrastructure upgrades from the start is dramatically cheaper than retrofitting security onto systems already in production.
- Join WaterISAC or E-ISAC. Sector-specific information sharing organizations provide threat intelligence that is directly relevant to your operating environment, often before threats become public knowledge.
Frequently Asked Questions
What are the 4 pillars of cyber resilience?
Cyber resilience for utilities rests on four pillars: anticipate threats through continuous risk assessment and threat intelligence; withstand attacks through layered technical controls including segmentation, MFA, and anomaly detection; recover quickly through tested incident response plans and offline backups; and adapt by integrating lessons from incidents and near-misses into ongoing program improvements. These pillars reflect the reality that prevention alone is insufficient — utilities must be able to absorb and recover from incidents while maintaining essential services.
What are the top cybersecurity threats facing water and power utilities?
The primary threats are ransomware targeting OT and IT systems simultaneously, state-sponsored APT intrusions seeking long-term access to control system networks, supply chain compromise through vendor remote access or compromised firmware, unsecured internet-facing HMI devices exploitable without specialized knowledge, and insider threats from accidental misconfigurations or deliberate sabotage. Social engineering targeting utility employees remains the most common initial access vector across all threat categories.
What frameworks should water utilities use for cybersecurity?
The NIST Cybersecurity Framework 2.0 is the recommended baseline for most U.S. water utilities, with IEC 62443 providing OT-specific technical guidance. America's Water Infrastructure Act, administered by the EPA, requires risk and resilience assessments and emergency response plans for community water systems serving more than 3,300 people. The EPA's October 2025 CIRP template and assessment tools directly support compliance with these requirements. EU utilities must also address NIS2 Directive obligations for essential service operators.
How can small water utilities afford cybersecurity improvements?
Federal resources significantly reduce the cost barrier. CISA offers free cybersecurity assessments and technical assistance. WaterISAC provides sector-specific threat intelligence at low or no cost for small utilities. The State and Local Cybersecurity Grant Program funds cybersecurity planning through state governments. The EPA’s October 2025 guidance package — including assessment templates, CIRP template, and procurement checklist — is available at no cost. Starting with high-impact, low-cost controls such as MFA on all remote access, offline backups of OT configurations, and basic network segmentation delivers meaningful risk reduction before larger investments are made.
What is cyber-informed engineering for utilities?
Cyber-informed engineering integrates cybersecurity considerations into the design and engineering phase of utility infrastructure projects, rather than treating security as an afterthought once systems are already deployed. For water utilities, this means evaluating the cybersecurity implications of connecting new sensors, SCADA upgrades, or cloud-based monitoring platforms before procurement and deployment. Physical interlocks and mechanical limits that prevent unsafe operations even if digital control systems are compromised are one example: a chemical feed pump sized so that it physically cannot deliver a harmful dose will not do so whatever setpoint a compromised PLC receives. CIE is being adopted by leading utilities and is promoted by the Department of Energy and Idaho National Laboratory as the standard approach to securing new critical infrastructure deployments.