
Among critical infrastructure sectors, water and wastewater operations stand apart as key enablers of many other vital functions of modern society. From drinking water to enabling medical care to cooling data centers, reliable water supplies are vital to nearly all other sectors.

The challenge is that the water and wastewater sectors often operate at a very local level. As a result, they almost always have limited resources, and those resources are focused on immediate, everyday operations. As noted by the American Public Works Association, 85% of water utilities in the United States employ fewer than three full-time employees. With staffing that thin, information security tasks and functions cannot be properly owned or overseen. This lack of resourcing leads a variety of adversaries, from criminals and "hacktivists" to state-directed entities, to view the sector as a unique combination of critical to social function and particularly vulnerable to disruption. According to analysis ranging from commercial security providers to U.S. Congressional hearings, the sector remains at risk of intrusions whose consequences range from short-term service interruption to worse outcomes.

A Global Issue

At a global scale, especially since Russia's invasion of Ukraine in early 2022, multiple cyber incidents have emerged across the water sector. Summarized in the following table, the incidents include unproven hacktivist claims, ransomware incidents, and state-directed access to control systems. The common thread binding these water sector intrusions is that targeting appears opportunistic: victimology concentrates on smaller, under-resourced, local utilities rather than on larger, better-resourced municipalities or regional entities.

Date           | Victim                  | Actor                              | Impact
November 2023  | not stated              | CyberAv3ngers                      | PLC access & defacement
December 2023  | not stated              | CyberAv3ngers                      | PLC access & service disruption
January 2024   | not stated              | Cyber Army of Russia Reborn (CARR) | System manipulation
April 2024     | not stated              | Cyber Army of Russia Reborn (CARR) | Claimed access to wastewater system
September 2024 | not stated              | Z-Pentest                          | System access, shift to manual operations
2025           | Multiple sites, Poland  | Russia-affiliated actors           | System access & device alteration

A table of selected water sector incidents

In the weeks before this writing, the Polish Internal Security Agency (ABW) noted in its annual report for 2025 that Russian-affiliated entities breached water infrastructure at no fewer than five Polish water utility locations. The intrusions progressed to a point where system manipulation was possible, although no disruption was noted. This comes on the heels of sustained intrusion activity in which entities sympathetic to Russian and Iranian interests opportunistically accessed water utility assets, often under a "hacktivist" guise.

For example, Iranian-linked (if not -directed) adversaries engaged in a prolonged campaign against multiple water utilities running equipment from Israel-based Unitronics. As detailed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and others, the CyberAv3ngers “hacktivist” entity compromised multiple, externally-accessible Unitronics PLCs and HMIs while also defacing the systems with political messaging. While not immediately disruptive to water sector operations, the access could have been used to facilitate far more impactful scenarios, such as device manipulation or destruction, leading to subsequent service impacts.

The Looming Threat of Greater Impact

Alongside these opportunistic campaigns is a far more concerning trend: Volt Typhoon operations probing the water sector and developing persistent access over time. As discussed in a previous post, Volt Typhoon remains a “latent” but deeply concerning threat in that the group has patiently worked to compromise critical infrastructure entities, including electric utilities and water and wastewater groups, over several years for indeterminate reasons. This introduces the concerning possibility for either local or widespread disruption from the compromise of multiple utilities, with follow-on responses fragmented among multiple individual water utilities.

From Volt Typhoon and CyberAv3ngers to other entities, the water and wastewater sectors are in the crosshairs of a number of threats, ranging from opportunistic nuisances to truly concerning and potentially impactful operations over the longer run. As noted in previous Dataminr analysis on hacktivist operations, much of this is enabled by externally accessible, critical assets with unpatched vulnerabilities, weak authentication mechanisms, default credentials, or some combination of the three. From a utility perspective, the solutions to these issues appear obvious and are rooted in seemingly basic cyber hygiene. However, given the vast number of water and wastewater utilities operating across North America and Europe (148,000 such utilities in the U.S. alone) and the resources available to these entities, even basic security practices and engineering decisions may be expensive or nearly impossible to implement.
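The three enabling conditions named above (internet exposure, default or weak credentials, unpatched firmware) can be turned into a simple triage pass over an asset inventory. The script below is an added example written for this brief; it is not Dataminr tooling and not a utility's own code. It assumes a hypothetical inventory format (name, address, vendor, open ports, known password, patch state) and a small port-to-protocol map; the Unitronics PCOM port (TCP 20256) and default password "1111" are the values CISA cited in its advisory on the CyberAv3ngers campaign, while the remaining ports, the vendor names, and the addresses are constructed placeholders.

```python
"""Example triage of a constructed water-utility asset inventory.

Ranks assets by the conditions the brief names as enabling opportunistic
intrusions: ICS services reachable from the internet, default or weak
credentials, and unpatched firmware. Not Dataminr tooling; inventory format
and thresholds are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical port map for ICS services a scan of a small utility commonly finds.
# TCP 20256 is the Unitronics PCOM port named in CISA's CyberAv3ngers advisory.
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    5900: "VNC (HMI remote access)",
    20256: "Unitronics PCOM",
    44818: "EtherNet/IP",
}
# "1111" is the Unitronics default password CISA told operators to change.
VENDOR_DEFAULT_PASSWORDS = {"Unitronics": {"1111"}}
MIN_PASSWORD_LENGTH = 8  # assumed threshold for the weak-credential check


@dataclass
class Asset:
    name: str
    ip: str
    vendor: str
    open_ports: List[int]
    password: Optional[str] = None  # None = not known from a config review
    patched: bool = True            # firmware at the vendor-recommended level


@dataclass
class Finding:
    asset: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def is_internet_exposed(ip: str) -> bool:
    """True for globally routable addresses only.

    is_global is False for RFC 1918, loopback, link-local, CGNAT and the
    RFC 5737 documentation ranges, so sample data must not use 203.0.113.0/24.
    """
    return ipaddress.ip_address(ip).is_global


def assess(asset: Asset) -> Finding:
    """Apply the three checks and collapse them into one severity."""
    reasons: List[str] = []
    ics = [ICS_PORTS[p] for p in asset.open_ports if p in ICS_PORTS]
    exposed = bool(ics) and is_internet_exposed(asset.ip)
    if exposed:
        reasons.append("ICS service reachable from the internet: " + ", ".join(ics))
    if asset.password is not None:
        if asset.password in VENDOR_DEFAULT_PASSWORDS.get(asset.vendor, set()):
            reasons.append("vendor default password still set")
        elif len(asset.password) < MIN_PASSWORD_LENGTH:
            reasons.append("weak password")
    if not asset.patched:
        reasons.append("firmware not patched")

    # Exposure alone is high; exposure plus any second weakness is the
    # opportunistic-intrusion profile described above, so it is critical.
    if exposed and len(reasons) > 1:
        severity = "critical"
    elif exposed:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "info"
    return Finding(asset.name, severity, reasons)


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def triage(inventory: List[Asset]) -> List[Finding]:
    """Assess every asset and return findings, worst first."""
    return sorted((assess(a) for a in inventory),
                  key=lambda f: (SEVERITY_ORDER[f.severity], f.asset))


# Constructed inventory; the public addresses are placeholders, not real hosts.
SAMPLE_INVENTORY = [
    Asset("booster-plc-1", "23.45.67.89", "Unitronics", [20256, 80], password="1111"),
    Asset("lift-station-hmi", "23.45.67.90", "Generic", [5900, 443],
          password="Wx9#kLm2p", patched=False),
    Asset("plant-plc-2", "10.20.30.40", "Siemens", [502, 102], password="ops1"),
    Asset("office-fileserver", "10.20.30.50", "Generic", [445, 3389]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.severity:8} {f.asset:18} {'; '.join(f.reasons) or 'no finding'}")
```

The ordering is the point: an internet-reachable PLC still on its vendor default password lands at the top, an exposed HMI running old firmware beside it, and a PLC on a private segment with a weak password below both, which is the order in which a thinly staffed utility (or a partner program helping it) should spend its first hours.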

Four Key Actions Organizations Should Take

Beyond immediate network defense at the utilities themselves, other entities, from governments and organizations that manage or supervise facilities to commercial organizations that depend on them, should consider the following steps:

No. 1: Maintain awareness of potential disruptions

Determining risk and developing response, recovery, and contingency plans to ensure continuity of operations for vital services, such as healthcare, is not just desirable but necessary in an increasingly contested information environment.

No. 2: Invest in resources to better equip smaller municipalities

While many defenses and mitigations are “basic” in nature, they nonetheless remain out of reach for the majority of small operators. Removing opportunistic intrusion routes and minimal hardening are easy to advocate for, yet frustratingly difficult to actually address in present circumstances.

No. 3: Address the talent gap between attackers and defenders

The asymmetry in skill and resourcing between capable threat actors and local water utilities is concerning. Expecting a small municipal utility with a handful of employees to defend itself, using only its own resources, against an actor such as Volt Typhoon is not realistic. Public-private sector partnerships, such as those to identify and remove internet-exposed assets, may provide one avenue to address some of the security challenges facing utilities. But additional work is required to address the prospect of cyber disruption extending beyond the immediate victims to the entities dependent on utility operations.

No. 4: Extend cyber awareness to cyber-physical risk monitoring

Identifying that an asset is exposed and vulnerable on the internet requires both logical and physical follow-on actions. Organizations must consider both technological remediation and any risk associated with the location of the asset. Aligning the virtual threat with physical impact scenarios allows governments and stakeholders to identify potential risks and begin building contingency plans for potential disruptive or worse scenarios.

Organizations that embrace a cyber-physical risk monitoring approach will not only identify that a claim against this sector has been made, but will also be able to rapidly geolocate the victim entity and its service area. Essentially, an approach that encompasses the entire sector is necessary and should combine efforts ranging from cyber-focused monitoring and hygiene to cyber-physical service and asset mapping. This will allow for informed defensive and planning decisions within the water and wastewater space. Eliminating opportunistic attacks may be possible, but motivated adversaries such as Volt Typhoon will likely continue to see success. To keep pace with these advanced actors, response efforts must reach beyond cyber prevention into real-world planning and contingencies.

Considering the vast and diffuse attack surface that water and wastewater facilities present in the greater context of critical infrastructure, intrusions will certainly continue for the foreseeable future. Governments and stakeholders must work with and invest in these organizations to build better defenses, develop awareness of risk, and build mitigations for future disruption around critical services. Establishing holistic cyber-physical risk awareness, visibility, and continuity planning is thus not just an ideal, but an increasingly necessary goal for the multiple stakeholders involved in critical infrastructure operations generally, and in the water and wastewater sectors specifically.

Mending the Broken Cyber Defense Chain

Download Mending the Broken Cyber Defense Chain — the complete ebook with detailed scenarios, framework analysis, and the full evidence base.

Author: Joseph Slowik, Director, Threat Research and Cyber Engineering
June 8, 2026