Why Water Systems Are a Persistent Target
Water and wastewater systems occupy a unique position in the critical infrastructure threat landscape. They are simultaneously:
- High consequence — disruption or manipulation of treatment processes directly threatens public health
- Poorly defended — many utilities operate on thin budgets with IT/OT teams that lack dedicated security resources
- Internet-exposed — a significant number of water utility control systems are directly reachable from the internet, often without the operators' knowledge
The combination of high impact and low barrier to entry makes water systems attractive both to state-sponsored actors seeking strategic leverage and to unsophisticated threat actors looking for visible targets. The sector’s threat profile spans the full spectrum from script-kiddie access to SCADA HMIs through to Volt Typhoon pre-positioning campaigns targeting communications and operational resilience.
The Oldsmar Incident: Still a Benchmark
The February 2021 Oldsmar, Florida attack remains the most commonly cited water sector cyber incident — and it illustrates the sector’s most persistent vulnerability class. An attacker gained remote access to the plant’s HMI (reportedly via TeamViewer, which was still installed and internet-accessible), briefly increased sodium hydroxide (lye) dosing to 111 times the normal level, and was caught by an alert operator who noticed the cursor moving.
Five years on, the vulnerability that enabled Oldsmar — internet-accessible HMI software with weak or no authentication — remains widespread. CISA’s Cybersecurity Advisory on internet-exposed water sector ICS (2024) noted thousands of exposed devices globally, with a significant proportion running end-of-life software with known unpatched vulnerabilities.
Current Threat Vectors
Internet-Exposed HMIs and Engineering Workstations
The most prevalent vulnerability class: SCADA HMI software, historian servers, and engineering workstations accessible directly from the internet, often because the utility’s network was extended to the internet during COVID-era remote operations and never fully secured afterwards.
Common exposed software includes:
- GE iFIX and CIMPLICITY
- Wonderware InTouch / AVEVA System Platform
- Siemens WinCC
- Rockwell FactoryTalk View
- Various custom web-based HMI portals
Scanning with Shodan for port:102 siemens or similar queries routinely surfaces water sector assets. Threat actors use the same tools.
Priority action: Conduct an internet-facing asset inventory. Remove any direct internet access to OT network components. Where remote access is operationally necessary, implement VPN with MFA as a mandatory intermediary — never expose the HMI directly.
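The inventory step above is easier to act on if the raw scan output is reduced to a ranked list of what should not be reachable at all. The following script is an added example, not code from the article or from any vendor: it takes a constructed list of (host, port, banner) tuples standing in for the results of an authorised external scan of the utility's own address space, skips the one sanctioned VPN/MFA gateway, and flags OT protocol ports, remote-access tools and anything whose banner looks like an HMI product. The port table is standard IANA/vendor defaults; the severity labels, the banner hints and the sample addresses are this example's own assumptions.

```python
"""Triage of externally reachable services for OT and HMI exposure.

Added example; not from the article. SAMPLE_SCAN is constructed input that
stands in for an authorised external scan of the utility's own address space.
"""
from dataclasses import dataclass

# Services that should never be reachable from the internet on a water utility.
# Port/service names are standard defaults; severities are an assumption here.
OT_AND_REMOTE_ACCESS_PORTS = {
    102: ("Siemens S7comm / ISO-TSAP", "critical"),
    502: ("Modbus/TCP", "critical"),
    20000: ("DNP3", "critical"),
    44818: ("EtherNet/IP", "critical"),
    4840: ("OPC UA", "high"),
    5900: ("VNC", "high"),
    5938: ("TeamViewer", "high"),
    3389: ("RDP", "high"),
    80: ("HTTP (possible web HMI)", "medium"),
    443: ("HTTPS (possible web HMI)", "medium"),
}

# Substrings that mark a banner as an HMI product (assumed list, not exhaustive).
HMI_BANNER_HINTS = ("ifix", "cimplicity", "intouch", "aveva", "wincc",
                    "factorytalk", "unitronics", "hmi")

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    severity: str
    reason: str


def triage(scan_results, allowed_remote_access):
    """Return findings for every exposed OT protocol, remote-access tool or HMI portal.

    `allowed_remote_access` is the set of (host, port) pairs belonging to the
    sanctioned VPN/MFA gateway, the only approved entry point into the OT network.
    """
    findings = []
    for host, port, banner in scan_results:
        if (host, port) in allowed_remote_access:
            continue
        banner_l = banner.lower()
        looks_like_hmi = any(hint in banner_l for hint in HMI_BANNER_HINTS)
        if port in OT_AND_REMOTE_ACCESS_PORTS:
            service, severity = OT_AND_REMOTE_ACCESS_PORTS[port]
            if port in (80, 443):
                # Plain web ports are only a finding when the banner names an HMI product.
                if not looks_like_hmi:
                    continue
                severity = "critical"
            findings.append(Finding(host, port, service, severity, "direct internet exposure"))
        elif looks_like_hmi:
            findings.append(Finding(host, port, "HMI (from banner)", "critical",
                                    "HMI banner on non-standard port"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.port))
    return findings


# Constructed scan results (documentation addresses, invented banners).
SAMPLE_SCAN = [
    ("203.0.113.10", 443, "OpenVPN Access Server"),          # the sanctioned VPN gateway
    ("203.0.113.11", 5938, "TeamViewer"),                    # remote-access tool exposed directly
    ("203.0.113.12", 102, "Siemens SIMATIC S7-300"),         # PLC programming port on the internet
    ("203.0.113.13", 443, "AVEVA InTouch Web Client"),       # web HMI behind HTTPS
    ("203.0.113.14", 80, "nginx - utility public website"),  # ordinary website, not a finding
    ("203.0.113.15", 8080, "Custom web HMI - Plant 2"),      # HMI portal on a non-standard port
    ("203.0.113.16", 22, "OpenSSH 9.2"),                     # SSH: outside this check's scope
]
ALLOWED_REMOTE_ACCESS = {("203.0.113.10", 443)}

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN, ALLOWED_REMOTE_ACCESS):
        print(f"{f.severity:8} {f.host}:{f.port:<5} {f.service} ({f.reason})")
```

Findings are sorted so that exposed OT protocols and HMI portals come first; the design choice worth noting is that the VPN gateway is excluded by an explicit allow-list rather than by port, so a second HTTPS service that turns out to be an HMI is still reported.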
Default and Weak Credentials
Many ICS devices in water sector deployments retain manufacturer default credentials. PLC programming interfaces, HMI authentication, historian databases, and network equipment are frequently found with default or trivially guessed passwords during security assessments.
The specific vulnerability that enabled the Aliquippa, Pennsylvania Municipal Water Authority attack in November 2023 — where an Iranian-affiliated group (CyberAv3ngers) compromised a Unitronics PLC — was default credentials on an internet-facing device. The device was a Unitronics Vision series PLC with the default password 1111.
Supply Chain and IT/OT Convergence
Modern water utility IT/OT architectures increasingly connect operational systems to corporate IT networks for data historians, reporting, and remote monitoring. This convergence, while operationally beneficial, creates lateral movement paths from the IT network (which faces a much broader attack surface) into OT environments.
The typical attack path: phish an IT user → establish persistence in the IT network → identify historian or data collection systems that bridge the IT/OT boundary → move laterally into the OT network.
Nation-State Threat: Volt Typhoon in Water Sector
CISA and FBI advisories in 2024-2026 have explicitly named water and wastewater systems as a sector in which Volt Typhoon, the Chinese state-sponsored group assessed to be preparing for potential disruption operations rather than conducting espionage, is pre-positioning. The pre-positioning pattern in the water sector is consistent with the group's broader CNI targeting:
- Long dwell times without destructive action (months to years)
- Living-off-the-land techniques using legitimate tools that blend with normal operational traffic
- Persistence established in IT networks with capability to reach OT systems
- Minimal footprint designed to survive standard incident response
The targeting rationale is strategic leverage rather than near-term disruption. Pre-positioned access in water systems provides coercive capability during a geopolitical crisis — the threat of disruption is itself an instrument of pressure.
Water utilities should assume that Volt Typhoon-style pre-positioning campaigns are actively targeting their sector and conduct hunt operations specifically looking for low-and-slow intrusions in IT environments with OT adjacency.
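The IT-to-OT attack path described under Supply Chain and IT/OT Convergence and the hunt for low-and-slow intrusions recommended here share one data source: flow records at the IT/DMZ/OT boundaries. The script below is an added example, not the article's own or any product's: it assigns constructed Purdue-style zones, classifies each flow against an assumed list of approved boundary crossings, and then looks for the same violation recurring across several days, which is how a patient intrusion shows up when each individual day looks like noise. Zones, the approved-flow list and the flow records are all constructed.

```python
"""Hunting for IT/OT boundary violations in flow records.

Added example; not from the article. ZONES, APPROVED_FLOWS and SAMPLE_FLOWS are
constructed, standing in for a firewall or NetFlow export.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed Purdue-style zones.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Assumption: the only sanctioned DMZ-initiated connection into OT is the
# historian (10.20.0.5) polling the OT data collector over Modbus/TCP.
APPROVED_FLOWS = {("10.20.0.5", "192.168.100.10", 502)}


def zone_of(ip):
    """Map an address to its zone name, or EXTERNAL if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def classify(src, dst, dport):
    """Return a reason string if the flow crosses a boundary the architecture forbids, else None."""
    if (src, dst, dport) in APPROVED_FLOWS:
        return None
    s, d = zone_of(src), zone_of(dst)
    if s == "IT" and d == "OT":
        return "IT host reached OT directly, bypassing the DMZ"
    if s == "DMZ" and d == "OT":
        return "unapproved DMZ-to-OT connection"
    if s == "OT" and d != "OT":
        return "OT-initiated connection leaving the OT zone"
    return None


def hunt(flows, min_days=3):
    """Return (violations, persistent).

    violations: every flow that breaks the boundary policy, with its reason.
    persistent: (src, dst, dport, reason) tuples seen on at least `min_days`
    distinct days, the low-and-slow pattern a daily alert review tends to dismiss.
    """
    violations = []
    days_seen = defaultdict(set)
    for ts, src, dst, dport in flows:
        reason = classify(src, dst, dport)
        if reason is None:
            continue
        violations.append((ts, src, dst, dport, reason))
        days_seen[(src, dst, dport, reason)].add(datetime.fromisoformat(ts).date())
    persistent = [key for key, days in days_seen.items() if len(days) >= min_days]
    return violations, persistent


# Constructed flow records: (timestamp, source, destination, destination port).
SAMPLE_FLOWS = [
    ("2026-03-01 09:00", "10.20.0.5", "192.168.100.10", 502),     # approved historian poll
    ("2026-03-01 02:13", "10.10.4.22", "192.168.100.10", 502),    # IT workstation talking Modbus at night
    ("2026-03-02 10:30", "10.10.7.9", "10.20.0.5", 443),          # IT user viewing DMZ reports: fine
    ("2026-03-03 02:17", "10.10.4.22", "192.168.100.10", 502),    # same host, two days later
    ("2026-03-04 03:40", "10.20.0.5", "192.168.100.20", 3389),    # historian opening RDP into OT
    ("2026-03-05 04:00", "192.168.100.20", "198.51.100.7", 443),  # OT host calling out to the internet
    ("2026-03-06 02:11", "10.10.4.22", "192.168.100.10", 502),    # third day: persistent
]

if __name__ == "__main__":
    found, repeating = hunt(SAMPLE_FLOWS)
    for row in found:
        print(*row)
    print("persistent:", repeating)
```

The per-day aggregation is the part that matters for pre-positioning: a single Modbus connection from an IT workstation is easy to write off as a misconfigured report, but the same workstation reaching the same OT collector at roughly the same hour on three separate days is the footprint the hunt should surface.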
Sector-Specific Defensive Priorities
1. ICS-Specific Network Segmentation: Implement genuine air-gapping or a robust DMZ architecture between IT and OT networks. Data historians, remote monitoring, and reporting functions should operate through unidirectional gateways (data diodes) where bidirectional communication is not operationally required. The Purdue model remains the reference architecture.
2. Asset Inventory with OT-Specific Tools: Passive asset discovery tools (Claroty, Dragos, Nozomi Networks, Armis) can identify OT devices without sending active scan traffic that could disrupt process equipment. Many water utilities lack a complete inventory of their OT assets — you cannot defend what you cannot see.
3. Vulnerability Management for Legacy OT: OT environments frequently contain 10-20 year old PLCs, RTUs, and HMIs that cannot be patched without vendor support and planned maintenance windows. Compensating controls (network segmentation, monitoring, protocol filtering) must substitute for patching in these environments.
4. Monitoring with OT Protocol Visibility: Standard IT SIEM monitoring does not understand OT protocols (Modbus, DNP3, OPC-UA, EtherNet/IP). Deploy OT-specific monitoring that can baseline normal process commands and alert on anomalous control commands — including seemingly benign setpoint writes that may be pre-attack reconnaissance or testing.
5. Incident Response Planning for Operational Scenarios: Water sector IR plans must account for the OT dimension — including the ability to operate manually if SCADA systems are unavailable, the process safety implications of control system unavailability, and communication protocols with state drinking water agencies and CISA during an incident.
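Priority 4 asks for monitoring that understands the control protocol and baselines what normal writes look like. The script below is an added example, not code from the article or from any monitoring product: it decodes Modbus/TCP requests (MBAP header plus function codes 3, 4, 5, 6 and 16, per the public Modbus specification) and checks each register write against a constructed baseline of who may write a register, what engineering range it may hold, and how large a single step may be. The register map, the allowed writer, the dosing setpoint and the captured frames are all constructed; the 111x write is included because it is the Oldsmar scale of change.

```python
"""Modbus/TCP write monitoring against a process baseline.

Added example, not code from the article or from any vendor product. The
register map, allowed writers, engineering ranges and captured frames are
constructed for illustration.
"""
import struct
from dataclasses import dataclass

WRITE_FUNCTIONS = {5, 6, 16}  # write single coil, write single register, write multiple registers


@dataclass
class ModbusRequest:
    unit: int       # MBAP unit identifier
    function: int   # Modbus function code
    address: int    # first register/coil address in the request
    values: list    # values written (empty for reads)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and PDU of a Modbus/TCP request (FC 3, 4, 5, 6, 16)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    if fc in (3, 4):                      # read holding / input registers
        addr, _qty = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(unit, fc, addr, [])
    if fc in (5, 6):                      # write single coil / register
        addr, val = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(unit, fc, addr, [val])
    if fc == 16:                          # write multiple registers
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) < 5 + nbytes:
            raise ValueError("write-multiple byte count does not match quantity")
        return ModbusRequest(unit, fc, addr, list(struct.unpack(f">{qty}H", pdu[5:5 + nbytes])))
    raise ValueError(f"unsupported function code {fc}")


@dataclass
class RegisterPolicy:
    name: str
    writers: frozenset  # source IPs allowed to write this register
    lo: int             # engineering range in raw register units
    hi: int
    max_step: float     # largest relative change per write, e.g. 0.5 = +/-50 %


# Constructed baseline: unit 1, holding register 40 is a chemical dosing setpoint
# that only the operator HMI at 192.168.100.5 may write.
BASELINE = {
    (1, 40): RegisterPolicy("dosing setpoint", frozenset({"192.168.100.5"}), 50, 200, 0.5),
}


def evaluate(src_ip, frame, baseline, current):
    """Return alert strings for one captured request.

    `current` maps (unit, register) -> last accepted value and is updated only
    when a write passes every check, so a rejected write never becomes the new baseline.
    """
    req = parse_modbus_tcp(frame)
    alerts = []
    if req.function not in WRITE_FUNCTIONS:
        return alerts                     # only control writes are alerted on here
    for offset, val in enumerate(req.values):
        key = (req.unit, req.address + offset)
        policy = baseline.get(key)
        if policy is None:
            alerts.append(f"{src_ip} wrote unbaselined register {key}")
            continue
        problems = []
        if src_ip not in policy.writers:
            problems.append(f"unexpected writer {src_ip}")
        if not policy.lo <= val <= policy.hi:
            problems.append(f"value {val} outside range {policy.lo}-{policy.hi}")
        prev = current.get(key)
        if prev and abs(val - prev) > policy.max_step * prev:
            problems.append(f"step {prev}->{val} ({val / prev:.1f}x)")
        if problems:
            alerts.append(f"{policy.name} {key}: " + "; ".join(problems))
        else:
            current[key] = val
    return alerts


def write_single(tid, unit, addr, value):
    """Build a constructed FC 6 request (MBAP length = unit + fc + 4 data bytes)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, 6, addr, value)


def write_multiple(tid, unit, addr, values):
    """Build a constructed FC 16 request."""
    body = struct.pack(">BHHB", 16, addr, len(values), 2 * len(values))
    body += struct.pack(f">{len(values)}H", *values)
    return struct.pack(">HHHB", tid, 0, 1 + len(body), unit) + body


# Constructed capture: (source IP, frame), in the order seen on the OT network.
SAMPLE_CAPTURE = [
    ("192.168.100.5", write_single(1, 1, 40, 100)),         # operator sets 100: accepted
    ("192.168.100.5", write_single(2, 1, 40, 120)),         # +20 %: within the step limit
    ("10.10.4.22", write_single(3, 1, 40, 120)),            # same value, but from an IT host
    ("192.168.100.5", write_single(4, 1, 40, 13320)),       # 111x the setpoint, far outside range
    ("192.168.100.5", write_multiple(5, 1, 40, [120, 7])),  # register 41 is not in the baseline
    ("192.168.100.5", struct.pack(">HHHBBHH", 6, 0, 6, 1, 3, 40, 1)),  # FC 3 read: no alert
]


def run_capture(capture, baseline=BASELINE):
    """Evaluate a whole capture; return (alerts, last accepted value per register)."""
    current, alerts = {}, []
    for src, frame in capture:
        alerts.extend(evaluate(src, frame, baseline, current))
    return alerts, current


if __name__ == "__main__":
    for line in run_capture(SAMPLE_CAPTURE)[0]:
        print(line)
```

Three checks fire on the constructed capture: the write from the IT host (right value, wrong source), the 111x write (out of range and an impossible step), and the write-multiple that spills into a register nobody baselined. Keeping `current` updated only on accepted writes is deliberate; a detector that learns from every write would treat the 13320 as the new normal and stay silent when the next write brings it back.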
CISA Resources for Water Utilities
- CISA Water Sector Resources page — sector-specific guidance, advisories, and the free cybersecurity assessment programme for water utilities
- WaterISAC — sector information sharing and analysis centre with threat intelligence specific to the water sector
- EPA Water Security Initiative — funding and technical assistance for smaller utilities
- CISA’s free ICS vulnerability scanning — available to water utilities as part of CISA’s critical infrastructure support programme