Five Incidents That Changed Water Utility Cybersecurity
Water utilities have historically operated under the assumption that they are too small, too local, and too low-profile to be targeted. Five incidents in four years proved that wrong — and each one exposed a different failure mode that the industry is still catching up to.
1. Oldsmar, Florida (February 2021) — The Wake-Up Call
An attacker remotely accessed the SCADA system at the Oldsmar water treatment plant and attempted to increase sodium hydroxide (lye) levels from 100 ppm to 11,100 ppm — a concentration that would have poisoned the water supply. An operator noticed the mouse moving on the HMI and intervened.
The attack used TeamViewer with shared credentials. No advanced exploit. No zero-day. Just remote access software with a known password.
What Oldsmar taught the industry: Remote access with shared credentials is not a theoretical risk — it is an open door. The attacker did not need to hack anything. They logged in. The fix is not better passwords; it is identity-based, MFA-protected, session-recorded remote access where every connection is attributed to a specific person.
2. South Staffordshire Water, UK (August 2022) — IT to OT in One Step
The Cl0p ransomware group breached the IT network at South Staffordshire Water and claimed access to SCADA systems controlling water treatment. Whether they actually reached SCADA or not, the incident exposed a structural problem: the IT and OT networks were close enough that a ransomware group could credibly claim to have crossed the boundary.
What South Staffordshire taught the industry: If your IT and OT networks are not segmented, an IT breach is an OT breach. Treatment plant SCADA, pumping station RTUs, and corporate email should never share the same network. Chemical dosing controllers should not be reachable from the email server.
3. Aliquippa, Pennsylvania (November 2023) — Nation-State Actors Hit Small Utilities
Iran-linked CyberAv3ngers compromised a Unitronics PLC at a water authority booster station. The default password "1111" was never changed. The attackers defaced the HMI with an anti-Israel message, but they had full control of the PLC — they could have changed pump operations.
What Aliquippa taught the industry: Nation-state groups are not just targeting large utilities. A small municipal water authority with a single booster station was hit because it had a PLC exposed to the internet with a default password. The fix is not more monitoring: it is ensuring that no OT device is directly reachable from the internet, and that no default credential survives commissioning. Both are cheap to verify: scan the utility's public address ranges from outside for listening PLC and HMI services, and check every commissioned device against the vendor's documented default password before it goes live.
4. Volt Typhoon Pre-Positioning (2024) — The Threat You Cannot See
In February 2024 CISA, the NSA and the FBI published a joint advisory reporting that Chinese state-sponsored actors (Volt Typhoon) had pre-positioned access in US critical infrastructure networks, including water and wastewater systems; in March 2024 the EPA and the White House followed with a letter warning state governors about the threat to water utilities. These were not smash-and-grab attacks. The adversary had established persistent, quiet access using living-off-the-land techniques that blend in with routine administration: sitting inside networks for months or, in some cases, years, mapping systems, and maintaining the ability to disrupt operations on command.
What Volt Typhoon taught the industry: You cannot rely on detecting attacks in progress. A well-resourced adversary will sit quietly inside your network until they choose to act. The defense is not better detection — it is network architecture that limits what an attacker can reach even after they get in. Every pump station needs its own encrypted tunnel to the SCADA server. A compromised RTU at one site should not be able to reach any other site.
5. The Regulatory Response (2023-2025) — Enforcement Arrives
The incidents above triggered a wave of regulatory action. In March 2023 the EPA issued a memorandum directing states to evaluate cybersecurity during sanitary surveys under the Safe Drinking Water Act; it withdrew the memorandum in October 2023 after states and industry groups challenged it in court, and shifted instead to enforcement inspections, reporting in a May 2024 enforcement alert that most of the systems it had inspected were violating SDWA requirements. CISA issued multiple advisories specifically targeting water sector vulnerabilities. The EU's NIS2 Directive explicitly lists drinking water supply and wastewater among its sectors of high criticality, with member states required to transpose it into national law by October 2024.
What the regulatory wave taught the industry: Voluntary best practices did not work. Water utilities that ignored cybersecurity for decades are now facing mandatory requirements — AWIA risk assessments in the US, NIS2 compliance in Europe (with penalties up to 10M EUR or 2% of global turnover), and state-level mandates appearing across the country.
What's at Risk: Water Utility OT Systems
Every one of the incidents above targeted or could have impacted these systems:
| System | Function | Typical Technology | Security Gaps |
|---|---|---|---|
| Chemical dosing controllers | Regulate chlorine, fluoride, and pH adjustment | PLCs (Allen-Bradley, Siemens, Unitronics) | Default credentials, no authentication on Modbus, no firmware updates |
| SCADA servers | Central monitoring and control | Wonderware, FactoryTalk, Ignition | Windows Server 2008/2012, unpatched, shared admin accounts |
| HMI workstations | Operator interface at treatment plants | Windows 10/11 PCs with SCADA client software | Shared logins, internet-connected, TeamViewer/AnyDesk installed |
| RTUs at pump stations | Remote monitoring and control of pumps and valves | Legacy RTUs with serial or Ethernet comms | No encryption, no authentication, physically accessible |
| Flow meters and sensors | Measure flow rate, pressure, turbidity, chemical levels | Industrial sensors with 4-20mA or Modbus | No security capability, data integrity depends on network security |
| Lift station controllers | Manage wastewater pumping | PLCs with cellular or radio connectivity | Cellular modems with default configs, no VPN |
| Historian/data logging | Store operational data for compliance reporting | OSIsoft PI, Wonderware Historian | On same network as SCADA, often exposed to IT network |
| Remote access | Vendor and operator access to SCADA from off-site | TeamViewer, AnyDesk, RDP, VPN | Shared credentials, no MFA, no session logging |
The common thread down the Security Gaps column: default credentials, no segmentation, no encryption, no logging. These are not advanced security gaps. They are basic ones, and they persist because water utilities have tiny budgets, minimal IT staff, and distributed infrastructure that makes traditional security approaches impractical.
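To make the "no authentication on Modbus" gap in the table concrete, here is an added example (not code from the article or from any product it mentions) that builds and parses Modbus/TCP request frames and flags write commands from any host other than an approved SCADA server. The MBAP header carries a transaction id, protocol id, length and unit id, then the function code follows: there is no field for a credential, so who may write a setpoint is enforceable only by reachability and by watching who sends write function codes. The host addresses, the allowlist and the sample frames are constructed for the example; the setpoint values 100 and 11100 simply echo the Oldsmar numbers above.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Function codes that change PLC state (Modbus application protocol spec).
# Reads are 0x01-0x04 and are not alerted on.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Assumed allowlist for the example: only the SCADA server may write setpoints.
APPROVED_WRITERS = {"10.20.1.10"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # starting coil/register address, if the PDU has one
    value: Optional[int]     # single-write value, if the PDU has one


def _mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    # MBAP header: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_write_single_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    """FC06 request. Nothing in the frame identifies or authenticates the sender."""
    return _mbap(transaction_id, unit_id, struct.pack(">BHH", 0x06, address, value))


def build_read_holding_registers(transaction_id: int, unit_id: int, address: int, count: int) -> bytes:
    """FC03 request: a read, so it is not a state change."""
    return _mbap(transaction_id, unit_id, struct.pack(">BHH", 0x03, address, count))


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the leading PDU fields; reject frames whose
    length field disagrees with the bytes actually present."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    address = value = None
    if len(frame) >= 12 and fc in (0x01, 0x02, 0x03, 0x04, 0x0F, 0x10):
        address, _count = struct.unpack(">HH", frame[8:12])
    elif len(frame) >= 12 and fc in (0x05, 0x06):
        address, value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(tid, unit, fc, address, value)


def detect_unauthorized_writes(records: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """records are (source_ip, destination_ip, frame) triples, e.g. from a span port.
    Returns one alert per write from a non-approved host and per malformed frame."""
    alerts = []
    for src, dst, frame in records:
        try:
            req = parse_request(frame)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src}->{dst}: {exc}")
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in APPROVED_WRITERS:
            alerts.append(
                f"UNAUTHORIZED WRITE {src}->{dst} unit {req.unit_id}: "
                f"{WRITE_FUNCTION_CODES[req.function_code]} addr {req.address} value {req.value}"
            )
    return alerts


# Constructed sample traffic, not captured data. Addresses are invented.
SAMPLE_TRAFFIC = [
    ("10.20.1.10", "10.20.3.21", build_write_single_register(1, 1, 0, 100)),    # SCADA sets setpoint: approved
    ("10.20.2.15", "10.20.3.21", build_read_holding_registers(2, 1, 0, 2)),     # HMI reads: no alert
    ("10.1.5.25", "10.20.3.21", build_write_single_register(3, 1, 0, 11100)),   # mail server writes: alert
]

if __name__ == "__main__":
    for line in detect_unauthorized_writes(SAMPLE_TRAFFIC):
        print(line)
```

Run it and the only alert is the write from the corporate mail-server address. Fed from a span port on the PLC segment, this turns the table row into a detection: a write function code arriving from anywhere outside the SCADA segment is, by policy, an incident, whether or not the value is as obviously wrong as 11100.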
Applying the Lessons: Network-Level Security for Water Utilities
Each incident points to a specific defensive measure. Zero-trust network appliances deployed at treatment plants and remote sites — the Trout Access Gate is one example — create an encrypted overlay across the entire utility network:
- Segment treatment from distribution from corporate (lesson from South Staffordshire). Separate the SCADA server network from the HMI workstations from the historian from corporate IT. An IT ransomware incident stays in IT.
- Isolate every remote site (lesson from Volt Typhoon). Each pumping station gets its own encrypted tunnel to the SCADA server. A compromised RTU at one pump station cannot reach any other pump station or the treatment plant control network.
- Kill shared credentials for remote access (lesson from Oldsmar). Replace TeamViewer with identity-based, MFA-protected, session-recorded remote access. Every connection to a SCADA system is attributed to a specific person with a specific authorization.
- Block direct internet exposure of OT devices (lesson from Aliquippa). No PLC, RTU, or HMI should be reachable from the internet. Overlay networking ensures that OT devices are only accessible through authenticated, encrypted paths.
- Encrypt cellular and radio links (lesson from distributed infrastructure). Overlay encryption on WAN connections between remote sites and the treatment plant. Even if an attacker intercepts cellular traffic, the SCADA commands are encrypted and authenticated. If a remote site loses its WAN connection, the local appliance continues to enforce access policy.
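The segmentation and isolation measures above reduce to one allowlist of permitted cross-zone flows. The following is an added example, not the article's or any vendor's code, that encodes such an allowlist for an assumed address plan (the zone ranges, ports and host addresses are invented for the illustration, including the historian port) and replays constructed flow records through it, reporting every connection the policy does not permit. Remote sites appear only as destinations of the SCADA server, so site-to-site and site-to-plant reachability is denied by omission rather than by a special rule.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed zone layout for the example; a real address plan differs per utility.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "corporate":   ipaddress.ip_network("10.1.0.0/16"),
    "scada":       ipaddress.ip_network("10.20.1.0/24"),
    "hmi":         ipaddress.ip_network("10.20.2.0/24"),
    "dosing_plc":  ipaddress.ip_network("10.20.3.0/24"),
    "historian":   ipaddress.ip_network("10.20.4.0/24"),
    "pump_site_a": ipaddress.ip_network("10.30.1.0/24"),
    "pump_site_b": ipaddress.ip_network("10.30.2.0/24"),
}

# Explicit allowlist of (source zone, destination zone, destination port).
# Anything not listed is a violation. No entry lets corporate reach OT, and
# no entry has a pump site as a source, so lateral movement between sites
# and from a site back into the plant is denied by omission.
ALLOWED_FLOWS = {
    ("hmi", "scada", 443),          # operator clients to the SCADA server
    ("scada", "dosing_plc", 502),   # SCADA polls and writes dosing PLCs
    ("scada", "historian", 5450),   # SCADA pushes tags to the historian (assumed port)
    ("scada", "pump_site_a", 502),  # SCADA to each site's RTU over that site's own tunnel
    ("scada", "pump_site_b", 502),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan (e.g. the internet) is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flows(flows: List[Tuple[str, str, int]]) -> List[str]:
    """flows are (src_ip, dst_ip, dst_port) records, e.g. exported from a firewall
    or overlay appliance. Returns one line per flow that crosses a zone boundary
    the allowlist does not permit; traffic within a known zone is out of scope."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue
        if (sz, dz, port) not in ALLOWED_FLOWS:
            violations.append(f"{src} ({sz}) -> {dst}:{port} ({dz})")
    return violations


# Constructed flow records, not real logs. Each violation maps to one of the lessons above.
SAMPLE_FLOWS = [
    ("10.20.2.15", "10.20.1.10", 443),   # HMI to SCADA: allowed
    ("10.20.1.10", "10.20.3.21", 502),   # SCADA to dosing PLC: allowed
    ("10.20.1.10", "10.30.1.5", 502),    # SCADA to pump station A RTU: allowed
    ("10.1.5.25", "10.20.3.21", 502),    # mail server to dosing PLC: IT reaching OT
    ("10.30.1.5", "10.30.2.5", 502),     # pump station A to pump station B: lateral movement
    ("10.30.1.5", "10.20.2.15", 3389),   # RTU site back into the HMI network: lateral movement
    ("203.0.113.7", "10.30.1.5", 502),   # internet host straight to an RTU: direct exposure
]

if __name__ == "__main__":
    for line in check_flows(SAMPLE_FLOWS):
        print("VIOLATION", line)
```

The allowlist is the same object an overlay appliance or firewall should enforce, so replaying exported flow logs through it is a quick way to show that enforcement matches the design before an auditor asks. Any flow it reports is either a policy error to fix or, if the rules are right, an incident to investigate.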
What a Secured Water Utility Looks Like
After deploying network-level security, a water utility can demonstrate:
- No default credentials on any network path — Every connection requires authentication
- Full session logging — Every remote access session to every SCADA system is recorded and auditable
- Network segmentation — Treatment, distribution, and corporate networks are isolated
- Encrypted communications — All SCADA traffic between sites travels through encrypted overlays
- Incident detection — Unauthorized connection attempts are detected and alerted
- Compliance documentation — Automated evidence generation for AWIA, NIS2, and state-level requirements
The investment required is a fraction of what a ransomware incident would cost — and incomparably less than a public health incident caused by compromised chemical dosing. Power grid operators face a similar distributed infrastructure challenge; our analysis of substation security and zero trust for distributed energy OT covers how overlay networking solves the same problem at scale. For water utilities, network-level security is not an IT project. It is a public safety measure.

