Keeping Your Head Above Water: Cyber Security and Water

Water is the essence of life, but in today’s digital world, it’s also an increasingly attractive target for cyber criminals. Water treatment plants and distribution systems rely on digital controls, which, if compromised, can lead to disastrous consequences, including contamination, service disruptions, and threats to public health.​

A 2024 assessment by the U.S. Environmental Protection Agency (EPA) found that 97 drinking water systems, serving approximately 26.6 million people, had critical or high-risk cyber security vulnerabilities.

​According to Check Point Research, thus far in 2025, the energy & utilities (including water) industry has suffered on average 1872 weekly attack attempts per organization, an increase of 53% comparing to the same timeframe last year. North America has seen the highest year-on-year change with an astonishing 89% increase in attacks compared to the same time period last year, followed by Europe (82%) and Africa (45%).

With critical infrastructure like water utilities under constant threat, it is only a matter of time before a cyber attack succeeds in impacting hundreds of thousands, if not millions of lives.

On this upcoming World Water Day on March 22nd, we explore the economic impacts of cyber vulnerabilities in water systems and provide insights into key security measures to ensure that water utilities and this precious resource remains safe to drink and dripping from our taps.

The Economics of a Water Attack

Beyond public health, cyber attacks on water infrastructure have massive economic repercussions. Water and wastewater providers are prime targets for cyber criminals due to the essential role they play in sustaining local communities and daily operations. However, the risks extend beyond operational disruptions. A compromised system could result in contaminated drinking water, posing serious threats to public health and safety.

Beyond households, numerous industries depend on a steady and secure water supply, including manufacturing plants and data centers, which rely on water for cooling systems. A cyber attack on these utilities could lead to widespread disruptions with severe consequences. Disruptions in water supply can halt industrial operations, impact agriculture, and destabilize local economies.​

For example, a one-day disruption in water service across the U.S. could jeopardize $43.5 billion in economic activity according to the US Water Alliance. A simulated example of a cyber attack on Charlotte Water in North Carolina projected daily losses of at least $132 million in lost revenue, with replacement costs exceeding $5 billion, results from a review of the agency’s cyber security initiatives by the Environmental Protection Agency’s Office of Inspector General.

In Italy, Alto Calore Servizi SpA, an Italian company that provides drinking water to 125 municipalities Avellino and Benevento — two provinces in southern Italy experienced a ransomware attack in 2023. The government-run company also manages sewage and purification services for both provinces. While the cyber attack did not disrupt water distribution, the company’s database was compromised, and it rendered all of their IT systems unusable.

Water systems, in particular, are highly vulnerable, as outdated infrastructure is suddenly exposed to internet-based threats, and the potential for disruption makes these facilities prime targets, especially for nation-state actors. In reality, a compromised water facility goes beyond just being a cyber incident as it impacts the entire country, making headlines and, more critically, poses a direct threat to public safety.

The economic toll of a successful cyber attack on water utilities is simply too great to ignore. Resilience must be prioritized, and investments in cyber security should be viewed as investments in economic stability.​

Strengthening Cyber Defenses: What Needs to Be Done

Water utilities must take a proactive approach to cyber security. According to the U.S. Environmental Protection Agency (EPA), 98% of cyberattacks could be prevented or minimized with basic cyber hygiene. Some critical steps to enhance security includes:

• Invest in Endpoint and Network Security: Water utilities should deploy AI-powered threat detection systems to monitor network activity and prevent intrusions.​
• Regulatory Gaps Leave Utilities Exposed: Cyber regulations for water utilities are not as stringent as those for the power or financial sectors, with the call for more to be done in this area.
• Mandate Cyber Security Training: The Water Information Sharing and Analysis Center (WaterISAC) has identified training as a top priority for improving cyber readiness as there is a severe lack of cyber security training amongst water operators with many facilities lacking dedicated cyber security personnel.​
• Enforce Multi-Factor Authentication (MFA): Prevent unauthorized access to operational technology (OT) systems as unsecured remote access is often a major vulnerability, with attackers often exploiting weak remote access protocols.​
• Develop Incident Response Plans: Water providers must have response protocols in place to minimize damage from potential attacks.​

As cyber threats to water infrastructure increase, the need for proactive security measures has never been greater. Governments, water utilities, and cyber security experts must collaborate to protect these vital systems before more attacks severely impact this vital industry.