CISA Outlines Key Principles for Strong Cybersecurity and Risk Management

In recent years, the water and wastewater industry has seen a significant rise in cyberattacks, with the threat of nation-state attacks reaching unprecedented levels. A report from Armis reveals that 87% of IT leaders are worried about the effects of cyberwarfare on their organizations.

The notorious Volt Typhoon, linked to China, has been actively targeting critical infrastructure, such as the Littleton Electric, Light, and Water Departments, for several months. In 2023, Iranian hackers successfully compromised a water treatment plant in Aliquippa, Pennsylvania. Moreover, in 2024, a ransomware attack on American Water, the largest water utility in the United States, led to a real-world service outage.

According to the Cybersecurity and Infrastructure Security Agency (CISA), threat actors often exploit vulnerabilities in unpatched systems and weak authentication controls to gain access to operational technology (OT) systems. Insufficient network segmentation and exposed remote access points allow them to move laterally between systems.

However, the primary cause of these risks is often a lack of visibility regarding the assets and their behaviors. CISA emphasizes the importance of maintaining an asset inventory and an OT taxonomy of critical systems. This approach enables organizations to prioritize their protective measures and lays the groundwork for an effective continuous threat exposure management (CTEM) program.

Too Many Leaks, Not Enough Fingers

In the tale of "Hans Brinker," a young Dutch boy becomes known as “The Hero of Haarlem” by plugging a leak in a floodwall with his finger overnight. Cybersecurity professionals often find themselves in similar situations, working tirelessly to combat threats that never rest. Yet, many organizations face the challenge of having too many leaks and not enough fingers to address them.

Cybersecurity teams deal with hundreds or even thousands of alerts every day, many of which turn out to be false positives. In 2024 alone, 40,000 vulnerabilities were disclosed. However, not all vulnerabilities are equally significant. The challenge lies in separating the valuable signal from the overwhelming noise that diminishes the usefulness of alerts.

This issue is compounded by the presence of unmanaged devices, such as rogue or shadow IoT devices, and mission-critical legacy systems that cannot be upgraded due to compatibility issues with modern solutions.

Just as water treatment plants assess water quality using various metrics, security teams can also derive value from data streams, provided they have the right tools to process them effectively.

Waste Not, Want Not

CISA has recently issued guidance to assist OT owners and operators in identifying and protecting mission-critical assets. An asset inventory serves as a catalog of enterprise systems, encompassing both hardware and software. Meanwhile, an OT taxonomy organizes and categorizes critical assets and their interrelationships, allowing organizations to focus on risk remediation and incident response.

The advantages of having an OT taxonomy include improved organization and management, enhanced communication, better decision-making, cost-saving efficiencies, and valuable data analytics insights.

To develop either an asset inventory or an OT taxonomy, organizations should start by identifying their assets and collecting relevant attributes, such as IP addresses, supported communication protocols, and the criticality of each asset.

An OT taxonomy then classifies these assets into function-based groups, including control systems, monitoring tools, and management functions. Within the water and wastewater sector, high-criticality assets include pumps, aeration systems, emergency shutdown systems, SCADA systems, filtering systems, treatment reactors, chemical dosing systems, and spill containment systems.
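The two steps above (collect attributes per asset, then classify into function-based groups and rank by criticality) can be shown as a small inventory-and-taxonomy builder. The code below is an added example, not part of the CISA guidance or of this article; the keyword-to-group rules, the 1-to-5 criticality scale, and the sample asset records are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address


class Group(Enum):
    """Function-based taxonomy groups named in the guidance summary above."""
    CONTROL = "control systems"
    MONITORING = "monitoring tools"
    MANAGEMENT = "management functions"


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    protocols: frozenset   # supported communication protocols
    criticality: int       # constructed scale: 1 (low) .. 5 (high)
    function: str          # free-text description of what the asset does


# Constructed keyword rules (assumption): function text -> taxonomy group.
GROUP_RULES = {
    Group.CONTROL: ("plc", "dosing", "pump", "shutdown", "aeration", "valve"),
    Group.MONITORING: ("sensor", "analyzer", "historian", "camera"),
    Group.MANAGEMENT: ("scada", "hmi", "engineering", "jump"),
}


def classify(asset):
    """Map an asset to a group by keywords in its function description."""
    text = asset.function.lower()
    for group, keywords in GROUP_RULES.items():
        if any(k in text for k in keywords):
            return group
    return None  # unclassified: needs a human decision, not a silent default


def build_inventory(records):
    """Validate raw attribute records and return Asset objects."""
    assets, seen_ips = [], set()
    for rec in records:
        ip = str(ip_address(rec["ip"]))  # raises ValueError on a malformed address
        if ip in seen_ips:
            raise ValueError(f"duplicate IP in inventory: {ip}")
        seen_ips.add(ip)
        crit = int(rec["criticality"])
        if not 1 <= crit <= 5:
            raise ValueError(f"criticality out of range for {rec['name']}")
        assets.append(Asset(rec["name"], ip, frozenset(rec["protocols"]), crit, rec["function"]))
    return assets


def taxonomy(assets):
    """Group assets by taxonomy group; within a group, highest criticality first."""
    out = {g: [] for g in Group}
    out[None] = []
    for a in assets:
        out[classify(a)].append(a)
    for members in out.values():
        members.sort(key=lambda a: (-a.criticality, a.name))
    return out


def remediation_order(assets):
    """Asset names in the order protective work should be scheduled."""
    return [a.name for a in sorted(assets, key=lambda a: (-a.criticality, a.name))]


# Constructed sample records (not from any real utility).
SAMPLE_RECORDS = [
    {"name": "dosing-plc-1", "ip": "10.20.1.11", "protocols": ["modbus/tcp"], "criticality": 5, "function": "chemical dosing PLC"},
    {"name": "turbidity-sensor-3", "ip": "10.20.2.31", "protocols": ["modbus/tcp"], "criticality": 2, "function": "turbidity sensor"},
    {"name": "scada-srv-1", "ip": "10.20.0.5", "protocols": ["dnp3", "https"], "criticality": 5, "function": "SCADA server"},
    {"name": "esd-controller", "ip": "10.20.1.12", "protocols": ["modbus/tcp"], "criticality": 5, "function": "emergency shutdown controller"},
    {"name": "lobby-printer", "ip": "10.20.9.40", "protocols": ["ipp"], "criticality": 1, "function": "printer"},
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RECORDS)
    for group, members in taxonomy(inv).items():
        print(group.value if group else "unclassified", [a.name for a in members])
    print(remediation_order(inv))
```

Unclassified assets are kept in their own bucket rather than dropped, because an asset nobody could place in the taxonomy is exactly the kind of visibility gap the guidance is about.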

Be Like Water

In the words of Bruce Lee, “Be water, my friend.” This philosophy encourages adaptability. Just as water flows and takes the shape of its container, effective cybersecurity practices must also be flexible.

Adaptability begins with maintaining an asset inventory and an OT taxonomy, which allows resources to be allocated where they are most needed. Comprehensive visibility is crucial for understanding the complexities that lie beneath the surface.

Cybersecurity can also adapt to its surroundings by integrating security measures across IT, OT, cloud, and virtualized environments. By utilizing contextualization, organizations can better prioritize the protection of mission-critical assets. Mapping threats to frameworks, such as MITRE ATT&CK, can provide deeper insights and awareness.

These frameworks help shape an organization’s cybersecurity strategy. In addition to CISA’s recent guidance, the Environmental Protection Agency (EPA) released cybersecurity guidance in October 2025 to address significant gaps in the water sector, emphasizing the need for improved visibility.

While achieving visibility into risks and threats is essential for CTEM, it is only the starting point. Attack path validation simulates how real-world attacks progress, enabling organizations to pinpoint vulnerable and exposed assets. Implementing network segmentation is a wise strategy to prevent lateral movement, similar to how one-way valves ensure that water flows in the correct direction.

Organizations should also adopt continuous monitoring solutions to detect when new devices connect to the network and when new vulnerabilities arise. Behavioral analytics can help identify suspicious activities that may indicate an attack. AI-enabled solutions are particularly effective in detecting behavioral anomalies and can enhance operational efficiency through automation.
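The continuous-monitoring idea in this paragraph, together with the segmentation point above and the unmanaged-device problem raised earlier, can be shown as a check that runs network flow records against the asset inventory. This is an added example, not code from the article or from CISA; the flow-log line format, the inventory, the zone names, the allowed zone pairs, and the log lines themselves are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed flow-log format (assumption): "<ISO time> src=<ip> dst=<ip> proto=<name>"
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\S+)$")

# Constructed inventory: ip -> (name, zone, protocols the asset is expected to use)
KNOWN = {
    "10.20.1.11": ("dosing-plc-1", "control", {"modbus/tcp"}),
    "10.20.1.12": ("esd-controller", "control", {"modbus/tcp"}),
    "10.20.0.5": ("scada-srv-1", "supervisory", {"modbus/tcp", "dnp3", "https"}),
    "10.20.9.40": ("lobby-printer", "corporate", {"ipp"}),
}

# Constructed segmentation policy: (source zone, destination zone) pairs a flow may cross.
ALLOWED_ZONE_PAIRS = {
    ("supervisory", "control"), ("control", "supervisory"),
    ("supervisory", "supervisory"), ("control", "control"),
    ("corporate", "corporate"),
}


def parse_flow(line):
    """Return the flow fields as a dict, or None if the line is not a flow record."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def check_flow(flow, known=KNOWN, allowed=ALLOWED_ZONE_PAIRS):
    """Return a list of (timestamp, kind, detail) alerts for one flow."""
    alerts, ts = [], flow["ts"]
    for ip in (flow["src"], flow["dst"]):
        if ip not in known:
            alerts.append((ts, "unmanaged-device", ip))
    if alerts:
        return alerts  # unknown peer: zone and protocol expectations cannot be applied
    src_name, src_zone, src_protos = known[flow["src"]]
    dst_name, dst_zone, dst_protos = known[flow["dst"]]
    proto = flow["proto"]
    for name, protos in ((src_name, src_protos), (dst_name, dst_protos)):
        if proto not in protos:
            alerts.append((ts, "unexpected-protocol", f"{name} uses {proto}"))
    if (src_zone, dst_zone) not in allowed:
        alerts.append((ts, "cross-zone-flow", f"{src_zone}->{dst_zone}"))
    return alerts


def scan(lines, known=KNOWN, allowed=ALLOWED_ZONE_PAIRS):
    """Run every log line through the checks; return (alerts, unparsed line count)."""
    alerts, unparsed = [], 0
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            unparsed += 1  # counted, not ignored: a sensor emitting garbage is itself a signal
            continue
        alerts.extend(check_flow(flow, known, allowed))
    return alerts, unparsed


# Constructed sample log lines.
SAMPLE_LOG = [
    "2025-10-03T10:15:02Z src=10.20.0.5 dst=10.20.1.11 proto=modbus/tcp",
    "2025-10-03T10:15:09Z src=10.20.1.11 dst=10.20.0.5 proto=modbus/tcp",
    "2025-10-03T10:16:44Z src=10.20.9.77 dst=10.20.1.12 proto=modbus/tcp",
    "2025-10-03T10:17:01Z src=10.20.9.40 dst=10.20.0.5 proto=https",
    "this is not a flow line",
]

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print("by kind:", dict(Counter(kind for _, kind, _ in found)), "unparsed:", bad)
```

The third line surfaces a device the inventory has never seen talking to the emergency shutdown controller, which is the "new device connects" case; the fourth line fires twice, once because a printer is using a protocol it has no business using and once because the flow crosses from the corporate zone into the supervisory zone, which is the segmentation case.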

Ultimately, in cybersecurity as in nature, resilience stems from flexibility. Establishing a CTEM program is the cornerstone of this resilience, requiring a collective approach from local governments to the national level across the public sector.
