Menu
Close

The critical imperative of foundational cyber hygiene in water utilities

Icon for Andrew Fedson, Manager (<a href=Email)">
Author:

Andrew Fedson, Manager (Email)

The water sector, a linchpin of public health and economic stability, faces escalating cyber threats. A disproportionately high number of successful cyberattacks on water utilities stem not from sophisticated zero-day exploits, but from the exploitation of basic, preventable vulnerabilities such as default credentials, unpatched software, and weak access controls.

At a Glance

Most successful cyberattacks against utilities exploit basic, preventable weaknesses—such as default passwords and unpatched software—rather than sophisticated, zero-day vulnerabilities

To address this threat, utilities must make stringent cyber hygiene their foundational defense, recognizing it as the most cost-effective way to protect public health and economic stability

A robust cyber hygiene framework focuses on institutionalizing four core practices: regular IT/OT security assessments, mandated Multi-Factor Authentication (MFA), disciplined and prioritized patching, and recurrent, comprehensive employee training

This is why water utilities need a renewed and stringent emphasis on cyber hygiene as the foundational and most cost-effective defense, with a framework for robust cyber hygiene practices focusing on regular assessments, stringent password management, disciplined patching, and comprehensive employee training.  

The vulnerability of critical infrastructure

Water utilities, which encompass both information technology (IT) systems (such as billing and human resources) and operational technology (OT) systems (including SCADA, remote telemetry units (RTUs), and programmable logic controllers (PLCs)), present a uniquely tempting target for malicious actors. Attacks can range from data theft and financial disruption to, more critically, the manipulation of chemical levels, flow rates, and pressure systems, posing a direct threat to public safety.  

While advanced persistent threats (APTs) receive substantial media coverage, evidence suggests that most successful intrusions leverage basic security failures. For example, the use of factory-set default passwords, the continued operation of software with known, unpatched vulnerabilities, and the absence of the principle of least privilege access controls frequently serve as the initial vector for compromise. This issue is often exacerbated in smaller and mid-sized utilities, which typically operate with constrained budgets and limited specialized cybersecurity expertise, resulting in a perpetual gap in their fundamental security posture.  

Exploitation of foundational weaknesses

A significant number of cyber incidents in the water sector can be categorized as a failure of basic security protocols. The challenge is multifaceted:  

Resource asymmetry

Smaller utilities often lack the financial and personnel resources to establish a dedicated security operations center (SOC) or hire full-time cybersecurity professionals. Security responsibilities are frequently assigned as a secondary duty to IT or OT staff whose primary expertise lies elsewhere. This leads to:  

  • Delayed or skipped patching cycles due to concerns about system downtime or compatibility issues.  
  • Reliance on outdated, unsupported hardware and software that cannot be securely configured or updated.  
  • Insufficient budget for implementing commercial-grade security solutions like centralized log management or advanced intrusion detection systems.  

The blurring of IT and OT  

The increasing connectivity between IT and OT networks, driven by a need for efficiency and remote monitoring, introduces new pathways for attack. A successful breach of the enterprise network (IT) can now more easily pivot into the industrial control system (OT), often exploiting unsegmented or flat network architectures. Basic vulnerabilities in the IT environment thus become critical threats to operational continuity.  

Renewed emphasis on cyber hygiene

In response to the pervasive success of attacks exploiting basic flaws, there is a global trend among regulatory bodies and security frameworks to prioritize fundamental cyber hygiene as the essential baseline defense. This approach emphasizes consistency, repeatability, and adherence to established best practices.  

Regular cybersecurity assessments

A robust cyber hygiene program begins with the principle of “knowing your environment.” Regular, structured assessments are essential for both IT and OT environments.  

  • Scope: Assessments must inventory all digital assets, including industrial control systems (ICS) components.  
  • Actionable reporting: They must move beyond simple findings to provide a prioritized roadmap for remediation, focusing on critical vulnerabilities that are both highly exploitable and highly impactful.  
  • Frequency: Annual comprehensive assessments, supplemented by more frequent, automated vulnerability scanning, should be the standard practice.  

Stringent password management and Multi-Factor Authentication (MFA)

The use of default, easily guessed, or reused passwords is one of the most common initial access vectors. Strict controls must be universally enforced:  

  • Password complexity: Enforcing complex, unique passwords for all accounts.  
  • Credential rotation: Mandating regular password changes, especially for privileged accounts.  
  • Multi-Factor Authentication (MFA): Implementing MFA for all remote access to the network (IT and OT), as well as for privileged access, presents a high-impact, low-cost defense against compromised credentials. MFA renders stolen passwords useless without possession of the second authentication factor. 

Disciplined patching and updates

Unpatched vulnerabilities represent exploitable weaknesses for which a solution is already known. A proactive patching strategy is non-negotiable for cyber resilience:  

  • Risk-based prioritization: Not all patches are equal. Utilities must prioritize the application of critical patches that address widely exploited vulnerabilities or those affecting internet-facing devices.  
  • OT considerations: Patching in OT environments requires a rigorous process that involves sandbox testing and coordinated maintenance windows to ensure compatibility and prevent operational disruptions. Automated patch management tools can significantly improve efficiency and consistency.  
  • Inventory management: Maintaining a definitive and current software and hardware inventory is necessary to track version numbers and identify systems that are nearing End-of-Life (EoL) and pose an unpatchable risk.  

 Comprehensive employee training and awareness

Technical controls alone are insufficient. The human element is the primary target of phishing, social engineering, and business email compromise attacks.  

  • Mandatory training: Implementing mandatory, recurrent (e.g., quarterly) cybersecurity awareness training for all employees, from administrative staff to plant operators.  
  • Simulated attacks: Utilizing phishing simulations to test employee readiness and provide targeted training corrections.  
  • OT-specific training: Educating OT personnel on the physical and digital security of control systems, including the risks associated with unauthorized USB drives and remote vendor access protocols.  

Recommendations for water utility leadership

The path to a more secure water utility sector is paved not with costly, esoteric technology, but with the consistent, disciplined application of fundamental cyber hygiene. The exploitation of basic vulnerabilities poses a systemic risk to public health infrastructure. By institutionalizing the practices of regular assessments, stringent credential management (including ubiquitous MFA), disciplined patching, and comprehensive employee training, water utilities can significantly raise the barrier to entry for malicious actors.  

If you’d like to learn more about how to have better cyber hygiene for your utility, reach out to Andrew Fedson at afedson@raftelis.com.  

Dive Deeper
Insight

How are public utilities actually using AI? We asked leaders from 18 utilities

One hundred percent of utility leaders are using AI. The question is no longer “if” but “how” and “where.” In September and October 2025, we sat down with leaders from 18 utilities, from Tucson to Charlotte, and Denver to Cincinnati, to understand how artificial intelligence is reshaping one of America’s most critical infrastructure sectors.

Insight

From reactive to proactive: technology in the public sector with Stacey Aukamp

Raftelis Vice President Stacey Aukamp breaks down how automation and integration are helping local governments and utilities modernize their operations by eliminating duplicate processes, reducing errors, and freeing up staff to focus on more strategic work. Hear how Kingsport, TN is shifting from outdated systems to intuitive self-service portals, streamlined billing, and integrated data access, making the experience better for staff and residents.
Insight

A guide to best cybersecurity practices for local governments and utilities

In an increasingly digital world, the importance of cybersecurity cannot be overstated. Cyber threats are becoming more sophisticated, and the consequences of a breach can be devastating. We’ve put together a comprehensive guide to the best practices of cybersecurity, helping organizations to protect their digital assets and maintain the trust of their stakeholders.

View All Insights

Get the Latest Insights Delivered