Cybersecurity Students: The Water Sector Needs You
InfraGard Webinar Recap
The FBI and InfraGard explained the current threat landscape and the cyber skills needed in US water infrastructure in a recent webinar. This article captures key takeaways. Teachers and students of Industrial Control Systems (ICS) will especially appreciate the insights and useful resource links.
Why Cybersecurity Students Should Care About Water Security
Cyberattacks on U.S. public water systems are on the rise—fueled by global conflicts, internet-connected infrastructure, and growing vulnerabilities. As these threats escalate, so does the need for skilled defenders who understand both IT and OT systems.
A June 23 InfraGard webinar, “Security on Tap: Protecting America's Water Sector,” explored today’s threat landscape and the vital role cybersecurity professionals will play in safeguarding public utilities.
Key takeaways:
- Lessons from recent attacks
- Top threats facing water systems
- Actionable guidance for securing infrastructure
- What cybersecurity skills are needed in the next wave of workers in public infrastructure
This article breaks down what you need to know—and why it matters for the next generation of cyber defenders.
Water Systems: A Critical and Vulnerable Infrastructure
InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure. Instructors of cybersecurity are encouraged to join.
The president of InfraGard, Tom Markert, stated:
Eighty percent of Americans rely on approximately 152,000 public water systems and 15,000 treatment plants, making the sector uniquely critical and, thus, a prime target. Last year, 2024, saw an all-time high in ransomware attacks. Estimated losses were 16.6 billion dollars in the U.S. critical infrastructure sector.
Utilities have traditionally maintained separate networks with an "air gap" between IT and OT. In recent years, however, connectivity between these networks and to the internet has increased, because remote access is convenient and efficient. This widens the attack surface unless strict controls and modern tools are used.
Overall Threat Landscape
FBI Intelligence Analyst Rebecca Merciez listed:
- Nation-state adversaries and profit-driven cybercriminals remain top concerns.
- Nation-state actors are advancing skill sets faster than defenders.
- Living off the Land (LotL) techniques are increasing. Attackers use legitimate tools already present on the network to establish a persistent, hard-to-detect presence and wait for an opportune moment to act.
- Increase in low-skill attackers using publicly available search tools such as Shodan to find exposed, vulnerable ICS networks.
- Propaganda videos are on the rise. Attackers release videos showing Human Machine Interfaces (HMIs) being compromised and manipulated. The goal is to cause fear, promote their capabilities, and increase their “street cred” among crooks. Many videos are only simulated attacks.
Attacker Objectives
- Loss of visibility into or control over critical systems and measurements.
- Manipulation of views, controls, and sensors.
- Physical changes that can cause unsafe conditions and human harm.
The FBI warns that, as political tensions escalate, revenge attacks are likely. Critical infrastructure should be on high alert and implement strict controls. Air gaps and other physical controls are highly recommended.
Merciez referenced an example of the 2023 IRGC-affiliated attack campaign where the cyber-criminal group “CyberAv3ngers” targeted Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). The group left a defacement message to gain attention for the Israel-Gaza war. The message was seen by multiple U.S. victims at critical infrastructure sites, but no physical damage was done.
InfraGard provided an information sheet (PDF) that lists multiple attacks on US infrastructure last year and overviews best practices for defense.
Recommendations
Instructors and students of cybersecurity will benefit from studying these FBI recommendations:
- Know your equipment! Replace and upgrade. Maintain inventory. Patch software/firmware.
- Install independent cyber-physical safety systems.
- Disconnect from the internet all HMIs used to monitor PLCs or make changes to them.
- Be password smart! Strong passwords, no defaults, never shared, and changed regularly.
- Enforce multi-factor authentication and user access controls.
- Conduct regular assessments and cyber training.
The Panel: Frontline Voices on Emerging Threats
1. Small Utilities at Big Risk
Kevin Morley from the American Water Works Association (AWWA) and Chase Snow from WaterISAC emphasized that small and rural utilities often lack the resources to implement basic cybersecurity controls like multi-factor authentication or regular patching.
Some small utilities mistakenly reason that their small size makes them less visible to attackers. Unfortunately, they are often the most vulnerable due to outdated equipment and weak security practices that linger because budgets are slim.
“We must help them prepare with table-top exercises, security frameworks, and clear procedures,” said Morley.
Both Morley and Snow called for stronger support systems and incentives to help underfunded agencies improve cyber resilience.
2. Insider Threats
Operators such as Don Schumacher (Lead Superintendent of Operations at Connecticut Water) and Hassan Hadjimiry (Utilities Director for City of Delray Beach, FL) raised concerns about insider threats and emphasized the need for:
- Strict access controls, zero trust architecture, and security training
- Physical safeguards that require a person on-site to make changes that could affect human safety
- Deep background checks for personnel and vendors
- Quick termination of access rights when employees leave or switch roles
- Automated time-outs for remote access sessions
- Strict password policies, with enforcement and MFA
- Air-gapped SCADA systems
- Secure radio communications
- Change logs showing who changed what and when
“Anyone with access—repair staff or contractors—can alter alarms or chemical dosages,” warned Hadjimiry, “so vet them carefully.”
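The change-log, access-termination, on-site and session time-out controls the operators list above can be checked against a PLC change log. The script below is an added example, not code from the webinar, the FBI or any utility; the log format, tag names, roster and time-out value are all this example's own constructed assumptions.

```python
"""Added example: review constructed PLC change-log lines against the
insider-threat controls above (revoked access, on-site requirement for
safety-affecting changes, remote-session idle time-out). All data is made up."""
from datetime import datetime, timedelta

# Accounts that currently hold access; contractor42 was off-boarded last week.
ROSTER = {"dschumacher": {"active": True}, "contractor42": {"active": False}}
# Tags whose change can affect human safety; these require an on-site session.
SAFETY_TAGS = {"chlorine_dose_setpoint", "caustic_pump_rate"}
MAX_IDLE = timedelta(minutes=15)  # remote sessions must time out after this

# Constructed change-log lines: who changed what, from where, and when.
CHANGE_LOG = """\
2025-06-23T08:00:05 user=dschumacher session=S1 origin=onsite tag=filter_backwash_interval old=6h new=8h
2025-06-23T09:10:40 user=contractor42 session=S2 origin=remote tag=alarm_high_turbidity old=enabled new=disabled
2025-06-23T09:12:02 user=contractor42 session=S2 origin=remote tag=chlorine_dose_setpoint old=1.2 new=4.8
2025-06-23T10:30:00 user=dschumacher session=S3 origin=remote tag=pump2_mode old=auto new=manual
2025-06-23T11:15:00 user=dschumacher session=S3 origin=remote tag=pump2_mode old=manual new=auto
"""

def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review_changes(log_text):
    """Return (timestamp, user, tag, finding) tuples, one per policy violation."""
    findings, last_seen = [], {}  # last_seen: session id -> time of previous event
    for line in log_text.splitlines():
        r = parse_line(line)
        who = ROSTER.get(r["user"])
        if who is None or not who["active"]:
            findings.append((r["ts"], r["user"], r["tag"], "change by account whose access should be revoked"))
        if r["tag"] in SAFETY_TAGS and r["origin"] != "onsite":
            findings.append((r["ts"], r["user"], r["tag"], "safety-affecting change made without a person on-site"))
        if r["origin"] == "remote":
            prev = last_seen.get(r["session"])
            if prev is not None and r["ts"] - prev > MAX_IDLE:
                findings.append((r["ts"], r["user"], r["tag"], "remote session outlived the idle time-out"))
            last_seen[r["session"]] = r["ts"]
    return findings

if __name__ == "__main__":
    for ts, user, tag, why in review_changes(CHANGE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<14} {tag:<24} {why}")
```

On the constructed log this flags two changes by the off-boarded contractor, one remote change to a chemical dosage setpoint, and one remote session that stayed open past the idle limit.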
3. Physical Security
Fail-safes must be implemented on the physical controls. A 2017 example was cited in which Russia-based attackers placed malware in an energy facility's control systems. The malware's full effect was blocked because automated fail-safe controls shut equipment down to prevent damage.
Water utilities must have a well-rehearsed disaster preparedness plan that includes a fuel supply to keep generators running. Storing large amounts of fuel on-site is prohibited by law and makes the utility more vulnerable to attack, so a trucking solution must be planned before a disaster occurs. The plan should name the vendors that will bring fuel to the site and arrange a law enforcement escort.
4. Communication, Assessments, and Collaboration
Secure communication systems should be in place, with backup communication methods in case of grid failure — particularly in hurricane-prone or drought-sensitive regions. Dark fiber is an expensive option. A more accessible one is the SHAred RESources (SHARES) High Frequency (HF) Radio Program - a tool to become familiar with before a disaster.
Get to know your local FBI and CISA security advisors. Get assessments done. Invite the EPA for tabletop exercises and penetration testing. This is low-hanging fruit that fortifies utilities against the majority of attacks.
“It is shocking what operators are doing on our networks, for example, charging phones on network-connected computers, checking personal email, and playing internet games. It happens every day.” - a criminal law enforcement agent at the Environmental Protection Agency (EPA).
Training and testing employees can help prevent the unintentional spread of malware and spyware, for example Pegasus, which can infect a device without any click from the victim.
New Threat Vectors: Autonomous Drones from Air or Water
Dr. Stockton highlighted the rising concern over unmanned aerial systems (UAS) and autonomous underwater drones. Panelists admitted that most utilities lack the authority or tools to defend against them, urging closer coordination with local law enforcement and advocacy for new FAA policies.
They recommended building local working groups. Talk with law enforcement to help coordinate a neighborhood watch effort among utilities and critical infrastructure in your area. Collaboratively develop a response plan.
Cybersecurity students: bring new skills into the utilities sector by learning about drones - not only how they're used by attackers, but also how they’re used for defensive surveillance and monitoring.
Toward a More Secure Future: Standards and Planning
Despite growing awareness, voluntary standards remain underutilized, noted Morley. The panel called for a national push toward mandatory cybersecurity compliance, backed by updated NIST frameworks, regulatory alignment, and financial support for small utilities.
Several speakers emphasized the need for incident response planning—not just technical fixes, but clear communication protocols to counter disinformation and public panic during major events. Winter Storm Uri and the Elk River chemical spill were discussed as examples of what could occur during a coordinated cyber-attack.
Call to Action
CISA offers free vulnerability scanning services, and the EPA provides confidential assessments via third-party contractors. Yet, too many small utilities have not engaged these resources.
Teachers and students in cybersecurity – prepare the workforce pipeline with individuals who understand how to secure both OT and IT. More workers are needed with a security-first mindset. Cybersecurity is not only the job of specialists – it's everyone’s responsibility.
Closing Remarks
InfraGard’s members include people from the private and public sector – all with an interest in protecting public safety. Cybersecurity teachers are encouraged to become members. Participate and share what you learn with students and the community.
To learn more or join InfraGard, visit: https://www.infragard.org
Students and teachers may enjoy studying the Water Management Security Risk Guidance from the American Water Works Association: https://www.awwa.org/resource/cybersecurity-guidance/
