Cybersecurity and Water System Risk: What City Leaders Should Know
By Bill Kloster
Turning on the tap feels simple; however, today’s water systems are anything but. Once mostly mechanical, they now rely on connected software, sensors, and control networks. That shift improves efficiency and visibility, but it also opens the door to cyber risk.
Cybersecurity is no longer just a background IT concern. It directly impacts reliability, public health, and community trust. For utility leaders, recognizing and addressing these vulnerabilities is essential to keeping water systems safe, resilient, and dependable.
Cybersecurity in water systems: What it actually means
Modern water infrastructure relies on computer-based technology, often called Supervisory Control and Data Acquisition (SCADA) and Operational Technology (OT) systems. These platforms direct how water is treated, monitored, and distributed.
In simple terms, they support day-today operations by managing treatment processes, chemical balancing, pump controls, and distribution. Without this coordination, infrastructure could not function as intended.
Cybersecurity goes beyond traditional IT environments like office networks or email. It also includes protecting the operational technology that controls physical water processes.
As connectivity increases, understanding where risks exist is important for protecting operations and public safety.
Why cybersecurity has become a water sector issue
Water systems are not targeted because they are easy to access, but because they are essential. Disruptions create immediate, visible impacts, making these systems attractive targets for cyber threats.
As digital connectivity expands across treatment, distribution, and monitoring systems, operations become more efficient and visible, but also more exposed. Cyber activity is increasingly targeting metropolitan areas of all sizes, where large-scale systems and data are valuable targets.
In October 2024, American Water, which serves more than 14 million people across 14 states and 18 military installations, experienced a cyberattack that forced billing pauses, disrupted customer service, and required system isolation. The incident showed how quickly digital disruption can affect essential services.
With artificial intelligence (AI) and other emerging technologies, the environment is becoming more complex. While these tools improve monitoring and response, they also introduce new layers of exposure that must be managed. Together, connectivity, evolving technology, and critical service demands are pushing cybersecurity from a background concern to a core operational priority.
Key warning signs and exposure points
Many utilities operate with legacy infrastructure that was not designed for modern cybersecurity risks, creating gaps that can be difficult to secure. In some cases, cyber threats operate quietly, with little or no warning. That is why it is critical to manage vulnerabilities, categorize risk levels, and maintain a clear remediation plan.
Early-stage activity rarely begins with system failure, which is why recognizing warning signs early can make a significant difference.
Early warning signs include:
- Unusual login activity from unfamiliar users or devices.
- Unexpected changes in operational settings, such as chemical dosing or pressure levels.
- Equipment or process disruptions, including pump or valve irregularities.
- Increased phishing attempts or suspicious communications.
These signals may seem minor, but they can indicate intrusion and help prevent wider disruption if recognized in time.
What utility leaders should be doing now
Cyberattacks against community water systems are increasing nationwide. In May 2024, the Environmental Protection Agency (EPA) reported that more than 70% of inspected systems were not meeting cybersecurity requirements under Section 1433 of the Safe Drinking Water Act.
These findings highlight a gap between regulatory expectations and real-world implementation. A good first step is bringing together public works, administration, IT, emergency management, and key vendors to understand how systems are connected, who has access, and what response plans are in place.
Maintaining strong cybersecurity hygiene supports efforts to prevent, detect, respond to, and recover from cyber incidents. While risk cannot be eliminated, utilities can take practical steps to strengthen resilience.
Key actions include:
- Maintaining strong cybersecurity hygiene, including secure passwords and access controls.
- Conducting OT and SCADA-focused assessments.
- Training staff to recognize threats and follow secure practices.
- Using frameworks such as guidance from the National Institute of Standards and Technology, the Cybersecurity and Infrastructure Security Agency, the EPA, and other water-sector best practices.
These steps reduce exposure, improve readiness, and strengthen long-term resilience for essential water services.
The takeaway: Building cyber resilience in water systems
Reliable water service depends on more than infrastructure alone. It depends on how well evolving risks are understood and managed before they disrupt operations.
Cyber threats continue to evolve, but utilities do not have to navigate them alone. Collaboration across departments, peers, government, and industry partners can help utilities identify gaps early and strengthen resilience over time.
Bill Kloster, PMP, serves as chief information officer and principal at SEH (sehinc.com). SEH is a member of the League’s Business Leadership Council (lmc.org/sponsors).

