Protecting Our Most Vital Resource: The Critical Need for Cybersecurity and IT Upgrades in Water Treatment Facilities
Water is life. For local municipalities and authorities tasked with supplying clean, safe water to communities, safeguarding that resource is a solemn responsibility. Yet, as the world grows increasingly digital, water authorities and treatment facilities face a rapidly evolving set of threats—ones that cannot be mitigated with fences or locks alone. Today, the greatest risks to our water supplies may come not from physical intrusion, but from hackers, ransomware, and cyberattacks.
Prioritizing Water Treatment Facility Repairs to IT Infrastructure and the Security and Modernization of Water Systems
As an IT provider working closely with local governments, Jennifer Yeagley of Eagle Secure Solutions has witnessed the growing urgency for robust cybersecurity and modern IT infrastructure within the water sector. This article explores why water authorities need to prioritize cybersecurity and IT upgrades, the real-world consequences of neglecting these areas, and actionable steps for securing these vital systems. We will also examine notable cyber incidents, including those affecting water treatment facilities, to illustrate the stakes of inaction.
The Rising Threat: Why Water Systems Are Under Attack
In the past, water treatment facilities relied on mechanical processes and manual oversight. Today, supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs), and advanced sensors streamline operations, improve efficiency, and reduce costs. However, this increased reliance on digital infrastructure also opens the door to cyber risks.
Critical Infrastructure, Critical Target: Water authorities provide an essential service, making them attractive targets for bad actors seeking to cause widespread disruption, demand ransom, or even engage in acts of terrorism. An attack on a water facility can have immediate and severe public health consequences.
Legacy Systems and Limited Investment: Many water treatment plants operate with outdated IT systems, unpatched software, and unsupported hardware. Budget constraints and the perception that “it won’t happen here” often mean these systems are not prioritized for upgrades or security improvements.
Lack of Cybersecurity Expertise: Smaller municipalities may lack dedicated IT staff or cybersecurity professionals, leaving them especially vulnerable to phishing, malware, and more sophisticated attacks.
“In the hands of the wrong person, access to water infrastructure can spell disaster. Cyber attackers may manipulate chemical dosing, disable pumps, or shut down entire plants. The result: contaminated water, service interruptions, or even threats to life,” says Yeagley.
The Impact of Inadequate Protection
Physical water treatment facility repairs, like plant and equipment upgrades, are just as important as the ones you can’t see. Neglecting cybersecurity for water systems is not just a technical issue—it’s a matter of public safety and trust. The consequences of failing to protect these systems can be far-reaching:
Public Health Risks: Attackers can alter chemical levels, such as increasing chlorine or lye, causing the water supply to become unsafe for consumption or use. Worse, an attacker may adjust these chemical levels while also programming the testing software to relay normal test results.
Financial Loss: Responding to cyber incidents can cost municipalities hundreds of thousands, if not millions, in remediation, legal fees, and lost revenue. According to the UC Berkeley article linked here, “The US Water Alliance estimates that a single day of downtime in US water service could result in $43.5 billion in lost economic activity and a $22.5 billion decline in GDP.”
Reputational Damage: Public confidence in local agencies is shaken when residents fear for the safety of their water or witness prolonged service interruptions.
Regulatory and Legal Consequences: Increasing federal and state regulations require utilities to assess and mitigate cyber risks. Failing to comply can result in fines or additional oversight.
Real-World Examples: Cyber Attacks on Water Treatment Facilities
No region is immune to these threats. Aliquippa Water Authority in Beaver County, Pennsylvania experienced a cyberattack in November of 2023 that could have threatened residents, farms and food supply. The Aliquippa Water Authority fell victim to a cyberattack by a group known as “Cyber Av3ngers.” The group targeted the facility’s industrial control equipment, specifically a programmable logic controller (PLC) made by Unitronics. The attackers left a message on the operator’s screen, displaying anti-Israeli rhetoric, but, fortunately, no changes were made to chemical processes and water delivery was not interrupted. However, this breach highlighted the vulnerabilities of legacy PLCs, as well as the international reach and motivations of cyber threat actors.
While not always widely publicized, several water systems have received warnings or alerts about attempted intrusions, phishing campaigns targeting staff, or vulnerabilities in remote access tools. In 2021, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued joint advisories to water authorities across the country, warning of ongoing targeting by both state-sponsored and criminal actors.
These events serve as urgent reminders: no system is too small, too remote, or too inconspicuous to escape the attention of cybercriminals.
How to Secure and Upgrade Water System IT Infrastructure
Recognizing the threat is the first step. Repairing and upgrading a water authority's IT systems to keep them secure is an ongoing and cyclical process, but it can be approached methodically:
1. Conduct a Comprehensive Risk Assessment
Yeagley recommends that you “Begin by inventorying all digital assets, from SCADA systems to laptops used by field staff. Identify outdated hardware, unsupported software, and remote access points.” Consider scheduling a penetration test or other vulnerability assessment that allows a third party to identify network risks. Assess potential vulnerabilities and prioritize those that pose the greatest risk to operations or public health.
2. Develop and Enforce Cybersecurity Policies
Establish clear policies for password management, software updates, remote access, and data backup. Consider investing in password management software that can keep passwords safe and track passwords found in data breaches. Be proactive about ensuring all policies are being followed rather than waiting for the possibility of attack to find out.
3. Train, Train, and Retrain Employees
Ensure all staff, whether administrative, operational, or technical, receive cybersecurity awareness training. “Once a year is not enough when it comes to cyber safety,” advises Yeagley. Develop a regular, ongoing training program that periodically tests employees' ability to identify and respond to cyber threats.
4. Upgrade Legacy Systems
Replace unsupported hardware and software, especially those that are exposed to the internet. Modern PLCs, firewalls, and intrusion detection systems should be prioritized. Where upgrades are not immediately feasible, implement compensating controls such as network segmentation and strict access controls.
5. Implement Multi-Factor Authentication (MFA)
Require MFA for all remote and administrative access to critical systems. This simple step can block a significant portion of unauthorized access attempts.
6. Network Segmentation and Monitoring
Separate operational technology (OT) networks from business IT networks. Deploy intrusion detection and prevention systems to monitor for unusual activity. Regularly review logs for signs of compromise.
7. Stay Current
Always check for and install appropriate updates and patches for systems and software. Firmware updates and license renewals may be critical for your network equipment to continue providing the security you think you have. In a water treatment facility, staying current with software updates and patches can be a little tricky. The Eagle staff commented, “We have seen many SCADA systems get disrupted by system updates. It is important to work with your software provider to ensure that updates can be installed without disruption.”
8. Establish Incident Response Plans
Prepare for the worst by developing, documenting, and rehearsing incident response plans. Know who to contact—including local law enforcement, state agencies, and cybersecurity experts—if an attack is detected.
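To illustrate the log review in step 6, here is an added example (not part of the original article and not Eagle Secure Solutions' tooling) that scans firewall log lines for traffic crossing from the business IT network or the internet into the OT network. The subnets, jump host, log format, and sample lines are all assumptions constructed for the example.

```python
import ipaddress

# Assumed address plan (hypothetical; substitute your own).
OT_NET = ipaddress.ip_network("10.20.0.0/24")    # PLCs and SCADA servers
IT_NET = ipaddress.ip_network("10.10.0.0/24")    # business workstations
JUMP_HOST = ipaddress.ip_address("10.10.0.50")   # only IT host permitted into OT
JUMP_PORTS = {3389}                              # remote desktop to the HMI only

# Constructed sample lines in an assumed format: time src dst dport action
SAMPLE_LOG = """\
2024-01-08T02:14:07Z 10.10.0.23 10.20.0.5 502 ALLOW
2024-01-08T02:15:10Z 10.10.0.50 10.20.0.10 3389 ALLOW
2024-01-08T02:16:44Z 203.0.113.9 10.20.0.5 502 ALLOW
2024-01-08T02:17:02Z 10.20.0.5 10.20.0.10 502 ALLOW
2024-01-08T02:18:30Z 10.10.0.50 10.20.0.5 502 ALLOW
2024-01-08T02:19:00Z 10.10.0.31 10.20.0.5 502 DENY
malformed line
"""

def review(log_text):
    """Return (line_number, finding) for every line that needs attention."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        try:
            _, src, dst, dport, action = parts
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Unparseable lines are reported, not skipped: gaps hide activity.
            findings.append((n, "unparseable"))
            continue
        if dst not in OT_NET or src in OT_NET:
            continue                      # not traffic entering the OT network
        if src == JUMP_HOST and dport in JUMP_PORTS:
            continue                      # the one sanctioned path into OT
        if action != "ALLOW":
            findings.append((n, "blocked-attempt"))   # segmentation held
        elif src in IT_NET:
            findings.append((n, "it-to-ot"))          # segmentation gap
        else:
            findings.append((n, "external-to-ot"))    # OT reachable from outside
    return findings

if __name__ == "__main__":
    for n, finding in review(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

An allowed flow flagged as "it-to-ot" or "external-to-ot" points to a firewall rule that should be tightened, while a "blocked-attempt" from a workstation is a reason to check that workstation.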
Conclusion: Securing the Future of Our Water Systems
The task of protecting our water treatment facilities is more urgent than ever. Cyberattacks are not hypothetical—they are happening now, and they threaten the health, safety, and economic well-being of every community.
Municipalities must recognize their water systems as critical infrastructure deserving of robust cybersecurity protections and regular IT upgrades. With thoughtful planning, targeted investment, and a culture of vigilance, local authorities can safeguard the public’s trust and ensure that clean, safe water continues to flow—no matter what challenges the digital world may bring.
Upgrading IT infrastructure and embedding cyber resilience is not a luxury. It is, quite simply, a necessity for every water authority and treatment facility committed to serving its community now and in the future.
This article was written in partnership with Eagle Secure Solutions.
Eagle Secure Solutions is an IT service provider specializing in cybersecurity, organizational resiliency and recovery, training, procurement, and ongoing technical support. Every aspect of support we give to an organization is designed to provide a safe, secure, and efficient networking environment that uniquely addresses the IT needs. We often partner with IT departments to complete projects or provide additional support as needed and can act as the IT department for businesses that don’t have one. We have proudly partnered with CourseVector to help supply their clients with secure and branded emails through Microsoft 365 plans. With this collaborative approach, Eagle Secure Solutions ensures each client receives tailored, dependable protection to confidently navigate the evolving digital landscape.
Jennifer Mariani
Jennifer specializes in project management and copywriting for CourseVector in addition to her duties as the Operations Manager. She prides herself in knowing “just enough to be dangerous” when it comes to building websites, and takes her role as content writer and client educator seriously. Outside of CourseVector, Jennifer enjoys art and design, knitting, cooking, and being outside with her boys (human and four-legged). To her, a great cup of coffee and a little kindness go a long way.