Access to clean, safe water is a foundation of public health, economic stability, and national security. Yet, the very systems that manage this vital resource—our water and wastewater infrastructure—are increasingly vulnerable to cyber threats. Many utilities operate with outdated automation systems, legacy networks, and insufficient security policies, making them easy targets for threat actors.

While technical solutions play a role, true cyber resilience requires more than just deploying tools. It requires a cultural shift.

Cybersecurity as a Safety Imperative

For water utilities, cybersecurity is not just an IT issue—it’s a safety issue. Industrial control systems (ICS) and operational technology (OT) environments must be protected with the same rigor as physical infrastructure. However, many utilities still struggle to take meaningful action. This hesitation often stems from a lack of internal expertise, limited budgets, or the fear that added security will hinder operational efficiency.

A 2022 Gartner report projected global spending on security products and services would rise 11.3% in 2023, reaching $188.3 billion. Yet, spending alone doesn’t equate to security. Without proper integration and cultural alignment, even the best tools can introduce new vulnerabilities.

When Tools Create Risk

Security tools can fail—especially when misconfigured, underutilized, or deployed without buy-in from users. In operational environments, tools can even become attack vectors if not regularly updated and maintained.

We’ve seen this play out with devastating consequences:

  • In 2013, a Georgia water plant cyberattack resulted in over 400 customers losing access to drinking water after chemical levels were maliciously altered.
  • More recent ransomware attacks have crippled water facilities in Maine, California, and Nevada—targeting the SCADA systems that control treatment operations.
  • In Florida, hackers remotely accessed a utility’s control system and attempted to increase the levels of sodium hydroxide in the water supply to dangerous levels.

These incidents highlight a consistent theme: the failure to align cybersecurity with operational culture and processes.

Why Human Factors Matter Most

Verizon’s 2022 Data Breach Investigations Report found that 82% of breaches involved the human element. Even the most robust security tools can’t protect against user workarounds or negligence born of poor training and implementation.

In many water utilities, cybersecurity is recognized as important but treated as a checkbox exercise—bolted on, rather than built in. When controls are viewed as barriers rather than enablers, they’re circumvented, weakening overall security.

Creating a Culture of Cyber Readiness

To build lasting cyber resilience, utilities must embed cybersecurity into their organizational DNA. This starts with leadership and extends to every employee, contractor, and stakeholder.

Four strategic shifts to support cultural transformation:

  1. Integrate Cybersecurity into Business Strategy
    Treat cybersecurity as a core pillar of organizational risk management, not a separate compliance function.
  2. Secure Leadership Buy-In
    Executive and board-level advocacy is essential. Leaders must champion security initiatives and make them a consistent part of decision-making and communication.
  3. Invest in Ongoing Awareness Training
    Training shouldn’t be a one-time event. Build engaging, role-specific training programs that evolve with the threat landscape.
  4. Prioritize Usability in Tool Selection
    Security controls must be effective without hindering operational workflows. Choose tools that empower—not obstruct—your teams.

Empowering People, Not Just Technology

Cybersecurity adoption hinges on user engagement. When end users don’t understand a tool’s value—or when it’s burdensome—they’ll find ways around it. Worse, organizations often lack the staff or expertise to fully configure or maintain their tools, leaving them underutilized or misused.

Instead, align security initiatives with the way people actually work. Involve users early in the selection and implementation process. Demonstrate how security supports—not limits—their success.

Looking Ahead: Resilience Through Partnership

The Biden administration has prioritized securing U.S. water infrastructure against cyber threats, calling for increased information sharing and new technology adoption across utilities.

But technology alone won’t solve the problem. Sustainable security requires a mindset shift—one that sees people as the first line of defense, not the weakest link.

Building a culture of cyber readiness is a long-term investment. It involves leadership, transparency, training, and, above all, trust. With the right culture in place, water utilities can not only withstand today’s threats but emerge stronger, safer, and more resilient.