Your Water Plant Is Already on Someone's Target List
The threats are real, the fixes are simpler than you think, and the wrong help can make things worse.
In late 2023, a hacking group tied to Iran's Islamic Revolutionary Guard Corps (IRGC) attacked water and wastewater plants across the United States. They were not targeting the biggest plants or the most famous cities. They were scanning the Internet for a specific brand of Israeli-made industrial equipment that had been left exposed with no protection — and walking right in.
While that attack was unfolding, our team was already on-site at another local government responding to a ransomware incident. When we heard what was happening, we drove to several neighboring water plants and asked operators a simple question: do you have any Israeli-made control system equipment on your network?
Not one operator could answer. Most had no idea what equipment was on their network at all.
That is not a criticism of those operators. They were doing their jobs well. The problem is that nobody had ever sat down with them and helped them understand what they owned, what it was connected to, and why any of it mattered from a security standpoint.
That gap is the real vulnerability — and it is everywhere.
The Uncomfortable Truth About Water Sector Cybersecurity
The Environmental Protection Agency (EPA) inspected water systems across the country in 2024 and found that nearly 70 percent were in violation of basic cybersecurity standards. Not sophisticated security controls. Basic ones. Things like changing default passwords. Things like not having equipment directly reachable from the public Internet.
Nation-state hackers from Iran, Russia, and China are not looking for plants that are big or important. They are looking for plants that are easy. A small, unmonitored plant is not an unattractive target — it is an ideal one. These adversaries want persistent access inside critical infrastructure so that if geopolitical tensions escalate, they can act. Your plant is a piece of that puzzle whether you realize it or not.
At the same time, ransomware gangs have discovered that water and wastewater utilities face enormous pressure to get back online fast. A community that cannot treat its drinking water or manage wastewater cannot wait. That urgency creates leverage, and attackers know it.
The good news: the vulnerabilities being exploited most often are not exotic. They are basic. And basic vulnerabilities have basic fixes.
The Six Things That Matter Most Right Now
We work with water and wastewater operators regularly, and we have seen what happens when a plant gets hit. The incidents that cause the most damage almost always trace back to the same handful of problems. Fix these first. Everything else can wait.
1. Know what you actually have. You cannot protect what you do not know exists. Walk your plant. Call your vendors. Build a simple list of every piece of equipment connected to any network — your PLCs, your SCADA system, your HMIs, your remote access setup. A spreadsheet is fine. The goal is to be able to answer the question: what do we own, what is it connected to, and who supports it?
2. Get your control systems off the open Internet. This is the single most important technical step you can take. Your SCADA system, your HMIs, and anything that physically controls your plant should never be directly reachable from the public Internet. If a vendor or operator needs remote access, that access should go through a VPN — a locked private tunnel — not a permanently open door. In January 2024, hackers posted videos of themselves adjusting settings inside Texas water plant control systems that were exposed directly to the Internet. A water tank overflowed. This is preventable.
3. Change every default password. Equipment ships from factories with preset passwords. Things like "admin" or "1234." Those passwords are published in manufacturer manuals and collected in hacker databases. The EPA has found this to be one of the most common failure points at water plants. Contact every vendor whose equipment you use and ask whether default passwords were ever changed. Then change them — and make sure former employees' access is removed when they leave.
4. Separate your plant network from your office network. If your admin computers and your chemical dosing controls are on the same network, a phishing email opened by one staff member can become a path to your treatment systems. These networks should be separate. Ask whoever manages your network: are our plant controls and our office computers on the same network? If the answer is yes, that is a conversation to have immediately.
5. Know whether anyone is watching. Most small plants have no monitoring at all. Attackers know this. The Volt Typhoon group linked to China was found to have been sitting inside U.S. critical infrastructure networks for years before anyone noticed — specifically because there was nothing in place to detect them. At a minimum, your control systems should be logging who accesses them and when. Someone should be reviewing those logs.
6. Have a written plan for when something goes wrong. Not if. When. A one-page document that answers these questions is better than nothing: Who do we call first? Can we switch to manual operations if our control systems go down? Where are our backup procedures, and are they on paper as well as digital? Who are our contacts at CISA and EPA? This document should exist, and your operators should know where it is.
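As an added illustration of item 5 (and of the warning signs from items 2 and 3), the following Python script is not from the original article or from SecureCyber; it reviews a constructed HMI access log and flags logins by factory default accounts, connections that did not come from the assumed plant LAN or VPN pool, and activity outside assumed staffed hours. The log format, address ranges, account names and shift hours are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime

# Assumed: factory default account names vendors ship (item 3 above).
DEFAULT_ACCOUNTS = {"admin", "administrator", "operator", "guest", "user"}
# Assumed: the plant control LAN and the VPN address pool remote vendors must use (item 2).
TRUSTED_NETS = [ipaddress.ip_network("10.50.0.0/16"), ipaddress.ip_network("172.16.99.0/24")]
# Assumed: hours when an operator is on shift to explain a login (item 5).
STAFFED_HOURS = range(6, 19)  # 06:00 through 18:59 local time

def parse_line(line):
    """Parse an assumed 'ISO-timestamp user@source-ip action' record."""
    ts, who, action = line.split(" ", 2)
    user, src = who.rsplit("@", 1)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ipaddress.ip_address(src), "action": action}

def review_event(ev):
    """Return the warning labels that apply to one parsed access record."""
    flags = []
    if ev["user"].lower() in DEFAULT_ACCOUNTS:
        flags.append("default-account")        # password may never have been changed
    if not any(ev["src"] in net for net in TRUSTED_NETS):
        flags.append("outside-plant-or-vpn")   # reached the HMI from the open Internet
    if ev["ts"].hour not in STAFFED_HOURS:
        flags.append("after-hours")            # nobody on shift to have done this
    return flags

def review_log(lines):
    """Return (record, flags) for every record that raised at least one flag."""
    findings = []
    for line in lines:
        flags = review_event(parse_line(line))
        if flags:
            findings.append((line, flags))
    return findings

# Constructed sample HMI access log; not taken from any real plant.
SAMPLE_LOG = [
    "2024-01-18T08:12:03 jsmith@10.50.4.21 login ok",
    "2024-01-18T14:30:10 acme-vendor@172.16.99.7 setpoint changed",
    "2024-01-18T23:41:55 admin@203.0.113.45 login ok",
    "2024-01-18T23:42:30 admin@203.0.113.45 setpoint changed",
    "2024-01-19T02:05:00 operator@10.50.4.30 login ok",
]

if __name__ == "__main__":
    for record, flags in review_log(SAMPLE_LOG):
        print(", ".join(flags), "<-", record)
```

A real deployment would read the HMI or remote-access gateway's own export in place of SAMPLE_LOG and hand the findings to whoever is responsible for reviewing them.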
A Warning About IT Companies and MSPs
Many plant operators have turned to their existing IT company or managed service provider (MSP) for cybersecurity help. This makes surface-level sense. You have a relationship, they do tech stuff, you have a problem with tech stuff.
But there is a serious mismatch between what most IT companies are trained to do and what protecting a water plant actually requires.
Information Technology (IT) security and Operational Technology (OT) security are different disciplines. IT security protects your email server and your business data. OT security protects the industrial control systems that physically operate your plant. The stakes are different. The tools are different. The protocols are different. And critically, the consequences of getting it wrong are different.
A competent IT professional who has never worked in a plant environment may not know that running a standard network scan on an OT network can crash control systems. They may not recognize the protocols your PLCs use. They may recommend a security control that looks fine from an IT standpoint but creates a new operational problem.
We have been called in after exactly these situations. A plant thought it was being secured. Instead, an IT firm applied standard IT practices to an OT environment, caused disruptions, and left behind a configuration that created new vulnerabilities while trying to solve the old ones.
This is not a criticism of IT companies. Many of them are excellent. The issue is fit. Hiring a general IT firm to secure your plant's control systems is like hiring an electrician to do your plumbing. Both work on infrastructure. The knowledge required is completely different.
What to Do Next
Start with the six things above. Then get a professional OT assessment from a firm that actually knows this environment.
SecureCyber has a practice dedicated to OT, and specifically to the water and wastewater industry. We have years of experience assessing water plants and advising on risk in this specialized function.
Our Aqua Guardian program is specifically designed for this industry and is a perfect fit for water and wastewater organizations wanting to take the first step.
SecureCyber provides specialized cybersecurity services for critical infrastructure, including water and wastewater utilities, local government, and financial services. Our Security Operations Center operates 24/7 (937-388-4405), and our team has direct experience in OT environments. Questions about your plant's security posture? https://securecyberdefense.com/contact-us/ or email sales@secdef.com