Water utilities across the United States and Europe are increasingly vulnerable to cyberattacks due to inadequate security measures. Threat actors, including nation-state groups, are exploiting internet-exposed programmable logic controllers (PLCs) and weak authentication practices to infiltrate critical water and wastewater infrastructure.
Between 2024 and 2026, cyber intrusions targeting water systems have escalated from isolated incidents to strategic operations. Countries such as Iran, Russia, and China have been implicated in these activities, utilizing access to water infrastructure as a means to exert geopolitical pressure and prepare for potential future conflicts.
Analysts have observed a consistent pattern: adversaries target civilian utilities to create fear, test emergency response capabilities, and position themselves for future disruptions. These intrusions rarely require custom malware. They exploit basic lapses: vendor default passwords left on controllers, a single operator account shared by all staff, flat networks with no segmentation between IT and operational technology (OT), and human-machine interfaces (HMIs) or remote-access tools reachable directly from the internet. An exposed engineering port plus a guessable password is enough to gain control.
Recent Incidents Highlighting Vulnerabilities
In late November 2023, the Iranian-affiliated group CyberAv3ngers compromised Unitronics Vision Series PLCs commonly used in U.S. water and wastewater systems. The devices were exposed to the internet on the Unitronics PCOM port (TCP 20256) and still used the factory default password "1111"; no exploit was needed beyond logging in. By April 2026, U.S. federal agencies confirmed that Iranian-linked actors continued to exploit internet-exposed PLCs across water, energy, and government facilities, using lightweight tools such as Dropbear SSH to maintain remote access.
Russian-linked groups have also been active. In January 2024, attackers accessed a remote industrial interface at a facility in Muleshoe, Texas, causing a municipal water tank to overflow for approximately 30 to 45 minutes. The Cyber Army of Russia Reborn claimed responsibility, with ties to the Russian military-associated cyber unit Sandworm. In April 2025, attackers seized control of a dam in Bremanger, Norway, opening a floodgate and releasing water for about four hours.
Mitigation Strategies and Recommendations
To address these threats, U.S. federal agencies, including CISA, FBI, NSA, and EPA, have issued warnings about the vulnerabilities in the water sector. With approximately 170,000 systems nationwide, many operating with limited budgets and outdated technology, the sector faces significant challenges in implementing robust security measures.
Recommended actions for water utilities include:
- Changing default passwords and implementing strong, unique credentials for all systems.
- Ensuring proper network segmentation between IT and OT environments, so that a compromised business workstation or an internet host cannot reach controller, HMI, or engineering ports; where remote access is required, route it through a single monitored jump host rather than exposing devices directly.
- Regularly updating and patching systems to address known vulnerabilities.
- Conducting comprehensive security assessments to identify and mitigate potential risks.
- Providing ongoing cybersecurity training for staff to recognize and respond to threats effectively.
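The following is an added example, not code from the article or from any of the agencies it cites. It checks a small constructed OT asset inventory against the lapses and recommendations above: default vendor passwords, shared operator logins, and controller ports reachable from the internet or from the IT network. Reachability is decided by a first-match evaluation of a firewall rule list, and a flat ruleset is compared with a segmented one. The Unitronics default password "1111" and PCOM port 20256 come from the published advisory; every device name, address, account, and rule here is made up for the demonstration.

```python
"""Audit a constructed OT inventory for the lapses named in the article.

Added example; not the article's or any agency's code. Device names,
IPs, accounts and firewall rules are hypothetical. "1111"/TCP 20256 are
the documented Unitronics Vision defaults; other entries are generic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Vendor defaults that must not survive commissioning.
KNOWN_DEFAULT_PASSWORDS = {"1111", "admin", "password", "1234"}

# Ports that mean "engineering or remote access to a controller".
OT_SERVICE_NAMES = {
    20256: "PCOM (Unitronics)",
    502: "Modbus/TCP",
    5900: "VNC",
    3389: "RDP",
    22: "SSH",
}


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination TCP port; None matches any port


def evaluate(rules, src_ip, dst_ip, port):
    """First-match firewall evaluation with an implicit final deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


def audit(assets, rules, internet_src="203.0.113.10", it_src="10.10.5.23"):
    """Return (asset name, finding) pairs. internet_src is a hypothetical
    external host, it_src a hypothetical business-network workstation."""
    findings = []
    for a in assets:
        if a["password"] in KNOWN_DEFAULT_PASSWORDS:
            findings.append((a["name"], "default vendor password"))
        if a["shared_login"]:
            findings.append((a["name"], "shared operator account"))
        for port in a["services"]:
            svc = OT_SERVICE_NAMES.get(port, f"tcp/{port}")
            if evaluate(rules, internet_src, a["ip"], port) == "allow":
                findings.append((a["name"], f"{svc} reachable from the internet"))
            elif evaluate(rules, it_src, a["ip"], port) == "allow":
                findings.append((a["name"], f"{svc} reachable from the IT network"))
    return findings


# Constructed inventory: one PLC still on factory settings, one commissioned properly.
ASSETS = [
    {"name": "tank-plc-1", "ip": "192.168.50.10", "password": "1111",
     "shared_login": True, "services": [20256, 5900]},
    {"name": "pump-plc-2", "ip": "192.168.50.11", "password": "u7!Qm#4zR9vLp2",
     "shared_login": False, "services": [20256]},
]

# Weak: flat network, controllers reachable from anywhere so the integrator can dial in.
FLAT_RULES = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None)]

# Hardened: only the OT jump host may reach PCOM on the controller subnet; all else denied.
SEGMENTED_RULES = [
    Rule("allow", "10.20.0.5/32", "192.168.50.0/24", 20256),
    Rule("deny", "0.0.0.0/0", "192.168.50.0/24", None),
]

if __name__ == "__main__":
    for label, rules in (("flat network", FLAT_RULES), ("segmented network", SEGMENTED_RULES)):
        print(f"== {label} ==")
        for name, finding in audit(ASSETS, rules):
            print(f"  {name}: {finding}")
```

Run as a script it lists five findings for the flat ruleset and two for the segmented one; the two that remain (default password and shared login on tank-plc-1) are exactly the ones a firewall cannot fix, which is why the credential items in the list above come first.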
As cyber threats targeting critical infrastructure continue to evolve, water utilities must treat cybersecurity as a core operational requirement rather than an afterthought. The incidents above were enabled by the most basic lapses, so the first steps are also the cheapest: remove default credentials, take controllers off the public internet, and separate the control network from the business network. Beyond the technical measures, utilities should build security awareness among operators and work with federal agencies and industry partners, who can supply assessments, advisories, and incident support that small systems cannot afford on their own.