Thought Leadership May 29, 2025

Securing the Future of Water: Lessons from Cyber Risk and Resilience Assessments

Insights from Director of Cybersecurity and Operational Technology, Gabriel Agboruche, and Senior Manager, Dan Crane, on closing cybersecurity gaps in U.S. water utilities

In recent years, the U.S. water sector has become a growing target for cyber attackers focused on the nation’s critical infrastructure. From ransomware to malware, water and wastewater utilities are on the front lines of a rapidly evolving threat landscape. These challenges are compounded by widespread reliance on legacy operational technology (OT) systems—many of which were never designed with cybersecurity in mind.

At Jacobs, we’ve supported more than 35 cybersecurity-focused risk and resilience assessments (RRAs) under the America’s Water Infrastructure Act (AWIA) during the current certification cycle—and more are underway. Now that the dust is settling on this latest round of assessments, clear trends are emerging. The cyber threat landscape is shifting, but these insights can help utilities improve defenses and build long-term operational resilience.

The cybersecurity gap in water infrastructure

AWIA’s 2018 mandate requires that covered utilities complete RRAs and develop Emergency Response Plans (ERPs) every five years. These assessments address physical, operational, and cybersecurity risks—but across dozens of engagements, one trend stands out: cybersecurity remains the most underdeveloped area in many utilities’ risk management strategies.

Outdated supervisory control and data acquisition (SCADA) systems, limited visibility and minimal network segmentation give cyber attackers opportunities to disrupt operations. One striking data point: more than one-third of organizations reported six or more cyber intrusions in the past year, with water facilities accounting for a large share.

A smarter, more holistic assessment approach

While many organizations approached the cyber portion of their RRAs with a narrow set of generic controls, Jacobs took a broader and more customized approach. Our methodology builds on trusted frameworks—including the National Institute of Standards and Technology (NIST), International Electrotechnical Commission (IEC) 62443, and Center for Internet Security (CIS) Controls—and expands upon the 100 baseline controls recommended by the American Water Works Association (AWWA).

This results in a maturity-based model that translates global cybersecurity standards into practical, utility-specific insights. It helps utilities understand their current posture and identify concrete actions for improvement.

Recurring challenges we’re seeing

Despite differences in size, region and complexity, many utilities face similar cybersecurity hurdles. Common gaps across our assessments include:

  • Incident response deficiencies: Many lack OT-specific incident response and business continuity plans, increasing the risk of prolonged disruptions during a cyber event.
  • IT/OT silos: Unclear cybersecurity responsibilities between IT and OT teams hinder monitoring, response and risk management.
  • Insecure remote access: Shared credentials, limited logging, and persistent third-party connections remain common vulnerabilities. A 2023 incident involving the Municipal Water Authority of Aliquippa highlighted the dangers of weak access controls.
  • Lack of asset visibility: Without a full inventory of control system assets, utilities struggle to apply security controls, detect anomalies, or manage patches effectively.
  • Minimal network defense: Flat networks, underused firewalls and absent intrusion detection systems expose infrastructure to lateral movement by attackers.
  • Governance gaps: Many utilities operate without OT-specific cybersecurity governance, with outdated or missing policies limiting progress.

The path forward: Building a resilient cybersecurity strategy

Based on our fieldwork, we recommend utilities focus on six key areas to improve their cyber resilience:

  1. Develop OT-specific incident response plans
    Include procedures for isolating compromised systems while maintaining operations. Regularly test these plans through simulations and tabletop exercises.
  2. Strengthen access controls
    Enforce multi-factor authentication (MFA), eliminate shared credentials and design remote access to limit exposure to SCADA systems.
  3. Unify IT and OT cybersecurity efforts
    Form cross-functional teams, clarify roles and provide training to boost cybersecurity literacy across departments.
  4. Enhance network architecture
    Segment networks, deploy intrusion detection systems (IDS) and follow hardening guidelines such as CIS Controls.
  5. Create a living asset inventory
    Maintain a real-time inventory of all OT assets, including firmware versions and known vulnerabilities.
  6. Formalize cyber governance and change management
    Develop OT-specific policies and implement structured change management to reduce configuration errors and security lapses.

Cybersecurity at Jacobs

Jacobs integrates cybersecurity into the core of water infrastructure planning and delivery. Our multidisciplinary teams bring deep knowledge of OT system design, regulatory compliance, and cyber risk management. We understand the distinct challenges utilities face and translate complex standards into practical, achievable solutions.

Whether your organization is preparing for a risk and resilience assessment, responding to a recent cyber incident, or proactively strengthening its security posture, Jacobs provides the support needed to move forward with confidence. Our approach goes beyond meeting regulatory requirements—we focus on building resilient systems that safeguard essential services and the communities that depend on them.

Together, we can design infrastructure that is resiliently engineered and secure by design.

About the authors

Gabriel Agboruche, Executive Director for Cybersecurity and Operational Technology (OT)

Gabriel leads strategic growth initiatives across Jacobs’ OT cybersecurity practice, building a culture of technical excellence and continuous learning. He also leads efforts to unify cybersecurity practices across Jacobs’ global markets.

With more than a decade of experience in OT security, Gabriel specializes in industrial control systems (ICS) and OT cybersecurity. He focuses on solving complex challenges in industrial, energy, manufacturing, and automation sectors—blending engineering expertise with cybersecurity acumen to strengthen digital infrastructure.

Known for his strategic leadership, Gabriel excels at delivering practical solutions in high-stakes environments, making him a key voice in advancing cyber resilience across critical infrastructure sectors.

Dan Crane, Senior Manager, Cybersecurity and OT

Dan Crane leads the cybersecurity consulting portfolio, delivering tailored consulting services and assessments to clients across critical infrastructure sectors. With deep experience spanning industries such as chemical, critical manufacturing, water, energy, food and agriculture and transportation, Dan has conducted assessments in hundreds of facilities. He specializes in developing cybersecurity roadmaps and remediation plans to help organizations strengthen their security posture and resilience.