Cybersecurity defense in the water industry: 3 steps utilities can take now
April 09, 2025
Water and wastewater utilities need protection. Learn how they can strengthen their cybersecurity defenses with these impactful actions.
Cybersecurity has been in the news in recent years. I'm sure you've heard the stories. Steep ransomware demands. Stolen identities, credentials, and intellectual property. And major disruptions to operations around the world.
Water and wastewater utilities need to know that they are targets. But some utilities mistakenly think these cyber threats won't impact them. It's easy to see why they might think that.
For decades, most information technology (IT) systems used in utilities were limited to monitoring critical systems. This is especially true for the industrial control systems (ICS) and operational technology (OT) environments. Those IT systems weren't controlling critical systems. If a system was hacked or shut down, it only meant someone needed to go into a plant and look at a gauge to confirm proper operations. Annoying, yes. But hardly a major impact to the utility.
But that has changed with the increased use of computer capabilities in both corporate and OT environments. This automation helps reduce costs and improve utility performance, resilience, and compliance. We're seeing artificial intelligence (AI), wireless, virtual tools, and cloud capabilities take hold in water and wastewater utilities' environments. It's great. But it also presents opportunities for ransomware attacks by bad actors.
Throughout my more than 20 years in cybersecurity and information risk, I've worked with clients from industries like technology, higher education, finance, banking, and government. And I've seen a lot of unplanned security events (aka suspected security breaches). Fortunately, there are concrete steps that utilities can take to strengthen their cybersecurity defenses and better protect themselves.
Let's examine a few relevant statistics. Then we will look at our cybersecurity defense solutions.
Responding to ransomware attacks causes disruption, stress, and extra work for an organization. This can lead to bad press, questions from the public, and worried, overworked employees.
Clearly there is work to be done to improve the cybersecurity defenses in water and wastewater utilities. But it's not all doom and gloom. Let's look at some solutions.
There are ways for water and wastewater utilities to improve their cybersecurity defenses. It starts with adopting a proactive, multilayered strategy and approach. Here are three meaningful actions that organizations can take to toughen their cybersecurity defenses.
1. Apply network segmentation and isolation: It's important to segregate OT systems, like those managing ICS or supervisory control and data acquisition (SCADA) equipment, from the broader corporate IT network. This can limit the spread of an infection and contain the damage. A strategy like this means that even if one network segment is compromised, critical treatment and distribution systems remain protected. We often do this in the initial design of the OT network environment. But it can be designed into existing systems, too.
A client of mine in the finance sector recently noticed an uptick in firewall traffic that is often associated with surveillance attempts by bad actors. Concerned that these bad actors might break into their network and get access to valuable information, the client used a new network segmentation scheme that included several fake servers in a honeypot configuration. Honeypots are tools that cybersecurity practitioners can use to entice bad actors to poke around. Then, you can gather information about them without tipping them off and without risking the company's IT assets in doing so.
My client also regularly changed the IP addresses and builds of these servers. This had the effect of requiring the bad actors to invest much more time into figuring out why these servers were changing so often. After a few weeks, the bad actors left their network alone. Presumably, they moved on to easier targets.
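Segmentation only holds if the firewall rules between segments actually enforce it, so a useful recurring check is to audit the rule base against the intended zone policy. The script below is an added example, not code from the original article or from any client mentioned in it. It assumes a three-zone layout (corporate IT, an OT DMZ, and the OT control network holding SCADA/PLC equipment) with one rule: corporate IT never reaches the control network directly, only through the DMZ. The zone ranges, the allowed crossings, and the sample rule set are all constructed for the demonstration.

```python
"""Segmentation policy audit: an added example, not code from the original article.

Models a utility network as three zones (corporate IT, an OT DMZ, and the
OT control network holding SCADA/PLC equipment) and checks a list of
firewall allow-rules against one policy: corporate IT never reaches the
control network directly, only via the DMZ. Zone ranges, the allowed
crossings, and the sample rules are all constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map (assumption: a typical three-tier IT/DMZ/OT layout).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("192.168.100.0/24"),
}

# Zone-to-zone crossings the policy tolerates; anything else is a finding.
ALLOWED_PAIRS = {
    ("corporate_it", "ot_dmz"),
    ("ot_dmz", "corporate_it"),
    ("ot_dmz", "ot_control"),
    ("ot_control", "ot_dmz"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # CIDR
    dst: str   # CIDR
    port: int  # 0 means any port


def zone_of(cidr: str) -> str:
    """Name of the zone that fully contains `cidr`, or 'unknown'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "unknown"


def audit(rules):
    """Return one finding string per rule that violates the segmentation policy."""
    findings = []
    for r in rules:
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if src_zone == dst_zone:
            continue  # traffic inside one segment is out of scope for this check
        if (src_zone, dst_zone) not in ALLOWED_PAIRS:
            findings.append(f"{r.name}: {src_zone} -> {dst_zone} crosses segments the policy forbids")
        elif r.port == 0:
            findings.append(f"{r.name}: {src_zone} -> {dst_zone} permits any port; restrict to the protocol needed")
    return findings


# Constructed sample rule set, as an auditor might export it from a firewall.
SAMPLE_RULES = [
    Rule("hmi-to-plc-modbus", "192.168.100.10/32", "192.168.100.0/24", 502),
    Rule("eng-ws-to-jump-rdp", "10.10.5.0/24", "10.20.0.5/32", 3389),
    Rule("jump-to-plc-any", "10.20.0.5/32", "192.168.100.0/24", 0),
    Rule("corp-to-scada-direct", "10.10.0.0/16", "192.168.100.0/24", 502),
    Rule("anywhere-to-ot", "0.0.0.0/0", "192.168.100.0/24", 0),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```

Running it on the sample set reports three findings: the jump host rule that allows any port, the direct corporate-to-SCADA rule, and the "anywhere" rule whose source falls outside every known zone. The same audit can be rerun whenever the rule base changes, which is how segmentation designed into an existing network stays intact over time.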
2. Establish regular, secure backups and test disaster-recovery plans: Utilities must maintain and test frequent backups and restorations for their OT systems. These should be stored offline or on isolated networks. In the event of a ransomware attack, backups can help get systems and data quickly restored. If these backups are coupled with a well-documented disaster-recovery plan that is regularly tested through drills and simulations, utilities can limit downtime and keep service running. For organizations using virtual environments, this can usually be done quickly and without major loss of data or services.
A forward-thinking and well-prepared client of mine recently migrated their key application servers from on-premises to the cloud. As they were designing their future state network, they gave real thought to how they might take advantage of cloud features to aid in recovering from any kind of problem. And this includes a cybersecurity event. They were able to create a server image that would be replaced every night at midnight on all their critical servers as a standard operating procedure.
Right after putting this in place one of their key servers, the one that handled overnight payment transfers, was suddenly locked. It was the victim of a ransomware attempt. Their tested disaster-recovery plan was straightforward: simply replace the server image and restart the server. Their total outage was less than one hour. Why? Because they had carefully planned, tested, documented, and trained their staff on how to handle this situation.
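A backup that has never been restored is only a hope, so the drill matters as much as the copy. The script below is an added example, not code from the original article or from the client described above. It archives a small directory of constructed OT configuration files with a SHA-256 manifest, rehearses the restore into a scratch location, verifies every restored file against the manifest, and compares the restore time with a recovery-time target. The file contents, the 60-second target, and the "vault" directory standing in for offline media are all constructed assumptions.

```python
"""Backup-and-restore drill: an added example, not code from the original article.

Archives a directory of (constructed) OT configuration files together with a
SHA-256 manifest, then rehearses the restore into a scratch location, checks
every restored file against the manifest, and compares the restore time with
a recovery-time target. The file contents and the 60-second target are
constructed assumptions for the demonstration.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, vault: Path):
    """Write backup.tar.gz plus a manifest of relative path -> sha256 into `vault`."""
    vault.mkdir(parents=True, exist_ok=True)
    files = [p for p in sorted(source.rglob("*")) if p.is_file()]
    manifest = {p.relative_to(source).as_posix(): sha256_of(p) for p in files}
    archive = vault / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in files:
            tar.add(p, arcname=p.relative_to(source).as_posix())
    manifest_path = vault / "backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def restore(archive: Path, target: Path) -> float:
    """Extract the archive into `target`; return elapsed seconds."""
    target.mkdir(parents=True, exist_ok=True)
    # Newer tarfile versions accept filter="data", which rejects path-traversal members.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **extra)
    return time.monotonic() - start


def verify(manifest_path: Path, target: Path):
    """Return the relative paths whose restored content does not match the manifest."""
    manifest = json.loads(manifest_path.read_text())
    return [rel for rel, digest in manifest.items()
            if not (target / rel).is_file() or sha256_of(target / rel) != digest]


def run_drill(rto_seconds: float = 60.0, tamper: bool = False) -> dict:
    """Full rehearsal on constructed data; `tamper` corrupts one restored file to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "scada_config"
        (source / "hmi").mkdir(parents=True)
        (source / "hmi" / "screens.xml").write_text("<screens><screen id='pump1'/></screens>")
        (source / "plc_setpoints.csv").write_text("tag,value\nchlorine_ppm,1.5\n")

        archive, manifest_path = make_backup(source, base / "vault")  # stand-in for offline media
        target = base / "restore_test"
        elapsed = restore(archive, target)
        if tamper:
            (target / "plc_setpoints.csv").write_text("tag,value\nchlorine_ppm,9.9\n")
        mismatched = verify(manifest_path, target)
        return {
            "files": len(json.loads(manifest_path.read_text())),
            "mismatched": mismatched,
            "restore_seconds": round(elapsed, 3),
            "within_rto": elapsed <= rto_seconds,
            "passed": not mismatched and elapsed <= rto_seconds,
        }


if __name__ == "__main__":
    print(run_drill())
    print(run_drill(tamper=True))
```

The manifest is what turns a restore into a test: without it, a backup that was silently encrypted or altered before it was copied offline would restore "successfully" and still be useless. Keeping the manifest with the offline copy, and recording the measured restore time against the target in the disaster-recovery plan, gives the drill a pass/fail result rather than an impression.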
3. Create a plan and provide training: Cyber threats often begin with phishing and social engineering attempts. A workplace with regular, targeted cybersecurity defense training helps employees spot and avoid these threats. Training that includes an ongoing cycle of testing and training is more effective than what we often see: security training that happens once a year.
Have a detailed, rehearsed incident response plan that involves IT, operations, legal, communications, and management teams. This can reduce the impact of an attack on a utility's OT systems. The plan will establish a coordinated and swift response if an incident happens. The time to plan a proper response to a major security event is not during the event itself.
A client in the hospitality industry asked me to run their first-ever social engineering simulation. The client had recently offered security awareness training on phishing. They wanted to see if it had raised their employees' abilities to detect common phishing techniques in email.
So, I put together a (fake) congratulatory email for the more than 300 customer service reps with a note of thanks. My email also included a document purporting to contain a gift card from a major online retailer. I sent it out from an outside email account on a Tuesday morning at 9:00 AM. By 10:30 that morning it had been opened and forwarded to more than 1,000 people. And when many of those employees couldn't use their fake gift card to make any purchases, they marched down to HR to get a copy. In fact, more than 85 people went down to HR to get their fake gift card (after falling for the fake congratulatory email). It's a great reminder to us that cybersecurity defense training has to be constantly reinforced.
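Training is the human layer; the mail gateway is the technical layer that should catch the same message before it reaches 300 inboxes. The script below is an added example, not code from the original article or from any client mentioned in it. It scores a raw email for the signals the simulation above relied on: an outside sender using an internal-department display name, a Reply-To that does not match the sender, reward-style lure wording, and an attachment of a risky type. The organization's domain, the keyword lists, the thresholds, and both sample messages are constructed assumptions.

```python
"""Inbound phishing triage: an added example, not code from the original article.

Scores a raw email for the signals the simulation above relied on: an
external sender posing as an internal department, a mismatched Reply-To,
reward-style lure wording, and a risky attachment type. The organisation
domain, keyword lists, thresholds and both sample messages are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example-utility.org"  # assumption: the defended organisation's mail domain
LURE_WORDS = ("gift card", "congratulations", "reward", "bonus", "urgent")
RISKY_EXT = (".docm", ".xlsm", ".exe", ".js", ".vbs", ".lnk", ".iso", ".html", ".htm", ".zip")
INTERNAL_ROLE = re.compile(r"\b(hr|human resources|payroll|it support|helpdesk)\b")


def triage(raw: str) -> dict:
    """Return the findings, a score, and a delivery decision for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    external = sender_domain != ORG_DOMAIN
    findings = []

    if external and INTERNAL_ROLE.search(display.lower()):
        findings.append("external sender using an internal-department display name")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != sender_domain:
        findings.append("Reply-To domain differs from From domain")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    lures = [w for w in LURE_WORDS if w in text]
    if lures:
        findings.append("lure wording: " + ", ".join(lures))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment type: {name}")

    # One extra point when an outside sender combines a lure with anything else.
    score = len(findings) + (1 if external and lures else 0)
    action = "quarantine" if score >= 3 else ("flag" if score >= 1 else "deliver")
    return {"external": external, "findings": findings, "score": score, "action": action}


# Constructed sample: the shape of the gift-card lure described in the article.
SAMPLE_PHISH = """\
From: "HR Department" <rewards@prize-mail-example.net>
Reply-To: claims@other-example.net
To: staff@example-utility.org
Subject: Congratulations! Your gift card is attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Thank you for your hard work this quarter. Open the attached reward to claim it.

--b1
Content-Type: application/octet-stream; name="GiftCard.docm"
Content-Disposition: attachment; filename="GiftCard.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed sample: ordinary internal operations mail.
SAMPLE_BENIGN = """\
From: "Jane Operator" <jane.operator@example-utility.org>
To: ops@example-utility.org
Subject: Pump 3 maintenance window
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Pump 3 will be offline Thursday 02:00-04:00 for seal replacement.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))
    print(triage(SAMPLE_BENIGN))
```

On the constructed lure the triage returns four findings and a "quarantine" decision; the operations mail scores zero and is delivered. The point of keeping the findings as a list rather than a bare score is that the same output can feed the awareness programme: the specific tells that were present in a message employees fell for are exactly what the next round of training should rehearse.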
Just a start: Yes, there is more we can do. But these three actions are a great place to start. Adopting these measures can strengthen an organization's cybersecurity defenses and prepare a utility to act quickly and effectively during an incident. This improves the organization's overall chances of surviving, and recovering from, a ransomware attack.
Utilities are the most targeted industry for ransomware attacks, with more than 62 percent of computers impacted, according to a State of Ransomware 2024 report.
Ransomware attacks can do real damage. And, as we mentioned earlier, water and wastewater utilities are the top targeted industry. That means we must take tangible steps to proactively protect these critical organizations. Not sure where to begin with your cybersecurity defenses? Don't worry, you're not alone.
Start by engaging a trusted partner to conduct a short tabletop exercise. This exercise can figure out whether your incident response team can navigate through a ransomware event without major obstacles or delays. These insights can be the difference between paying a huge ransom to regain control of your IT and OT systems or just watching your IT team expertly recover from such an attempt with minimal fuss.
If you still have concerns afterward, or if you already know you don't have the competence to do this well, engage a trusted partner to conduct a broader and formal cybersecurity assessment against your IT and OT environments. Have them compare your current security posture to a known relevant standard. See where the gaps are. Prioritize their importance by impact if exploited. And then build a plan to start strengthening your IT and OT environments. This can give you valuable support in gaining the necessary budget to make real improvements for the future and boost your cybersecurity defenses.
It's critical to treat water and wastewater cybersecurity protections as another key component of safety in our utilities. We know the risks are only continuing to increase. The time to act is now.