With cyber attackers growing ever more sophisticated, the need for cybersecurity — along with the right technology and best practices — grows, too. With the acceleration of AI and investment in digitalization, water operations are becoming more connected and exposed. As utilities make progress, so do cyber adversaries, creating a need for ever-improving security.
The Black & Veatch 2025 Water Report — based on a survey of 680 U.S. water sector stakeholders — identifies and discusses the key cybersecurity trends, top priorities and emerging challenges facing the water industry.
When respondents were asked how their utilities prioritize their investment in operational technology (OT) cybersecurity, the number one response was safety and public welfare. The water industry is acutely aware of the real-world (also called cyber-physical) effects of a cyberattack on public, physical and environmental safety. Recent attacks on water systems underscore the importance of safety.
While safety and public welfare were the most highly prioritized, the other responses — things like access control, compliance, data protection and protection against attacks — all directly or indirectly support the goals of safety/public welfare and operational continuity (Figure 27).
Cybersecurity often breaks down into visibility and control — when you can see what is happening in your environment, you can do something about it. Assessments are often the first step in obtaining that visibility and control.
An initial cybersecurity assessment serves as an entry point, helping organizations understand their vulnerabilities and establish a baseline for improvements. There are an ample number of frameworks available to support OT cybersecurity assessments. For example, the U.S. Environmental Protection Agency’s (EPA) water cybersecurity assessment tool, the American Water Works Association’s (AWWA) cybersecurity risk management tool, NIST SP800-53/82, ISA/IEC 62443 and more.
The challenge with assessments is finding the expertise to effectively perform them. To conduct an effective assessment, at least one cybersecurity expert should facilitate it and clearly explain the objectives, as well as the importance and the benefits to the organization. Another important success factor is the participation of the subject matter experts (SMEs) in supervisory control and data acquisition (SCADA) IT, operations, maintenance and engineering.
Cybersecurity is an expansive and complex topic, making this a tall order for those whose day job isn’t OT cybersecurity. Assessments typically include a significant educational component.
When respondents were asked which areas of cybersecurity their organizations prefer to outsource, 30% said they did not know (Figure 28). Since many respondents are unsure, they can assess their program in-house to identify areas to outsource. If not an assessment, then a workshop with a third-party vendor can help identify high-level gaps. Ideally, having a third opinion is the right move.
Many vulnerabilities begin with people. Respondents took this to heart. When they were asked what would most help their organization improve its cyber posture, two-fifths (40%) answered training, followed closely by budget or funding (32%), cyber expertise (31%) and resources (27%). One in five (21%) did not know, all of which ties back to training in some way (Figure 29).
Cybersecurity training is more than technical instruction; it’s a structured, ongoing effort to raise awareness and behavioral change across the organization. A successful training program is based on the utility’s current cybersecurity culture and built upon business objectives, showing employees the impact even a small mistake can have on operational safety and business continuity.
Incorporating real-world examples of cyber incidents and their consequences to make it relevant, the training program should include tailored modules based on the roles and responsibilities the different groups will have when an incident occurs. Tabletop exercises are a great tool to build awareness and support personnel readiness.
When asked if they preferred cybersecurity to be managed by internal staff or an external supplier, roughly two-thirds (65%) of respondents noted they preferred internal management. Notably, all responses indicated a desire for some level of internal involvement.
Budget realities and desire to have internal visibility and control over cybersecurity are driving cyber programs to have key internal involvement. However, the lack of expertise, experience and capabilities create the need to seek help from experts (Figure 30).
Budgets significantly influence the type of cybersecurity organization a utility can build. An ideal approach combines internal resources for day-to-day activities with external cybersecurity experts for developing, implementing and helping operate robust programs. This mixed strategy helps ensure comprehensive coverage and leverages specialized expertise. Adopting a multi-year plan can enhance program continuity and provide budget flexibility, allowing the utility to adapt to evolving cybersecurity needs while managing financial constraints effectively.
In the most recent American Water Infrastructure Act (AWIA) assessment, when asked what progress respondents have made remediating cybersecurity risk, only 31% of respondents said theirs is 76 to 100% complete, while another one-third noted that they don’t know. Combined with the expressed need for assessment (the first step in a cyber program), there seems to be confusion about the maturity of OT cyber programs. This is not surprising considering the ever-changing nature of the threat environment and the increasing risk to safety. Companies need guidance and support to protect their most sensitive operations.
Immediate investment in a robust program is crucial. This program should prioritize safety, ensure operational continuity, cultivate a strong cybersecurity training culture and refine processes to equip teams for potential cyberattacks. Respondents have highlighted safety and welfare as being at the top of their priority list, while training and education remain a major barrier to feeling secure in their practices. With companies such as Black & Veatch offering integrated cybersecurity services and solutions to the utility, the benefits of shared knowledge and best practice adoption are positively impacting the water industry.
Knowing that respondents are looking for more training and have a desire for their internal teams to be well-equipped to handle cybersecurity practices, Black & Veatch offers a multi-pronged approach as a solution.
Note that all or some of these actions can be performed in parallel, depending on each utility’s unique situation and future goals.
Enlist the help of an external cybersecurity subject matter expert to support short- to mid-term needs, including assessments, planning, governance, policy and implementation.
Identify training goals, plans and milestones for utility staff.
Take advantage of free training from Cybersecurity and Infrastructure Security Agency (CISA) and Idaho National Labs (INL).
Download free water sector cybersecurity guidance documents from the U.S. Environmental Protection Agency (EPA), CISA, Water ISAC, American Water Works Association (AWWA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI).
Incentivize and reward cybersecurity certifications starting with CompTIA Security+, SANS Global Industrial Cyber Security Professional (GICSP) or similar entry- to mid-level certification.
