10 minute read 4 Oct 2021

Water utilities: Six focus areas to help build cyber resilience

By George Stathos

EY Oceania Water Utility Technology Risk and Cybersecurity Lead

Experienced consulting executive. Assisting water utilities transform their cybersecurity. Focusing on the risks that matter to management.

The benefits of digital transformation are significant. But the emerging cybersecurity risks must be managed to build effective resilience.

In brief
  • Growing investment in digitization and automation has broadened the digital attack surface for would-be attackers.
  • Increased scrutiny of critical national energy and resources assets is putting pressure on water utilities to reassess cybersecurity strategies.
  • Water utilities must take a security-by-design approach that builds cybersecurity resilience into their transformation strategy.

In many countries around the world, water utilities are investing heavily in new technologies to improve the efficiency and reliability of key processes, including water purification, bulk transfer, desalination and storage. But the benefits of increased digitization and connectivity, including greater flexibility and data-driven decision-making, bring new risks too. The swift adoption of the industrial internet of things (IIoT), coupled with the convergence of IT and operational technology (OT) systems, has increased both the surface for, and risk of, attack. Legacy systems, particularly vulnerable to breaches, remain present at many water utilities. New IIoT systems have a variety of vulnerabilities that can be difficult to manage effectively, given the depth and breadth of IIoT systems deployment at a modern water utility. At the same time, the frequency and sophistication of cyber attacks are increasing, with the impact of the COVID-19 pandemic amplifying risks.

As the digital transformation of water utilities increases and pressure grows on countries’ critical national assets to demonstrate greater resilience, the sector faces an urgent need to strengthen its cybersecurity strategies. Six critical areas of focus can help guide next steps.

1. Do you have a robust cybersecurity strategy with defined priorities and approved resources?

An effective cybersecurity strategy is comprehensive and considers a wide range of both internal and external factors but, at the same time, it must be focused — knowing where to prioritize effort and resources to achieve the most value. Getting the balance right requires the sector to undertake a number of steps.

Understand regulatory requirements

Water utilities should start by identifying their “must do” actions from a legal, regulatory and compliance perspective. Depending on where they operate, water utilities should be aware of legislation that applies to them and comply with all requirements. Examples of relevant legislation include:

  • The US National Defense Authorization Act (NDAA) for Fiscal Year 2021 — the US Senate and House of Representatives issued the report on the NDAA for FY21, including key cybersecurity provisions to improve national cybersecurity and protect US critical infrastructure from cyber attacks.
  • The EU NIS 2 Directive – the European Commission has proposed a new cybersecurity strategy to strengthen the EU’s cyber resilience. The proposed NIS 2 Directive will provide a comprehensive coverage of sectors and services considered to be critical to the European market. In addition to the sectors covered under the current regime (including water), new sectors will be brought into scope (including wastewater management). 

Identify critical assets

A large portion of the water utility sector does not have full visibility of its OT and IIoT assets, which can lead to more unknown vulnerabilities and to risk being tolerated outside risk appetite thresholds on an ongoing basis. Although initially challenging, protecting the critical physical processes that underpin water infrastructure – including water transfer, purification and distribution – should be front and center in a cybersecurity strategy. Water utilities should identify the greatest vulnerabilities within these processes, their likelihood of being exploited (and by whom) and the impact of exploitation, so these can form the basis of a risk-driven security program.

Assess key risks and threats

Water utilities cannot respond to cybersecurity threats without first understanding what they are. Building a threat profile that considers critical assets, the threat actors who may target them and the threat scenarios in which they may do so is an important step. With threat actors varying widely – from nation states to disgruntled former employees and random “lone wolves” – the water utility sector should conduct a comprehensive threat and risk assessment that can help identify those most likely to pose a threat.

Fill control gaps

The rapid evolution of technology transforming critical national energy and resources assets, including those in the water utility sector, has sometimes left regulators struggling to keep up with change. For example, while smart meters are being adopted at pace within the water industry, some countries currently have no security standards specific to industrial control systems (ICSs). Water utilities should therefore act to fill control gaps by considering local and global industry benchmarks, standards and best practice, e.g.:

Ensure you have the ability to execute

Knowing which risks, regulatory drivers and critical assets to focus on is only the start. Water utilities must then be realistic about their ability to execute against a cybersecurity strategy and road map. Are budgets adequate? Do they have the right skills in-house? Do governance mechanisms exist to enable business leaders to make decisions and support the cybersecurity strategy?

For many in the sector, getting these resource and governance structures in place will be critical to ensuring any cybersecurity strategy delivers true resilience. In its simplest form, the operating model defines where and how critical work gets done across an organization. It serves as a crucial link between the cybersecurity strategy and the detailed organization design that is in place to deliver on the strategy.

To make sure that any cybersecurity strategy and road map is realized, water utilities should develop a target operating model. This helps communicate the interplay of governance, resourcing, processes and organizational structure required to facilitate delivery of a cybersecurity road map and its capabilities to service consumers both within and outside the organization. 

2. Do you have the capability to manage a security incident that could impact critical operations?

Today’s cybersecurity ecosystem is increasing both the complexity and efficacy of attacks on water utilities – and some are struggling to adapt to the rapidly evolving threat landscape. In February 2021, for example, a water utility in Florida suffered a major cyber incident. Cyber attackers were able to gain access to systems in the water treatment facility and sought to add a dangerous level of additive to the water supply. If successful, this could have impacted the lives of nearly 15,000 residents.

The incident highlights that the sector can no longer approach cybersecurity with the mentality that attacks are unlikely or foreseeable. Instead, utilities must tackle the evolving environment by developing an incident response (IR) plan that includes granular threat-driven playbooks to better analyze, detect and contain threats; involve third parties where necessary; and recover from cybersecurity attacks with limited impact on operational continuity.

3. Are you ready for a converged approach to IT and OT cybersecurity service delivery?

IT, IIoT and OT domains are becoming more integrated, and responsibility for security is becoming more blurred, especially in physical asset-intensive organizations such as water utilities. The business value in ever-increasing connectivity and machine-to-machine interaction creates the growing need for a trusted, resilient and reliable environment to enable robotics, automation and digitized upstream operational services such as smart meters.

A converged IT/OT approach to cybersecurity resilience is not a new concept, but it’s one that water utilities continue to struggle with for several reasons, including the prevalence of technical skills shortages and organizational cultural resistance.

A common starting point for convergence could be the establishment of an IT and OT security operations center. This would provide a common operating platform that helps to monitor and analyze an organization’s IT and OT security posture on an ongoing basis, and facilitates a common set of people, process and technology practices to help detect and respond to cybersecurity incidents.

4. Can you adapt to changing regulation?

As technology transforms and continues to impact water utilities on a global scale, regulations governing the cybersecurity of organizations within the sector continue to adapt to the changing environment.

In addition to the US and EU legislation highlighted above, in December 2020, the Australian Government released the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill). The Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure. In its current state, the Bill includes a number of obligations for water utilities, e.g.: (i) to have, and comply with, a critical infrastructure risk management program; (ii) mandatory reporting of certain types of cybersecurity incidents to a relevant Commonwealth body; and (iii) for assets of national significance, to work with Australian Signals Directorate (ASD) to conduct cybersecurity exercises.

The challenge for water utilities will be the need to find mechanisms to comply with all of these regulations cost-effectively and efficiently. According to the EY Global Information Security Survey (GISS) 2021, 55% of power and utility respondents agree that in the next few years, regulations will become more fragmented and time-consuming to manage.

5. How have you responded to increased third-party risk and remote working since COVID-19?

Water utilities have long worked with multiple third parties, outsourcing operational work to external contractors, sometimes with confusion around which supplier is working on a particular piece of infrastructure. This use of third parties is increasing as the sector forms collaborations to pool knowledge and skills to better serve customers and accelerate innovation. And while this brings huge benefits, it also amplifies risks, particularly as remote working has become more commonplace due to the COVID-19 pandemic.

For many organizations, including water utilities, third-party risk management (TPRM) processes have not kept pace with increased threat levels. A recent EY survey found that, while 64% of companies said that recent data breaches or losses were caused by third parties, only 34% have reassessed the inherent risk profile of their third parties. And 40% are still using manual processes to validate third parties’ risk profiles.

The innovation that the sector requires to stay competitive relies on partnering with a diverse group of suppliers, so the answer is not to avoid working with third parties. Instead, organizations should enhance TPRM capabilities and ask suppliers for independent assurance, including through service organization controls reporting, as to the soundness of their controls.

6. Do you have a security-by-design approach to adopting disruptive technologies?

Advancing technologies, including the IoT, smart meters, analytics and artificial intelligence, allow the sector to enhance performance while improving efficiencies and saving costs, but they also present an exponential vulnerability to prominent cybersecurity threats.

While some companies in the sector have been quick to adopt disruptive technologies, many have neglected to consider the adverse cybersecurity consequences that come with them. This exposes them to new risks, including hacking that results in data breaches, privacy intrusion through eavesdropping, and even the risk of technology failures putting water quality at risk or shutting down operations altogether.

As the sector moves to adopt technological innovation, security should be front of mind rather than an afterthought. A security-first approach that builds cybersecurity resilience into the design and architecture of all new system implementations, then thoroughly tests it before going live, helps companies to mitigate the risks that disruptive technologies may bring into the operating environment.

Strengthening today to make the most of tomorrow’s opportunities

With a number of regulators around the world likely to set tougher requirements around cybersecurity, the sector must act now to ensure it is ready to fend off attacks and demonstrate resilience. A strong cybersecurity strategy should set priorities that consider all critical IT and OT assets, allocate adequate resources to manage them, and build the agility for effective incident response. It should also be ready to adapt to changing regulation, and ensure that TPRM is keeping up with the increased use of third parties and remote working.


As data and technology continue to reshape the sector, water utilities must keep cybersecurity at the forefront of all digital transformation projects. Greater resilience will not only help protect critical water assets but also give companies the capabilities and confidence they need to make the most of new technologies and drive innovation. 
