Nation-state attackers from Iran, Russia, and China are actively targeting water and wastewater treatment facilities across the United States and allied nations — and they're getting in through surprisingly basic security failures rather than cutting-edge exploits.
The Uncomfortable Truth: Simple Failures Enable Critical Attacks
A new analysis reveals that the most significant threat to water utility cybersecurity isn't zero-day exploits or advanced persistent threat (APT) malware — it's basic security hygiene failures that leave programmable logic controllers (PLCs) and operational technology (OT) systems exposed to the internet with default or weak credentials.
The three primary attack vectors identified across nation-state water utility intrusions include:
- Weak or default passwords on HMI (Human-Machine Interface) systems and PLCs
- Directly internet-exposed PLCs with no authentication or firewall protection
- Poor network segmentation between IT (corporate) and OT (operational) networks
Once attackers gain access via these simple means, they have the ability to manipulate water treatment parameters — including chemical dosing, filtration cycles, and pump pressure — with potentially dangerous consequences for public health.
Nation-State Threat Actors: Who's Doing What
Iran
Iranian cyber actors, particularly those linked to the Islamic Revolutionary Guard Corps (IRGC), have been the most aggressive in targeting water infrastructure. Iranian groups famously compromised a Unitronics PLC at a Pennsylvania water authority in late 2023, and have continued operations against water facilities in the U.S. and Israel.
Their tactics lean toward disruption and psychological impact — changing chemical settings, defacing HMI screens, and publicly claiming attacks to generate fear — rather than causing catastrophic physical damage.
Russia
Russian GRU and FSB-linked groups have demonstrated interest in water infrastructure as part of broader critical infrastructure targeting operations. In the context of the Ukraine conflict, Russian groups have developed significant expertise in ICS/OT attacks (as demonstrated by the CRASHOVERRIDE/Industroyer malware used against Ukraine's power grid) and have been observed scanning water utility systems in NATO countries.
Russian operations tend to be more patient and stealthy — focused on gaining persistent access that can be weaponized during geopolitical escalation.
China
Chinese state-sponsored actors, particularly those linked to Volt Typhoon and related clusters, have been identified pre-positioning in U.S. critical infrastructure — including water systems — with the apparent goal of establishing persistent access for use in a potential conflict scenario. Chinese operations in this space are characterized by living-off-the-land techniques and very low operational noise.
Why Water Systems Are Vulnerable
Water utilities present a unique cybersecurity challenge:
Resource constraints: Many U.S. water systems are small municipal utilities with limited IT/OT security budgets and no dedicated cybersecurity staff.
Legacy OT systems: PLCs and SCADA systems in water facilities often run legacy software with no patch support and are designed for decades-long operational lifespans.
Operational complexity: The need for 24/7 operations and concerns about disrupting critical services makes security changes (especially network segmentation) operationally challenging to implement.
Internet exposure by design (or accident): Remote access to HMI systems for operational monitoring is often enabled for convenience without adequate security controls.
Attack Patterns Observed
Security researchers tracking these campaigns have observed consistent patterns:
- Shodan/Censys scanning for exposed PLCs and HMI interfaces
- Credential spraying using vendor default passwords (which are often publicly documented in manuals)
- Direct PLC manipulation via legitimate industrial protocols (Modbus, DNP3, EtherNet/IP) without needing to deploy any malware
- HMI defacement as a form of psychological operation and proof-of-access
The absence of malware in many of these attacks makes detection significantly harder — attackers blend in with normal operational traffic.
Recommendations for Water Utilities
The EPA, CISA, and FBI have jointly issued guidance for water sector organizations. Priority actions include:
Immediate (0–30 days)
- Change all default passwords on PLCs, HMIs, RTUs, and network equipment
- Disable internet-facing access to OT systems where not strictly required
- Enable multi-factor authentication on all remote access solutions
Short-term (30–90 days)
- Network segmentation: implement a demilitarized zone (DMZ) between IT and OT networks
- Inventory all internet-exposed OT assets using both internal scanning and external services (Shodan)
- Review and restrict remote access — replace VPN-less internet exposure with jump servers and MFA-protected VPNs
Ongoing
- Monitor OT network traffic for anomalous protocol usage or unauthorized command sequences
- Subscribe to WaterISAC threat intelligence feeds
- Conduct tabletop exercises simulating ICS attacks to build incident response capability
- Apply firmware updates to PLCs and networking equipment on a regular cadence
The Bigger Picture
Water infrastructure attacks represent one of the most consequential potential scenarios in critical infrastructure security. Unlike power outages, which are immediately visible and generate rapid response, contaminated or disrupted water supplies can have delayed, insidious effects that are harder to detect and attribute.
The fact that sophisticated nation-state actors are successfully gaining access through basic security failures — rather than zero-days — is both alarming and empowering: it means many of these attacks are preventable with fundamentals.
The window for action is now, before geopolitical tensions escalate and these pre-positioned footholds are activated.