WATER & WASTEWATER
OT Security for Water Utilities
Discover internet-exposed SCADA and PLC systems across water treatment, distribution, and wastewater facilities.
Threat Landscape
Water utilities are under active attack. The Cyber Av3ngers (Iranian-affiliated) campaign targeted multiple U.S. water utilities in 2023-2024, exploiting internet-exposed PLCs to manipulate water treatment processes. CISA has issued repeated advisories warning water utilities about exposed OT systems.
Many water utilities operate with lean IT/OT teams and aging infrastructure. PLCs and RTUs connected through cellular gateways, vendor VPN tunnels, and legacy modems often create internet exposure paths that bypass air-gap assumptions. Internal monitoring tools cannot see these external paths.
ShiftSix identifies every internet-exposed water OT asset from the outside in—the same perspective an attacker uses to find them.
Relevant OT Protocols
Modbus/TCP
The most common protocol in water SCADA systems. Exposed Modbus PLCs allow direct read/write access to process control registers—including chemical dosing, pump control, and valve positions.
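As an added illustration (not ShiftSix's code or part of the original page), the following Python decodes a Modbus/TCP request and flags write function codes that arrive from hosts outside an HMI/engineering allowlist, the kind of check a monitor at the plant network boundary can run. The sample frames, IP addresses and register numbers are constructed for the example.

```python
import struct

# Modbus/TCP = 7-byte MBAP header (transaction id, protocol id, length, unit id)
# + PDU (function code + data). The protocol has no authentication, so any host
# that can reach TCP/502 can send these requests; writes are the ones to watch.
WRITE_FUNCTION_CODES = {
    5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
    23: "read_write_multiple_registers",
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus/TCP")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    req = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
           "is_write": fc in WRITE_FUNCTION_CODES}
    if fc in (5, 6, 15, 16) and len(frame) >= 12:
        # coil/register writes begin with start address + value or quantity
        req["address"], req["value_or_quantity"] = struct.unpack(">HH", frame[8:12])
    return req

def audit_writes(records, allowed_writers):
    """One alert per write (or malformed frame) from a host not on the allowlist."""
    alerts = []
    for src_ip, frame in records:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append({"src": src_ip, "reason": f"malformed: {err}"})
            continue
        if req["is_write"] and src_ip not in allowed_writers:
            alerts.append({"src": src_ip, "reason": WRITE_FUNCTION_CODES[req["function_code"]],
                           "unit": req["unit_id"], "address": req.get("address")})
    return alerts

# Constructed sample traffic (hypothetical addresses): the HMI reads holding
# registers; an outside host writes holding register 0x0010 on unit 1.
SAMPLE_RECORDS = [
    ("10.1.5.20", bytes.fromhex("00010000000601030000000a")),   # read holding registers
    ("203.0.113.7", bytes.fromhex("000200000006010600101234")),  # write single register
    ("203.0.113.7", b"\x00\x03\x00\x00\x00\x09\x01\x10"),        # truncated write request
]
ALLOWED_WRITERS = {"10.1.5.20"}
```

Running `audit_writes(SAMPLE_RECORDS, ALLOWED_WRITERS)` yields one alert for the external write and one for the truncated frame; the HMI read produces none.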
DNP3
Used in larger water utility SCADA networks for communication between master stations and remote terminal units (RTUs) at pump stations and treatment plants.
Compliance Requirements
Water utilities face increasing regulatory pressure to address OT cybersecurity:
- EPA Cybersecurity Assessments — Required under the Safe Drinking Water Act, now including OT system security evaluations
- CISA Water Sector Advisories — Specific guidance on securing internet-exposed PLCs and SCADA systems
- State Regulations — Growing number of states requiring cybersecurity plans for water utilities
- America’s Water Infrastructure Act (AWIA) — Risk and resilience assessments for systems serving 3,300+ people
Customer Story
Regional Water Utility
Challenge
A mid-sized water utility serving 500,000+ residents believed their SCADA systems were fully air-gapped from the internet.
Discovery
ShiftSix identified 7 internet-exposed PLCs and 3 DNP3 endpoints reachable via a misconfigured cellular gateway. Two devices had known CISA KEV vulnerabilities.
Results
The utility’s air-gap assumption was proven false. Exposed assets matched Cyber Av3ngers targeting patterns.
Outcome
Cellular gateway hardened within 48 hours. Continuous external monitoring established.
See Your OT Exposure
See What Attackers See
Get a free external exposure assessment of your organization’s OT attack surface.