
By Steven Taylor
Information technology (IT) and operational technology (OT) systems are intertwined, yet they often work in silos. A recent survey of cybersecurity professionals in critical infrastructure sectors revealed IT compromises as the top attack method (45%) into OT and industrial systems in 2024. The report also found that half of reported ransomware attacks directly impacted OT systems.
This means high risks for systems in critical infrastructure, like water/wastewater facilities, that affect the lives and health of millions of people.
Recent high-profile incidents in Pennsylvania and Kansas have highlighted the need for stronger cybersecurity frameworks, as many facilities still rely on outdated systems with limited security measures. In fact, a major water company also faced recent incidents, in which threat actors gained access to critical computer networks and systems. Luckily, water and wastewater facilities were not directly affected, but these examples underscore the increasing risks in the industry, as well as the need to protect OT systems from IT vulnerabilities. Data protection is an important element of OT cybersecurity strategies to improve cyber “hygiene” in the water sector.
Plugging the Holes: Strengthening Data Privacy in OT Systems
Critical infrastructure systems often still rely on outdated technology with limited security measures. As a result, implementation gaps remain a challenge, despite efforts by agencies like the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) to enforce stricter cybersecurity guidelines. For example, the EPA has developed a Cybersecurity Checklist derived from CISA’s Cybersecurity Performance Goals (CPGs), aiming to help water and wastewater utilities identify and address vulnerabilities. Additionally, the Cyber Incident Reporting for Critical Infrastructure Act mandates that organizations report cyber incidents and ransomware payments to CISA, enhancing threat detection and response capabilities. Despite these initiatives, many water treatment facilities continue to face significant cybersecurity challenges and implementation gaps.
Critical infrastructure operators also face challenges in integrating systems, managing access across complex network architectures, and absorbing strains on cost and resources. Distributed, multi-vendor control systems lead to integration challenges, inconsistent and disconnected security protocols, and communication difficulties across the network. Water utilities often require access for a range of personnel, including operators, engineers, contractors and vendors, each with unique security requirements. Limited budgets and staffing add further pressure, making it difficult for cybersecurity teams to implement and sustain security measures. Utilities must constantly balance operational needs with security priorities, often forcing difficult trade-offs that impact resilience and reliability.
Cleaning Up Cyber Practices: The Key to Robust OT Security
Just as people wash their hands to minimize sickness from germs, companies must practice regular IT hygiene to secure OT infrastructure against vulnerability risks. This principle must go beyond simple patching and updates; it should be rooted in a multi-layered security strategy that integrates network segmentation, access controls, and incident response planning. However, even the best technical plans can fall short without strong cybersecurity awareness across the workforce. Employees, operators and third-party vendors must be trained to recognize risks such as phishing attempts, weak passwords, and unauthorized access attempts. Here are key regulatory tips OT operators can implement to bolster their cybersecurity posture:
Cross-functional Collaboration Among IT and OT Teams
In critical infrastructure sectors like water and wastewater management, collaboration between IT and OT teams is crucial for maintaining both security and operational continuity. IT teams safeguard data integrity, enforce cybersecurity protocols, and verify compliance with evolving regulations. Their focus on digital protection is vital for managing the growing risks critical infrastructure faces.
Meanwhile, OT teams oversee the reliability and efficiency of physical systems — such as water treatment facilities — managing real-time processes that demand high uptime.
The increasing convergence of IT and OT environments also introduces new vulnerabilities. For example, the shift to hybrid work has expanded the OT attack surface. Something as simple as an employee connecting their work laptop to an unsecured public Wi-Fi network can create significant security risks for OT systems.
Without a collaborative approach between teams, the expanded attack vectors can leave critical infrastructure vulnerable to cyber threats.
Ongoing Education and Upskilling
Ongoing education and staff training are essential for establishing effective communication between teams and external vendors. Regular training keeps all stakeholders up to date on evolving cybersecurity protocols, operational procedures, and system integration best practices.
The accelerating pace of evolving technology is also making upskilling more urgent than ever. As organizations adopt advanced automation, cloud platforms, and AI-driven security solutions, teams must quickly develop new technical competencies to manage these innovations effectively. Without regular upskilling, even experienced professionals risk falling behind, creating potential security gaps and operational inefficiencies.
Regular education not only helps bridge the gaps between IT and OT teams but also fosters a shared understanding of each group’s objectives. By prioritizing continuous learning, organizations can enhance overall resilience and reduce operational vulnerabilities.
Continuous Threat Detection and Response
Implementing continuous threat detection and rapid response is essential for safeguarding OT environments from increasingly sophisticated cyber threats. By combining real-time network monitoring with regular security audits, penetration testing and vulnerability assessments, organizations can identify and close security gaps before they’re exploited.
Continuous network monitoring provides real-time visibility into potential threats, allowing cybersecurity teams to detect anomalies and respond swiftly before incidents escalate. Security audits help maintain compliance with industry regulations and best practices, while penetration testing simulates real-world cyberattacks to uncover weaknesses that malicious actors could exploit. Complementing these efforts, vulnerability assessments systematically scan for outdated software, misconfigurations, and other security risks, enabling teams to prioritize remediation efforts effectively.
Closing the Gaps: Smarter Cyber Practices for Resilient OT
Protecting critical OT environments from growing cyber threats demands more than technical implementation — it requires a unified, collaborative, and proactive approach. By integrating regular IT cyber hygiene practices, such as cross-functional collaboration, regular training, and continuous monitoring and response, organizations can strengthen their cybersecurity posture and enhance operational resilience.
As incidents against critical infrastructure continue to rise, organizations must take action to create a layered strategy that prioritizes both technical safeguards and workforce readiness. Implementing robust network segmentation, access controls, and rapid incident response plans is essential. Equally important is fostering a security-first culture where employees, operators and third-party vendors are trained to recognize and mitigate threats. By taking a comprehensive, integrated approach, organizations can protect vital infrastructure, safeguard public health, and maintain the reliable delivery of essential services.

Steven Taylor currently serves as the Senior Global Product Manager at Rockwell Automation, a digital transformation and industrial automation solutions provider. Taylor has several years of experience in product development, market strategy, service development and program management.






