Protecting the Balance Sheet with Process-Level Monitoring

By Rotem Ben-Eliyahu

Cyber intrusions are now a mainstream business risk for water utilities.

A 2025 cross-Atlantic survey from Semperis found that nearly two-thirds of operators experienced at least one cyber-attack in the previous year, and more than half of those incidents caused lasting damage to data or control equipment. When an attack lands, the financial hit is tangible: Southern Water in the United Kingdom spent about $5.7 million (USD) cleaning up a February 2024 ransomware breach, according to reports.

With roughly 50 000 community water systems operating independently across the United States, exposure varies widely, and many cyber budgets remain tilted toward IT perimeter tools rather than operational safeguards. But the physical core of service (pumps, valves, and chemical dosing) often runs without an independent safety check.

This article explores a complementary, process-oriented approach to cyber defense.

Why is this relevant from a finance perspective?

By validating real-time physical signals such as flow, pressure and electrical load against expected ranges, process-layer monitoring can identify malicious commands before equipment is damaged or water quality is compromised. The method does not eliminate cyber risk; rather, it mitigates a highly variable exposure, turning it into a threat that can be measured, managed and budgeted, an outcome that puts cybersecurity on a similar footing with other quantifiable operational risks.

Escalating Cyber Threats Outpacing Utility Defenses

The threat profile keeps expanding.

Nation-state groups now account for nearly 60% of documented attacks against water and electric utilities, often using “living-off-the-land” tactics that hijack valid accounts and blend into routine traffic.

At the same time, U.S. Environmental Protection Agency (EPA) inspectors reported that more than 70% of systems reviewed in 2024 failed basic cybersecurity benchmarks, citing weak passwords, outdated software and ad-hoc incident response. Most plants still rely on decades-old PLCs and remote-terminal units never designed for internet exposure, and a GAO assessment warns that such aging infrastructure amplifies risk across the distribution chain. Many utilities operate with only one or two IT generalists, leaving budgets and staff capacity stretched thin against rapidly evolving techniques and regulatory expectations. The result is a widening gap: attackers backed by professional resources and intelligence services versus operators juggling legacy equipment, limited personnel and fragmentary guidance – conditions that make the next costly breach less a matter of if than when.

Financial Exposure: Revenue Interruption, Compliance Penalties, Insurance Pressure

Operational disruptions translate directly into unbudgeted costs. During American Water’s October 2024 incident, the company took its customer portal offline for a week, paused payment collection and hired outside forensic specialists — expenditures booked entirely to operating expense.

Compliance risk adds another layer of liability. An EPA enforcement alert issued in May 2025 found that more than 70% of inspected community water systems were out of compliance with the Safe Drinking Water Act’s cybersecurity provisions and noted that civil penalties can reach nearly $70,000 per day, per violation.

Insurance still plays a role, though its coverage is only one layer in a broader risk framework. EPA’s 2024 guidance to water utilities notes that premiums are based on factors including demonstrable controls such as multi-factor authentication and independent Operational Technology safeguards. Gaps can lead to higher deductibles or exclusions.

Unplanned remediation, potential fines, rising insurance costs and interrupted cash flow together define a financial exposure with implications on both annual budgets and long-term capital plans.

Process-Layer Monitoring…and Why it Matters Today

True cyber resilience begins not with better firewalls or smarter interfaces, but with visibility into the physical layer where real consequences unfold.

And here is the core vulnerability: most cybersecurity tools focus on the control stack (networks, PLC logic, operator screens) and never look at the one place where real harm occurs, the process layer of pumps, valves and chemical-dosing skids, along with the raw signals (voltage, current, flow) that drive them.

Because most water facilities lack insight into what is happening at this level, a malicious command can run a pump dry or overdose chlorine while the screen still shows “normal.” In a recent cyber-attack on a Norwegian dam, a valve sat fully open for hours before anyone noticed, because no sensor outside the control system confirmed the actual flow.

Attackers can exploit this blind spot in three ways:

  • Direct command abuse: Send a new set-point and let the operator interface display the old one.
  • False-data injection: Manipulate sensor values so everything looks normal while the process drifts out of bounds.
  • Ransomware spill-over: Lock the control servers and leave pumps or valves in unknown states, with no feedback to show where the danger is.

Out-of-band sensors (current, flow, pressure) create an independent “second opinion” on what the hardware is really doing. When live physics disagrees with commanded values, the discrepancy can be presented to operators as verifiable evidence to act on.
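As an added illustration (not code from the article or from SIGA's product), the following Python script runs the "second opinion" check over constructed telemetry for one pump, covering the three scenarios above: it compares the screen's set-point with the motor current an independent clamp measures, the in-band flow with an out-of-band meter, and flags feedback that has gone stale while the motor is still drawing power. The engineering limits, the linear speed-to-current model and all sample values are assumptions.

```python
from dataclasses import dataclass

# Engineering envelope for one hypothetical pump station (constructed values).
FLOW_MAX_M3H = 120.0        # more flow than this pump can physically deliver
CURRENT_MAX_A = 45.0        # motor current above the nameplate limit
AMPS_PER_PCT = 0.40         # assumed linear speed->current model: 100% ≈ 40 A
TOLERANCE = 0.15            # 15% disagreement counts as a mismatch
STALE_AFTER_S = 30          # in-band feedback older than this is "no feedback"

@dataclass
class Sample:
    t: int                    # seconds since start of the capture
    hmi_setpoint_pct: float   # pump speed the operator screen claims is commanded
    reported_flow: float      # flow (m3/h) delivered over the PLC/SCADA path
    oob_flow: float           # flow (m3/h) from the independent out-of-band meter
    oob_current: float        # motor current (A) from the out-of-band clamp
    last_inband_update: int   # time of the last in-band telemetry refresh

def check(s: Sample) -> list[str]:
    """Findings for one sample; an empty list means physics agrees with the screen."""
    findings = []
    # 1. Envelope: the independent sensors say the hardware is outside its limits.
    if s.oob_flow > FLOW_MAX_M3H or s.oob_current > CURRENT_MAX_A:
        findings.append("outside_engineering_envelope")
    # 2. Dry run: the motor draws power but the independent meter sees no flow.
    if s.oob_current > 10.0 and s.oob_flow < 5.0:
        findings.append("pump_running_without_flow")
    # 3. Direct command abuse: the screen's set-point does not match what the
    #    motor is actually doing, judged from current rather than from PLC state.
    exp = AMPS_PER_PCT * s.hmi_setpoint_pct
    if abs(s.oob_current - exp) > TOLERANCE * max(exp, 4.0):
        findings.append("hmi_setpoint_vs_physical_mismatch")
    # 4. False-data injection: in-band flow disagrees with the out-of-band meter.
    if abs(s.reported_flow - s.oob_flow) > TOLERANCE * max(s.oob_flow, 1.0):
        findings.append("reported_vs_physical_flow_mismatch")
    # 5. Ransomware spill-over: feedback has stopped but the motor is still running.
    if s.t - s.last_inband_update > STALE_AFTER_S and s.oob_current > 5.0:
        findings.append("stale_feedback_while_running")
    return findings

# Constructed telemetry: one healthy sample followed by the three scenarios.
SAMPLES = [
    Sample(0,  60.0, 72.0, 70.0, 24.0, 0),   # healthy: 60% -> ~24 A, flows agree
    Sample(10, 60.0, 72.0, 70.0, 38.0, 10),  # command abuse: screen 60%, motor ~95%
    Sample(20, 60.0, 70.0, 3.0, 25.0, 20),   # false data: PLC says 70 m3/h, meter 3 (dry run)
    Sample(60, 60.0, 72.0, 70.0, 24.0, 15),  # ransomware: no in-band update for 45 s
]
def run(samples=SAMPLES) -> dict[int, list[str]]:
    return {s.t: check(s) for s in samples}
```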

Conclusion

Including the process layer in cyber defenses does not replace firewall rules or access controls; it complements them with a reality check. Detecting abnormal equipment behavior early limits damage, curbs recovery costs and reduces regulatory exposure.

For management, this provides a new opportunity: turning cyber incidents from open-ended crises into more manageable operational events.


Rotem Ben-Eliyahu, SIGA Security

Rotem Ben-Eliyahu is the integration and services manager at SIGA Security, an OT cybersecurity company that provides a process-oriented OT cybersecurity solution with real-time decision-making capabilities for managing critical incident response (IR) phases of an OT cyberattack.
