RESEARCH COMPLETE
$ cat /intel/critical-infrastructure/wws-security.log
[BLUF] Bottom Line Up Front
The United States Water and Wastewater Systems (WWS) sector faces escalating cyber threats from nation-state actors seeking to pre-position for wartime disruption or conduct opportunistic attacks. With 70% of utilities violating basic cybersecurity requirements and 90% serving populations under 10,000 with minimal IT resources, the sector represents a critical vulnerability in national infrastructure.
50,000+ systems at risk | 324M Americans dependent | $43.5B daily economic exposure
[SECTOR] Critical Infrastructure Profile
50,000+ | Total WWS Systems | Community water & wastewater
324M | Americans Served | 97% of US population
$43.5B | Daily Economic Impact | If disrupted nationwide
70% | Non-Compliant Systems | Violate basic cyber requirements
90% | Small Systems | Serve <10,000 people
0-1 | IT Staff (Small Utilities) | Limited dedicated security
[THREAT] Nation-State Actors Targeting WWS
🇨🇳 Volt Typhoon (China)
TYPE: State-Sponsored APT
OBJECTIVE: Pre-positioning for wartime disruption
TTPs: Living-off-the-land, long-term persistence
🇷🇺 APT44 / Sandworm (Russia)
TYPE: GRU Unit 74455
OBJECTIVE: Sabotage and psychological operations
TTPs: Destructive malware, ICS targeting
🇮🇷 CyberAv3ngers (Iran)
TYPE: IRGC-Affiliated
OBJECTIVE: Opportunistic disruption
TTPs: Unitronics PLC exploitation, defacement
[INCIDENTS] Notable WWS Cyber Attacks
[2021.02] Oldsmar, Florida
>> DESCRIPTION: Attacker accessed HMI via TeamViewer, attempted to increase sodium hydroxide (lye) to 11,100 ppm—111x normal levels.
>> OUTCOME: Operator detected and reversed changes in real-time. No public harm.
>> VECTOR: Remote access (TeamViewer)
[2023.11] Aliquippa, Pennsylvania
>> DESCRIPTION: CyberAv3ngers compromised Unitronics Vision PLC at Municipal Water Authority booster station.
>> OUTCOME: Operators switched to manual control. CISA issued ICS advisory.
>> VECTOR: Default credentials on Unitronics PLC
[2024.01] Muleshoe, Texas
>> DESCRIPTION: Russian-linked actors caused water tank overflow by manipulating SCADA systems.
>> OUTCOME: Physical overflow occurred. Demonstrated real-world impact capability.
>> VECTOR: Exposed HMI/SCADA interface
[VULNS] Common Security Gaps
Authentication (70%+ of utilities)
- Default credentials
- Shared passwords
- No MFA on remote access
Network Security (Widespread)
- Flat networks (no segmentation)
- OT systems internet-exposed
- No firewalls between IT/OT
System Maintenance (Common in small utilities)
- Unpatched PLCs and HMIs
- End-of-life operating systems
- Legacy protocols (Modbus, DNP3)
Monitoring (Majority of systems)
- No logging on OT networks
- No intrusion detection
- Lack of asset inventory
[REGULATORY] Oversight Framework
REGULATION AUTHORITY REQUIREMENT
Safe Drinking Water Act (SDWA) Risk & Resilience Assessments for systems serving >3,300
America's Water Infrastructure Act (AWIA) Cybersecurity in RRAs, emergency response plans
NSM-22 (2024) EPA designated as Sector Risk Management Agency
CISA Advisories ICS-CERT alerts, mitigation guidance, free assessments
[MITIGATIONS] Priority Actions
Critical | Immediate | Change default credentials on all PLCs, HMIs, and network devices
Critical | Immediate | Implement MFA on all remote access points
High | 30 days | Segment OT networks from IT and internet
High | Immediate | Disable unnecessary remote access (TeamViewer, VNC)
Medium | 60 days | Implement logging and monitoring on OT networks
Medium | 90 days | Conduct asset inventory of all ICS components
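
The Oldsmar entry above and the logging and monitoring action point to one concrete detection: alarm on chemical setpoint writes that leave the normal band, and note when they come from a remote session. The following is an added example, not taken from the research paper; the audit-log format, the tag name NAOH_SP and the two limits are assumptions, and the 100 ppm baseline is derived from the page's "11,100 ppm, 111x normal" figure.

```python
from dataclasses import dataclass

# Baseline follows from the page's figure: 11,100 ppm is 111x normal.
BASELINE_PPM = 100.0
MAX_SAFE_PPM = 200.0      # assumed engineering high limit
MAX_STEP_RATIO = 1.5      # assumed largest allowed single-step increase
REMOTE_TOOLS = {"teamviewer", "vnc"}  # remote access tools named on the page

@dataclass
class SetpointEvent:
    ts: str
    tag: str
    old: float
    new: float
    session: str  # "console" or a remote tool name

def parse_event(line: str) -> SetpointEvent:
    """Parse one constructed 'key=value' HMI audit line."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return SetpointEvent(f["ts"], f["tag"], float(f["old"]),
                         float(f["new"]), f["session"].lower())

def evaluate(ev: SetpointEvent) -> list[str]:
    """Return the reasons a setpoint write should alarm (empty = OK)."""
    reasons = []
    if ev.new > MAX_SAFE_PPM:
        reasons.append(f"above high limit ({ev.new / BASELINE_PPM:.0f}x baseline)")
    if ev.old > 0 and ev.new / ev.old > MAX_STEP_RATIO:
        reasons.append("step change too large")
    if reasons and ev.session in REMOTE_TOOLS:
        reasons.append(f"written from remote session ({ev.session})")
    return reasons

# Constructed sample audit lines (hypothetical format, not incident data).
SAMPLE_LOG = """\
ts=08:00:03 tag=NAOH_SP old=100 new=105 session=console
ts=13:30:41 tag=NAOH_SP old=100 new=11100 session=TeamViewer
ts=13:31:10 tag=NAOH_SP old=11100 new=100 session=console
"""

def scan(log: str) -> dict[str, list[str]]:
    """Map timestamp -> alarm reasons for each flagged setpoint write."""
    events = (parse_event(l) for l in log.strip().splitlines())
    return {ev.ts: r for ev in events if (r := evaluate(ev))}

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG).items():
        print(ts, "ALERT:", "; ".join(reasons))
```

The same check belongs in the PLC or HMI as a hard limit where the platform supports it, so that a rejected write and an alert happen together rather than relying on an operator noticing the change.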
[ASSESSMENT] Key Findings
▸ Pre-positioning confirmed: Volt Typhoon maintains persistent access to WWS infrastructure for potential wartime activation, not immediate exploitation.
▸ Low barrier to entry: Most successful attacks exploited default credentials and internet-exposed HMI systems—no sophisticated exploits required.
▸ Resource disparity: Small utilities lack budget and personnel for basic security hygiene, yet serve millions cumulatively.
▸ Cascading impact: Water disruption affects hospitals, manufacturing, firefighting, and public health simultaneously.
[DOCUMENT] Full Research Paper
// Original research document with complete analysis
Securing US Water & Wastewater Utilities