Free Quarterly Report / Water Security
Q2 2026 / Published May 11, 2026
Free edition / Threat surface and defended posture
Water Security Quarterly: threat surface, recent incidents, defended posture
U.S. public water utilities are the soft underbelly of critical infrastructure. The Q2 2026 quarterly walks the threat surface, the foreign-state and non-state actor activity that publicly surfaced in the period, the structural reasons most utilities are under-defended, and the layered defense posture that materially reduces exposure. Water Hawk operates a managed software suite adapted from the broader Salian Defense product line specifically for water-utility deployment; the engagement is scoped per utility.
Audience: General managers, IT directors, and operational technology leads at public water utilities; state primacy agencies; insurers underwriting cyber exposure on water assets; P3 partners considering operational responsibility.
Executive summary
U.S. public water utilities are the most under-defended segment of federally designated critical infrastructure. Of the roughly 50,000 community water systems in the country, the overwhelming majority serve populations under 10,000, operate with one or two IT-and-OT staff, and run a mix of legacy supervisory control and data acquisition (SCADA) equipment alongside modern internet-connected sensors and chemical-dosing controllers. The combination is a soft attack surface that has been clearly identified as a target by both foreign-state actors and non-state ransomware operators. Public reporting through the first half of 2026 (CISA and federal-partner joint advisories, state primacy-agency notifications, and operator-network field intelligence) confirms sustained interest from foreign-state-affiliated threat groups and an opportunistic ransomware ecosystem that has migrated toward water and wastewater after federal pressure tightened on healthcare and energy.
The defended posture is not theoretical. A small set of utilities and water authorities operate with materially better protection than the cohort baseline: layered network segmentation between business IT and OT, vendor-managed monitoring on the OT side, hardened remote-access posture, mandatory phishing-resistant authentication on every administrative account, and a 24/7 monitoring relationship with an outside SOC. The Water Hawk managed software suite, adapted from the Salian Defense product line, brings that posture to small and mid-size utilities at a cost structure they can absorb. The engagement is scoped per utility on assets-under-protection, integration depth, and 24/7 SOC support. The free edition of this quarterly is the public threat-surface picture; the scoped engagement is where the protection actually gets installed.
Headline stats
| Metric | Value | Note |
|---|---|---|
| Community water systems | 50,000+ | U.S. cohort |
| Systems serving under 10K | 92% | cohort share by count |
| Cyber incidents H1 2026 (operator-tracked) | 20+ | public disclosures, federal notifications, and operator-network field intelligence |
| Foreign-state-attributed | multiple | attribution consistent with CISA/FBI/NSA joint advisories |
| Ransomware-attributed | majority | water and wastewater targeting accelerated H1 2026 |
| Typical utility IT-and-OT staff | 1 to 2 | cohort baseline at systems under 10K population |
Threat surface: what gets attacked and how
| # | Attack vector | Frequency | Typical posture exploited | Defended posture |
|---|---|---|---|---|
| 1 | Internet-exposed OT (HMI, SCADA, chemical-dosing PLC) | High | Default credentials, exposed management interfaces, no segmentation | OT network isolated from business IT, no direct internet exposure, vendor-managed remote access only |
| 2 | Compromised admin credentials | High | Reused passwords, no MFA, shared service accounts | Phishing-resistant authentication on every admin account, just-in-time elevation |
| 3 | Ransomware via business IT | High | Unpatched office endpoints, weak EDR, no off-site backup | Managed EDR, weekly off-site immutable backup, tested ransomware-recovery runbook |
| 4 | Vendor remote-access supply chain | Medium | Permanent vendor VPN with shared credentials, no audit trail | Just-in-time vendor access through a vetted broker with full session recording |
| 5 | Phishing leading to wire fraud or data exfiltration | Medium | No anti-phishing training, no DMARC enforcement, no transaction-verification controls | Mandatory phishing-resistant authentication, DMARC enforced at p=reject, transaction-verification protocol |
| 6 | Physical-cyber convergence (insider, contractor) | Low | No badge-system integration with logical access | Badge revocation tied to logical-access revocation, contractor scoping limited to assigned assets |
Foreign-state and non-state threat context
Public attribution against U.S. water utilities through H1 2026 names foreign-state-affiliated groups consistent with previously-published CISA, FBI, and NSA joint advisories: at least one with a multi-year pattern of targeting industrial control systems across the U.S. and partner countries, and at least one focused specifically on operational disruption rather than data theft. The ransomware ecosystem has migrated toward water and wastewater after federal pressure squeezed healthcare and energy targets; multiple regional water authorities have paid ransom or sustained extended outages through H1 2026. The cohort baseline does not catch any of this on the OT side. The Water Hawk managed software suite is specifically designed to detect and contain the attack patterns documented in the public threat literature, with monitoring tuned to water-utility OT signatures.
The Water Hawk managed software suite
The Water Hawk managed software suite is adapted from the broader Salian Defense product line for the specific operational profile of a small or mid-size U.S. public water utility. The suite is modular: utilities can adopt the network-segmentation and OT-monitoring layer alone, or the full stack that adds managed endpoint detection, vendor remote-access brokering, mandatory phishing-resistant authentication rollout, and a 24/7 SOC relationship. The deployment is hands-on; the operator has a named engagement lead and a 90-day onboarding window during which the baseline posture is established.
Pricing is custom per utility. The drivers are assets under protection (number of OT segments, number of PLC and HMI endpoints, count of administrative accounts), integration depth (whether the utility has an existing SCADA historian, GIS, billing system, and laboratory information systems that we read from), and 24/7 SOC support (the SOC relationship is the most material cost lever). Indicative bands run from the low five figures per month at smaller utilities adopting a single layer to the mid-five figures per month at the largest regional authorities running the full stack with around-the-clock SOC support. We do not publish a list price because the work doesn't scale that way; we scope, then quote, then deliver. The scoping call is no cost and no obligation.
What to do with this report
- If you operate or oversee a community water system: schedule a no-cost scoping call. The output is a written assessment of your current posture against the threat surface above, with a recommended set of adoption steps regardless of whether you engage Water Hawk for delivery.
- If you sit on a board or commission: ask your operating utility about its IT-and-OT staff count, its OT-monitoring posture, and its tested ransomware-recovery runbook. The cohort baseline answers are very weak; a small upgrade returns large value.
- If you underwrite cyber exposure on water assets: the threat surface above is the right baseline. Insureds operating at the defended posture column genuinely have lower expected loss, and the difference is large.
- If you are a P3 partner taking operational responsibility on a water asset: cyber posture is not optional; the structural under-defense is one of the larger silent liabilities you inherit. The Water Hawk managed suite is structured to attach to a P3 vehicle without disrupting the underlying utility operation.
Scope a Water Security engagement
The managed software suite is custom-scoped per utility. The first call is no-cost, no-obligation: tell us what you operate, we tell you what your posture looks like against the threat surface, and we quote only if you ask us to. Email [email protected] to schedule the scoping call.
Locked / Subscribers only
Named incident detail: H1 2026 attack catalog
For every publicly-disclosed H1 2026 incident, the full report walks the named utility (where public), the attack vector, the operational impact, the recovery path, and the lessons-learned applicable to the broader cohort.
- Per-incident attack vector with named threat group where attributed
- Operational impact and recovery timeline
- Lessons-learned for the broader cohort
- Post-incident posture changes reported by the affected utility
Locked / Subscribers only
Per-utility water-security posture score
A composite security-posture score for every U.S. community water system, combining publicly-observable indicators (DNS, certificate posture, exposed services) with cohort-aggregated contributor data. Updated quarterly.
- Composite posture score per utility
- Component breakdown across the six attack vectors
- Cohort-relative position by population band
- Trend movement quarter-to-quarter
Locked / Subscribers only
Managed software suite scoping and engagement
The Water Hawk managed software suite is sold via scoped engagement, not list-price subscription. After a no-cost scoping call, the engagement scope is documented and quoted. Indicative bands run from the low five figures per month at smaller utilities to the mid-five figures per month at the largest regional authorities. Onsite work is quoted separately above the monthly recurring fee.
- No-cost scoping call with a named engagement lead
- Written posture assessment after scoping
- 90-day onboarding window with hands-on deployment
- Modular adoption: start with OT-monitoring layer, expand to full stack
Methodology and disclaimers
Incident counts are aggregated from public disclosure, federal-agency notifications, state primacy-agency reporting, and operator-network field intelligence. Headline figures are reported as ranges or qualitative magnitudes ("multiple," "majority") rather than precise counts because the underlying disclosure base is incomplete and asymmetric across sources. Attribution is reported only where publicly attributed; we do not surface attribution that is not already public. The threat-surface table reflects the most-frequent attack vectors against U.S. water utilities through H1 2026; named utility detail and named threat-group operational specifics are reserved for the paid engagement and the bespoke quarterly. The defended posture column is the structural minimum to materially reduce expected loss; the Water Hawk managed suite delivers each row of that column as part of the engagement, scoped per environment.
Free quarterly reports are opinion-based analysis of imperfect public data and aggregated contributor data subject to the safeguards described at Data Disclaimers. Not investment, legal, financial, or engineering advice. Aggregated outputs respect a minimum cohort size, single-contributor cap, and 90-day forward-looking delay so the publication never functions as a real-time price-signaling channel.