Water utility cybersecurity

U.S. public water utilities are the most under-defended segment of federally designated critical infrastructure. Of the 50,000-plus community water systems in the country, 92% serve populations under 10,000 and operate with one or two IT-and-OT staff. The combined result is a soft attack surface that foreign-state actors and ransomware operators have demonstrably targeted through the first half of 2026.

The threat surface

Six attack vectors dominate the public-disclosure record against U.S. water utilities: internet-exposed operational technology (HMI, SCADA, chemical-dosing PLCs), compromised administrative credentials, ransomware via the business IT side, vendor remote-access supply chain, phishing leading to wire fraud or data exfiltration, and physical-cyber convergence (insider or contractor).

At the cohort baseline, the first three categories are exploited disproportionately. Default credentials on exposed management interfaces, reused passwords on administrative accounts, and unpatched office endpoints with weak endpoint-detection coverage are the three most frequently named entry points across the H1 2026 incident catalog.

Who is doing the attacking

Public attribution in H1 2026 names two foreign-state-affiliated groups consistent with previously published federal advisories. One has a multi-year pattern of targeting industrial control systems across the U.S. and partner countries; the second focuses specifically on operational disruption rather than data theft. The non-state ransomware ecosystem has migrated toward water and wastewater after federal pressure tightened on healthcare and energy. Multiple regional water authorities have paid ransom or sustained extended outages in the first four months of 2026.

The structural exposure is the same regardless of attacker class. A foreign-state adversary and a ransomware operator both walk through the same six vectors above, using the same off-the-shelf tradecraft. A utility that closes the cohort baseline gap closes it against both.

The defended posture

A small set of utilities and water authorities operate with materially better protection. The structural minimum that reduces expected loss is:

  • OT network isolated from business IT with no direct internet exposure.
  • Phishing-resistant authentication on every administrative account with just-in-time elevation.
  • Managed endpoint detection on the business-IT side with weekly off-site immutable backup.
  • Vendor remote access through a vetted broker with full session recording.
  • DMARC enforced at p=reject with a transaction-verification protocol.
  • Physical badge revocation tied to logical access revocation.

None of the above is novel. Each line is implemented widely across enterprise IT and the financial sector. The under-defense of U.S. water utilities is a problem of cost, staff, and procurement, not technical novelty. The Water Hawk managed software suite, adapted from the broader Salian Defense product line, delivers each row of the structural minimum as part of the engagement at a cost structure small and mid-size utilities can absorb.
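One way to verify the DMARC item of the structural minimum above, as an added example that is not code from Water Hawk or Salian Defense. The function names are hypothetical and the sample records are constructed; the check treats `sp` and `pct` as ways a record can say `p=reject` without fully enforcing it.

```python
# Added example: audit a DMARC TXT record against the "p=reject" requirement.
# Function names are hypothetical; the sample records below are constructed.

def parse_dmarc(txt):
    """Return a dict of DMARC tags, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            return None
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must begin with the tag v=DMARC1.
    first_key = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first_key != "v" or tags.get("v") != "DMARC1":
        return None
    return tags

def audit_dmarc(txt):
    """Return a list of findings; an empty list means reject is fully enforced."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}, want p=reject")
    # sp inherits p when absent, so only an explicit weaker value is a finding.
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']} weakens the policy for subdomains")
    # pct below 100 applies the policy to only a sample of failing mail.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or int(pct_raw) != 100:
        findings.append(f"pct={pct_raw}, policy not applied to all failing mail")
    return findings

# Constructed sample records (placeholder domains).
SAMPLES = {
    "utility-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@utility-a.example",
    "utility-b.example": "v=DMARC1; p=quarantine",
    "utility-c.example": "v=DMARC1; p=reject; sp=none; pct=50",
    "utility-d.example": "v=spf1 -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        result = audit_dmarc(record)
        print(domain, "OK" if not result else "; ".join(result))
```

The record string is what a TXT lookup on `_dmarc.<domain>` returns; fetching it is left out so the example runs offline.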

How Water Hawk works with utilities

The engagement model is scoped, not list-priced. The first call is no-cost and no-obligation; you describe your operating environment and we deliver a written posture assessment against the threat surface above. If you engage Water Hawk for delivery, the suite is modular: utilities can adopt the OT-monitoring layer alone, or the full stack that adds managed endpoint detection, vendor remote-access brokering, mandatory phishing-resistant authentication rollout, and a 24/7 SOC relationship. Indicative engagements range from $4,500 per month at the smallest utilities running the OT-monitoring layer alone to $42,000 per month at the largest regional authorities running the full stack with around-the-clock SOC support.

Onsite work and incident-response retainers are quoted separately above the monthly recurring fee. For utilities operating in a P3 vehicle, the suite is structured to attach without disrupting the underlying utility operation.

Read further

  • The defense stack: the six capability layers Salian Defense ships into water-utility environments and the three engagement tiers (Signal, Assess, Protect).
  • Q2 2026 Water Security Quarterly: the dated snapshot with the H1 2026 incident counts, the threat-surface table, and the managed suite engagement detail.
  • Schedule a scoping call: email [email protected]. No-cost, no-obligation; you receive a written posture assessment whether or not you engage.