Protecting the Lifeline: 2025 Threat Trends to Water & Wastewater Utilities

Keith Casey

November 11, 2025

The U.S. water and wastewater sector is a lifeline service, essential for public health, economic continuity, and emergency response. In 2025, the threat environment continued to intensify. According to the Q1 2025 WaterISAC–EPA National Security Information-Sharing Bulletin, cyber actors are showing heightened interest in operational technology (OT) and industrial control systems (ICS), while physical threats, from drone-borne payloads to insider sabotage, are converging with cyber risks.

Foreign state-sponsored APT groups, such as Salt Typhoon, have demonstrated that sophisticated attack playbooks can be adapted across target sectors. Meanwhile, insecure vendor remote access, exposed ICS interfaces, and under-integrated cyber-physical defenses leave utilities vulnerable.

This article highlights the key trends from WaterISAC’s Q1 2025 bulletin to identify important operational and economic insights and how security challenges impact them.

A Sector Under Siege

The water sector’s unique combination of public trust duties and high-availability needs makes it a prime target. Attackers are often driven by potential ransom rewards and also use persistent, targeted disruption for ideological and geopolitical gains.

Today’s utilities are deeply interconnected. OT and IT systems are linked to streamline monitoring, maintenance, and data analytics. This integration improves efficiency but at the cost of broadening the attack surface. A single point of compromise can cascade into operational downtime, safety hazards, or environmental harm.

“An often overlooked area in the sector’s cybersecurity posture is the potential for third-party vendors or integrators to create vulnerabilities when they utilize remote access for system monitoring or maintenance. Vendors may not follow the utility’s security protocols and may leave IT or OT devices exposed to the internet.” — WaterISAC Q1 2025 Bulletin, page 1

Physical risks in the water sector compound these challenges. As WaterISAC notes, threat actors, whether state-sponsored, criminal, or extremist, understand the societal ripple effects of success. Even a short outage can erode public confidence and trigger costly emergency responses.

“A wide range of physical threat actors are also targeting the sector, with motivations ranging from ideological objectives, political beliefs, personal grievances, or financial incentives. Utilities must continue to have a strong posture to prevent or mitigate physical impacts from external actors and insider threats. The threats are complex because the threat actors know the negative impacts a successful attack will have on society.” — WaterISAC Q1 2025 Bulletin, page 1

Remote Access — The Hidden Door Attackers Love

One of the most under-secured pathways into facilities is third-party remote access. Vendors and integrators routinely connect to OT networks for monitoring, maintenance, and upgrades. This means an exposure risk due to:

  • Shared or weak credentials.
  • Persistent VPN tunnels.
  • Inconsistent alignment with the utility’s mandated security protocols.

(Figure: Top threats according to WaterISAC, 2025)

The bulletin warns that some vendors leave devices directly exposed to the internet, creating open invitations for attackers. — WaterISAC Q1 2025 Bulletin, page 1

Once inside, an adversary can encrypt critical systems for ransom, move laterally to other assets, or manipulate operational production controls.

Operational Guidance:

  • Contractual safeguards — Require multi-factor authentication (MFA), network segmentation, and alignment with the utility’s internal security policies in every vendor agreement, so that every contracted agency or individual is bound to them.
  • Continuous and intent-based verification — Treat remote access as a session-by-session risk, not a one-time login event. Verify operator identity and device trustworthiness before and during every session.
  • Vendor security audits — Audit vendor access as often as you audit internal controls, and require that third-party individuals and teams run security audits of their own staff and infrastructure.

For readers in the ICP community, such as CIOs and OT directors, this is a governance issue. If a session cannot be verified as coming from an authorized user at a trusted workstation, it should be denied, regardless of whose credentials are being used. This principle addresses the "lateral movement" opportunity that attackers exploit after initially breaching the environment. 
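The session-by-session model described above can be made concrete. The following is an added example, not code from this article, from Keystrike, or from WaterISAC: a small Python policy check that re-evaluates a vendor remote session at every event (login and each later heartbeat) instead of trusting a single login. The session records are constructed sample data, and the event attribute names, the allow-list of vendor jump hosts, and the re-verification interval are assumptions chosen for illustration.

```python
"""Session-by-session verification of vendor remote access.

Added example, not code from the article, Keystrike, or WaterISAC: a small
policy check that re-evaluates a vendor session at every event (login and
periodic heartbeats) instead of trusting a one-time login. The session
records are constructed sample data; the attribute names, the allow-list of
vendor jump hosts, and the re-verification interval are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy parameters (assumed values for illustration).
REVERIFY_INTERVAL = timedelta(minutes=15)                    # max gap between verified events
APPROVED_VENDOR_HOSTS = {"vendor-jump-01", "vendor-jump-02"}  # constructed allow-list


@dataclass
class SessionEvent:
    at: datetime
    user: str
    source_host: str
    mfa_verified: bool            # MFA result presented with this event
    workstation_attested: bool    # device posture/attestation result at this event


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_event(ev: SessionEvent, last_verified: Optional[datetime]) -> Decision:
    """Check one event against policy. last_verified is the time of the most
    recent event in this session that passed every check (None at login)."""
    d = Decision(allowed=True)
    if not ev.mfa_verified:
        d.allowed = False
        d.reasons.append("mfa-missing")
    if ev.source_host not in APPROVED_VENDOR_HOSTS:
        d.allowed = False
        d.reasons.append("unapproved-source-host")
    if not ev.workstation_attested:
        d.allowed = False
        d.reasons.append("workstation-not-attested")
    if last_verified is not None and ev.at - last_verified > REVERIFY_INTERVAL:
        d.allowed = False
        d.reasons.append("reverification-overdue")
    return d


def run_session(events: List[SessionEvent]) -> Tuple[bool, List[Decision]]:
    """Replay a session's events in time order. The session is cut at the first
    failing event and does not resume on its own; returns (still_allowed, decisions)."""
    last_verified: Optional[datetime] = None
    decisions: List[Decision] = []
    for ev in sorted(events, key=lambda e: e.at):
        d = evaluate_event(ev, last_verified)
        decisions.append(d)
        if not d.allowed:
            return False, decisions
        last_verified = ev.at
    return True, decisions


def sample_sessions():
    """Constructed sessions: one that drifts out of policy mid-session, and one
    that fails at login because it comes from an unapproved laptop."""
    t0 = datetime(2025, 3, 4, 8, 0)
    drift = [
        SessionEvent(t0, "vendor.tech", "vendor-jump-01", True, True),
        SessionEvent(t0 + timedelta(minutes=10), "vendor.tech", "vendor-jump-01", True, True),
        # Device posture lapses (e.g. the agent stops reporting) while the session is live.
        SessionEvent(t0 + timedelta(minutes=20), "vendor.tech", "vendor-jump-01", True, False),
        SessionEvent(t0 + timedelta(minutes=30), "vendor.tech", "vendor-jump-01", True, True),
    ]
    bad_login = [
        SessionEvent(t0, "vendor.tech", "contractor-laptop", True, True),
    ]
    return {"drift": drift, "bad_login": bad_login}


if __name__ == "__main__":
    for name, events in sample_sessions().items():
        ok, decisions = run_session(events)
        print(name, "allowed" if ok else "terminated", [d.reasons for d in decisions])
```

The point of the replay is the third "drift" event: the login was valid, the credentials never changed, yet the session is terminated the moment the workstation attestation lapses. A later healthy heartbeat does not silently restore access; the vendor has to re-establish the session and pass every check again, which is the "before and during every session" posture in code.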

Exposed ICS and HMI Risks

In December 2024, CISA and EPA jointly warned about the dangers of internet-exposed human–machine interfaces (HMIs). 

WaterISAC cites Censys data showing 145,000+ ICS devices visible online worldwide, over one-third in the U.S., with actual figures likely higher. — WaterISAC Q1 2025 Bulletin, page 2

ICS and HMIs are purposely designed for local operational control, not open internet access. Exposing OT systems to outside networks could allow attackers to:

  • Alter chemical dosing or testing processes.
  • Disrupt pumping schedules, which can lead to contamination risks and water quality degradation.
  • Force unsafe equipment states, leading to system and operator risks.

Mitigation Priorities for ICS teams and systems:

  1. Inventory every internet-facing ICS/HMI.
  2. Disconnect or segment from public networks.
  3. Enforce strong, unique credentials.
  4. Apply MFA across the entire OT network, not just HMIs.
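Steps 1 and 2 above (inventory every internet-facing ICS/HMI, then disconnect or segment it) are the ones a script can help with. The following is an added example, not code from this article, from WaterISAC, or from CISA: a Python check that takes an asset inventory export and a first-match firewall rule list, flags ICS/HMI control ports that a public source address could reach, and pairs each finding with the segmentation action. The inventory CSV, the rule list, and the asset names are constructed for the example; the port-to-protocol mapping uses real well-known assignments but is illustrative rather than exhaustive.

```python
"""Inventory check for internet-reachable ICS/HMI services.

Added example, not code from the article, WaterISAC, or CISA: given an asset
inventory and a first-match firewall rule list, flag ICS/HMI control ports
that a public source address could reach, and pair each finding with the
segmentation action. The inventory CSV, rule list and asset names are
constructed; the port-to-protocol mapping uses real well-known assignments
but is illustrative, not exhaustive.
"""
import csv
import io
import ipaddress

# Well-known ICS/HMI ports (real assignments; extend for your own protocol set).
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
    5900: "VNC (common for remote HMI display)",
}

# Constructed sample inventory, as an OT team might export it.
INVENTORY_CSV = """\
asset_id,ip,role,zone,open_ports
plc-01,10.20.1.10,PLC,ot-cell-1,502;102
hmi-01,10.20.1.20,HMI,ot-cell-1,5900;443
hist-01,10.30.0.5,Historian,dmz,443;1433
ws-it-01,10.1.5.33,Workstation,it,445
"""

# Constructed sample rules, evaluated first match wins:
# (source CIDR, destination CIDR, destination port or "any", action)
FIREWALL_RULES = [
    ("0.0.0.0/0",   "10.20.1.20/32", 5900,  "allow"),  # vendor asked for VNC "to the HMI"
    ("0.0.0.0/0",   "10.20.1.10/32", 502,   "allow"),  # "temporary" vendor rule never removed
    ("0.0.0.0/0",   "10.30.0.5/32",  443,   "allow"),  # historian web view
    ("10.1.0.0/16", "10.20.0.0/16",  "any", "allow"),  # IT -> OT, overly broad but internal
    ("0.0.0.0/0",   "0.0.0.0/0",     "any", "deny"),   # default deny
]


def parse_inventory(text):
    """Parse the CSV export; open_ports becomes a list of ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["open_ports"] = [int(p) for p in row["open_ports"].split(";") if p]
        rows.append(row)
    return rows


def includes_public_sources(net):
    """True if the source range contains at least one non-private address."""
    return net.prefixlen == 0 or not net.is_private


def reachable_from_internet(rules, ip, port):
    """First-match evaluation for a packet from a public source to ip:port.
    Rules whose source range is entirely private cannot match such a packet."""
    target = ipaddress.ip_address(ip)
    for src, dst, rport, action in rules:
        if not includes_public_sources(ipaddress.ip_network(src)):
            continue
        if target not in ipaddress.ip_network(dst):
            continue
        if rport != "any" and rport != port:
            continue
        return action == "allow"
    return False  # implicit deny when nothing matched


def find_exposures(inventory, rules):
    """Return one finding per ICS/HMI port reachable from the internet."""
    findings = []
    for asset in inventory:
        for port in asset["open_ports"]:
            if port in ICS_PORTS and reachable_from_internet(rules, asset["ip"], port):
                findings.append({
                    "asset_id": asset["asset_id"],
                    "ip": asset["ip"],
                    "port": port,
                    "service": ICS_PORTS[port],
                    "zone": asset["zone"],
                    "action": "remove public rule; reach only via segmented, MFA-gated jump host",
                })
    return findings


if __name__ == "__main__":
    for f in find_exposures(parse_inventory(INVENTORY_CSV), FIREWALL_RULES):
        print(f"{f['asset_id']} ({f['ip']}:{f['port']} {f['service']}, zone {f['zone']}): {f['action']}")
```

Run against the constructed data, the check reports the HMI's VNC port and the PLC's Modbus port as reachable from the internet; the historian's 443 is reachable too but is not a control protocol, so it is left for the web-exposure review rather than the ICS list. In a real utility the inventory would come from the asset-management export and the rules from the perimeter firewall; the value of the script is that it is repeatable, so step 1 becomes a recurring control rather than a one-off survey.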

For technical managers, this needs to be treated with zero tolerance. Even with seemingly strong passwords, adversaries can brute-force or phish for access.

Lessons from Salt Typhoon: State-Sponsored Attack Spillover

The Salt Typhoon campaign, linked to Chinese state-sponsored actors, breached at least nine major U.S. telecoms by January 2025, collecting sensitive metadata and communications of senior officials. — WaterISAC Q1 2025 Bulletin, page 2

This breach stands as a reminder. Even when attacks target an industry, the techniques and tools used lead to risks for other critical infrastructure sectors. Adversaries adapt proven methods to new targets, and sectors like water and wastewater cannot assume immunity simply because they haven’t yet been named in a campaign.

While the victims were in telecom, the tactics are sector-agnostic:

  • Long-term, stealthy persistence.
  • Targeting of metadata (network use patterns, vendor access logs).
  • Exploitation of unpatched systems.

Why This Matters to Facilities:

  • Pre-positioning for disruption — Similar campaigns could be activated during geopolitical crises.
  • Metadata as intelligence — Even if process control data is secure, adversaries can infer shift schedules, vendor dependencies, or maintenance windows from network metadata.
  • Shared infrastructure risk — If your vendor is breached, you inherit their compromise.

Defensive Actions:

  • Segment IT, OT, and vendor networks.
  • Prioritize patching of both in-house and vendor-supplied systems.
  • Use encrypted channels for sensitive operational coordination.

Insider Threats — Beyond Employees

Insiders are not limited to payroll staff. Contractors, service providers, auditors, and even janitorial staff may have access to buildings or systems. Risks include:

  • Witting insiders acting maliciously.
  • Unwitting insiders with poor security habits.

Common gaps: unlocked access points, open network ports, or unsecured control interfaces.

Practical Measures:

  • Review and audit vendor security practices before contracting.
  • Supervise vendor work, especially in OT zones.
  • Require MFA, session logging, and least-privilege access.
  • Enforce continuous, intent-based authentication.
  • Foster a “see something, say something” culture.

Keystrike-aligned best practice: treat all access, whether employee or vendor, as “conditionally trusted” until verified in real time.

Drone Threats and Cyber-Physical Convergence

Drone threats have evolved from nuisance to lethal capability. 

In late 2024, a domestic extremist was arrested for attempting to destroy a power substation with an explosive-laden drone. — WaterISAC Q1 2025 Bulletin, page 3

Risks to the water sector:

  • Payload delivery against physical assets.
  • Surveillance of plant layouts and security gaps.
  • Wireless signal interception or interference.

Drones could also facilitate cyber attacks, e.g., dropping wireless sniffers or rogue access points near facilities.

Defensive Priorities:

  • Monitor and log drone activity near perimeters.
  • Coordinate with law enforcement on the response.
  • Track emerging counter-drone technologies, even if civilian deployment is limited.

National Counterintelligence Strategy — Goal 7 in Focus

The National Counterintelligence Strategy’s Goal 7 emphasizes defending water utilities from foreign intelligence entities. Adversaries now blend:

  • Cyber intrusions.
  • Physical infiltration.
  • Supply chain compromise.
  • Insider recruitment.

They use advanced tools, AI, drones, and commercial spyware to gather intelligence and disrupt operations.

Implication for Utilities: Counterintelligence is no longer an intelligence agency silo; it’s a utility boardroom topic. Embedding awareness into daily operations, sharing intelligence with WaterISAC, and hardening trust boundaries are now baseline practices.

Resilience Recommendations

Drawing from WaterISAC guidance and sector best practices, utilities should:

  1. Zero Trust for Remote Access
    • Verify every session.
    • Authenticate the operator’s identity and workstation integrity before and during access.
  2. Secure-by-Design Vendor Contracts
    • Mandate MFA, segmentation, and continuous logging.
    • Reserve the right to audit security controls.
  3. Active Threat Intelligence Integration
    • Consume WaterISAC advisories daily.
    • Feed alerts into operational playbooks.
  4. Cyber–Physical Fusion
    • Link drone monitoring and perimeter security with OT intrusion detection.
  5. Incident Reporting Discipline
    • Report promptly to WaterISAC; sector resilience depends on collective visibility.

Conclusion 

The Q1 2025 WaterISAC–EPA Bulletin highlights that facilities are facing a threat landscape where the lines between cyber and physical attacks are increasingly blurring. Consequently, trusted relationships with vendors, contractors, and remote sessions have emerged as new high-risk areas.

Protecting this infrastructure demands a mindset shift:

  • Zero-Trust Principles - Every connection is suspect until verified.
  • Intent-based Authentication - Every session must prove it originates from a trusted human on a trusted device.
  • Transparency and Collaboration - Every incident, no matter how small, must feed the sector’s shared defense.

WaterISAC is among the community’s most valuable assets in the battle against escalating cybersecurity risks. We are proud to be involved with the WaterISAC community, which serves as a trusted hub for intelligence, collaboration, and rapid response coordination. The sector’s collective security depends on not just reading their bulletins, but operationalizing them.

The next incident will test readiness. The time to close the remote access integrity gap and lock down critical systems is now.
