- Critical Infrastructure Cybersecurity
Protecting Water and Wastewater Systems from Cyber Compromise
In October 2024, American Water—the largest regulated water utility in the United States, serving more than 14 million people—disclosed that it had suffered a significant cyberattack. The company was forced to shut down its customer billing platform and other systems while it addressed the breach. While operational systems and water quality remained unaffected, the incident underscored a reality that security leaders in the water sector already know: adversaries are actively targeting the infrastructure that delivers and treats the water Americans depend on every day.
The American Water breach was not isolated. Throughout 2024, water utilities faced a surge of incidents. Multiple Texas facilities were hit by attacks targeting SCADA systems, with one in Muleshoe experiencing a water tank overflow before operators regained control. The Arkansas City water treatment facility in Kansas switched to manual operations following a cybersecurity incident. According to the EPA, more than 70% of inspected water systems do not fully comply with the Safe Drinking Water Act’s cybersecurity requirements.
Nation-State Prepositioning: The Core Threat
The most consequential threat to water infrastructure is systematic prepositioning by nation-state actors. CISA and partner agencies have confirmed that Volt Typhoon, a PRC state-sponsored group, has compromised the IT environments of water and wastewater systems organizations—embedding persistent access that can be leveraged for disruptive attacks during a geopolitical crisis.
In one documented compromise, Volt Typhoon actors maintained access to a water utility’s network for nine months, moving laterally through IT systems and positioning themselves adjacent to OT assets with potential access to water treatment plants, water wells, and critical control systems. FBI Director Christopher Wray has stated that Volt Typhoon is prepositioning to cause real-world harm to American citizens in the event of conflict.
Water utilities have also faced attacks from Iranian-linked actors exploiting Unitronics programmable logic controllers (PLCs), and Russian-affiliated hacktivist groups targeting SCADA systems. These threats share a common target: the intersection of IT and OT that makes water treatment and distribution possible.
The Security Readiness Gap
These threats expose critical gaps in how water utilities prepare their defenses—gaps that create risk regardless of what security tools have been deployed.
Teams lack realistic training on OT-specific attacks. Defending critical infrastructure, especially water utilities, requires specialized skills in industrial protocols like Modbus and DNP3, and OT systems like SCADA platforms, PLCs, and HMIs. Security personnel need hands-on experience with the specific attack techniques that Volt Typhoon and other threat actors use against water systems—not generic IT security scenarios. Without realistic practice environments, teams cannot develop the skills and reflexes needed to detect and respond to OT-targeted intrusions.
Security tools go untested against real adversary techniques. Utilities invest in SIEM, endpoint protection, network monitoring, and OT-specific security tools—but have limited visibility into how these tools perform against sophisticated adversary tradecraft. Detection logic that works against generic indicators may miss the living-off-the-land techniques that nation-state actors employ. Without validation against realistic attack patterns, coverage gaps remain invisible until an actual incident exposes them.
IT and OT teams don’t practice coordinating. Water utilities often have separate teams responsible for IT security and OT operations, with limited experience working together during incidents. When an attacker moves laterally from IT to OT systems, response effectiveness depends on coordination that hasn’t been rehearsed. Communication gaps and unclear handoff procedures slow containment and recovery.
Detection and response capabilities remain unvalidated. Boards, regulators, and oversight bodies increasingly ask security leaders: Can you detect an intrusion in your OT environment? Can you contain lateral movement? Can you recover if control systems are compromised? These questions cannot be answered with policy documentation or tabletop discussions. They require demonstrated capabilities—measurable evidence that teams can perform under realistic conditions.
The EPA has issued enforcement alerts emphasizing that cyberattacks on vulnerable water systems can disrupt treatment and distribution, damage infrastructure, and alter chemical levels to hazardous amounts. CISA and partner agencies have issued joint advisories conveying an expectation: utilities must demonstrate they can defend against these threats, not merely acknowledge them.
How Cyber Ranges Close the Readiness Gap
A modern cyber range creates a realistic simulation of your operational environment—IT systems, OT networks, SCADA architecture, industrial protocols—in a controlled setting where you can address each of the readiness gaps described above.
Train teams on realistic OT attack scenarios. Teams face attack campaigns similar to those that target water infrastructure, with a focus on the relevant systems—SCADA platforms, PLCs, HMIs, Modbus and DNP3 communications. Personnel develop practical skills against the techniques adversaries actually use.
Validate security tools against real attack patterns. Testing in a range environment reveals whether detection logic fires against sophisticated adversary tradecraft, not just generic indicators. Teams identify coverage gaps, tune alerting to reduce false positives, and confirm that their security stack performs as expected against relevant threats.
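As an added illustration of what validating detection logic against realistic OT traffic looks like (example code written for this article, not SimSpace's or any utility's own; the authorized-writer list, IP addresses and Modbus frames are constructed), the snippet below decodes Modbus/TCP frames and flags state-changing writes to a PLC from hosts outside the expected HMI set, the kind of rule a range exercise would test before it is trusted in production:

```python
import struct
from typing import List, Optional

# Modbus function codes that change PLC state (coils and holding registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical asset inventory: only the HMI is expected to write to the PLC.
AUTHORIZED_WRITERS = {"10.10.1.5"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the function code of a Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("not Modbus (protocol id must be 0)")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return {"tx_id": tx_id, "unit_id": unit_id,
            "function": frame[7], "data": frame[8:]}

def evaluate(src_ip: str, frame: bytes) -> Optional[str]:
    """Alert on state-changing requests from hosts not on the writer allowlist."""
    pdu = parse_modbus_tcp(frame)
    fc = pdu["function"]
    if fc in WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
        return f"ALERT unauthorized {WRITE_FUNCTIONS[fc]} from {src_ip} to unit {pdu['unit_id']}"
    return None

def build_frame(tx_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP frame (test fixture builder, not captured plant traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, unit_id) + pdu

# Constructed sample traffic: the HMI polls registers and writes a setpoint, then a
# workstation that should never talk to the PLC forces a coil (e.g. a pump control bit) on.
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),       # read 10 registers
    ("10.10.1.5", build_frame(2, 1, 6, struct.pack(">HH", 40, 1200))),    # HMI writes setpoint
    ("10.20.3.77", build_frame(3, 1, 5, struct.pack(">HH", 7, 0xFF00))),  # coil 7 ON from IT host
]

def run_detection(traffic=SAMPLE_TRAFFIC) -> List[str]:
    """Run the rule over (source IP, frame) pairs and return the alerts raised."""
    return [a for src, frame in traffic if (a := evaluate(src, frame))]
```

A range exercise would replay traffic like this through the production sensor stack and confirm that the write from the unexpected host produces an alert while routine HMI polling does not.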
Build IT/OT coordination through joint exercises. A cyber range provides a controlled environment for IT security and OT operations teams to practice working together during simulated incidents. These exercises identify communication gaps and handoff issues before a real incident exposes them, building the cross-functional coordination that effective response requires.
Generate measurable evidence of capability. Live-fire exercises produce quantifiable data—detection times, containment effectiveness, recovery duration—that demonstrates actual readiness. Security leaders can show boards and regulators measurable improvement over time, transforming resilience from an assertion into documented capability.
What to Look for in a Cyber Range Platform
Not all ranges support the complexity of water and wastewater OT environments. Prioritize these capabilities:
Support for legacy and specialized systems. Water utilities run equipment on legacy operating systems and specialized OT firmware that standard cloud hypervisors cannot replicate. Your platform must support any operating system—not just public cloud VM catalogs.
Hardware-in-the-loop integration. Some OT environments require actual physical equipment to participate in exercises, particularly for validating PLC behavior under attack conditions.
Full security stack integration. Your SIEM, SOAR, endpoint, and OT security tools should integrate into the range so teams train and test with production tools.
Dynamic adversary emulation. Look for adaptive emulation with realistic background traffic from thousands of simulated users—the operational noise defenders navigate in production.
Operational independence. Your readiness program should not depend on public cloud availability.
SimSpace for Water and Wastewater Security
SimSpace’s platform addresses each of the readiness gaps that leave water utilities vulnerable. The cyber range provides sector-specific emulations for water and wastewater systems—with support for legacy operating systems and hardware-in-the-loop integration. Teams train and test with their complete production security stacks against dynamic adversary emulation, generating measurable data on detection times, response effectiveness, and improvement over time.
Building Validated Resilience
The threats facing water utilities are real and active. Nation-state actors have already established persistent access to water sector networks, positioning themselves to disrupt operations during a future crisis. Security leaders need to ensure their teams can detect these intrusions, their tools can identify adversary techniques, and their organizations can respond effectively when attacks occur.
This requires moving beyond compliance checklists to realistic testing that proves your teams, tools, and processes perform against the specific threats targeting water infrastructure. A realistic, intelligent cyber range is how you get there.
To learn how SimSpace helps water and wastewater utilities train teams, test OT security controls, and validate resilience against critical infrastructure threats, schedule a demo with a critical infrastructure security expert.
For elite cybersecurity teams under siege in an AI-fueled threat landscape, SimSpace is the realistic, intelligent cyber range that strengthens teams, technologies, and processes to outsmart adversaries before the fight begins. To learn how SimSpace helps organizations graduate from individual to team and AI model training; test tools, tech stacks, and AI agents; and validate controls, processes, and agentic workflows, visit: http://www.SimSpace.com.