Water Utilities Run Decades-Old Control Systems That Cannot Be Secured Against Modern Cyber Threats
Problem Statement
Water utilities and other critical infrastructure operators depend on operational technology (OT): SCADA servers and HMIs, programmable logic controllers (PLCs), and remote terminal units (RTUs) that were designed decades ago for isolated networks with no internet connectivity. These systems now increasingly interface with IT networks for remote monitoring and management, but they lack basic security features: the industrial protocols they speak (Modbus, DNP3) carry no authentication or encryption as commonly deployed, the devices keep little or no security logging, and controller firmware cannot be patched without taking the process offline. In October 2024, American Water, the largest regulated water and wastewater utility company in the United States, detected unauthorized activity on its computer networks and took its customer portal and billing systems offline; the company reported that water and wastewater operations were not affected, but the incident illustrates how exposed these operators are even when attackers stop short of the process network. The WEF reports that control system manipulation risks in water infrastructure increased 46% in a single year, while remote access points remain the primary attack vector.
Why This Matters
Water systems serve every person in a community; a successful attack can contaminate drinking water, disrupt treatment processes, or cause physical damage to infrastructure. The WEF Global Cybersecurity Outlook 2025 found that 38% of public-sector organizations report insufficient cyber resilience, and the cybersecurity workforce gap has reached 2.8–4.8 million professionals globally. Most water utilities are small: the U.S. has over 50,000 community water systems, the large majority serving fewer than 10,000 people, and they lack both the budget and the expertise for a cybersecurity program. Reported state-sponsored attacks on power distribution OT have increased 72% (the same report; water faces the same threat with far smaller budgets), and 54% of large organizations identify supply chain and third-party vulnerabilities as their biggest barrier to resilience.
What’s Been Tried
IT security tools transfer poorly to OT environments: an active vulnerability scanner's port sweep or malformed probe can hang a legacy PLC, an inline firewall adds latency that real-time control loops cannot tolerate, and endpoint agents cannot be installed on controllers or on the end-of-life Windows hosts that run the HMI. Network segmentation, the standard recommendation, requires knowing every communication pathway in the OT network, and that is undocumented in most legacy installations. CISA has published advisories and frameworks, but small utilities lack the personnel to interpret and implement them. Vulnerability assessments designed for IT systems misidentify OT devices and produce false positives when pointed at industrial protocols (Modbus, DNP3, BACnet), because the scanners do not understand the protocol semantics; worse, their active probes can crash the very devices being assessed. Replacing legacy OT systems wholesale is prohibitively expensive (a SCADA upgrade for a mid-size utility costs $5–20M) and operationally risky, since these systems cannot be taken offline for migration without disrupting service.
What Would Unlock Progress
A low-cost, passive OT network monitoring tool designed specifically for small and mid-size water utilities could dramatically improve visibility into OT security posture without disrupting operations. Passive here means the tool listens on a switch mirror (SPAN) port or a network tap and never sends a packet toward a controller, which is what makes it safe to deploy beside fragile legacy equipment. It would require protocol-aware packet inspection for common OT protocols (Modbus TCP, DNP3, EtherNet/IP), anomaly detection baselined against normal operational patterns (which hosts poll which controllers, with which function codes, touching which register ranges), and output written for operators who are water engineers, not cybersecurity specialists. A "security assessment in a box" approach, hardware that passively monitors OT network traffic and generates actionable reports without requiring deep cybersecurity expertise, would address the workforce gap. Open-source approaches would enable adoption at utilities that cannot afford commercial OT security platforms.
Entry Points for Student Teams
A student team could build a passive OT network monitor using a Raspberry Pi or similar device that sniffs Modbus TCP traffic (one of the most common protocols in water utility SCADA), identifies connected devices, maps communication patterns, and flags anomalies against a learned baseline. Publicly available Modbus traffic datasets exist for testing, and Zeek (formerly Bro) ships Modbus and DNP3 analyzers, with the ICSNPP parser set adding further industrial protocols. The team would test the tool against simulated attack scenarios in a lab environment (a software PLC simulator on an isolated network), never against a live utility network; a monitor that only listens is safe to deploy, but the attack traffic used to test it is not. This is a feasible prototype project for students with networking and embedded systems skills. A complementary approach would be designing a cybersecurity assessment workflow tailored for small water utility operators with no IT staff.
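The monitor described in this section and in "What Would Unlock Progress", as an added example that is not part of the brief and not the code of any existing tool: it decodes the Modbus/TCP MBAP header and the leading PDU fields, learns which (client, server, unit id, function code) tuples and register spans occur during a baseline window, and then flags frames that introduce a new client, a write from a host that never wrote, a new function code, or a register range outside the baseline. The frames, the IP addresses (HMI, PLC, laptop) and the alert rules are constructed for illustration; real traffic would come from a mirror port via a capture library.

```python
"""Passive Modbus/TCP baseline-and-anomaly monitor (constructed example)."""
import struct

# Public function codes used here (Modbus Application Protocol Specification V1.1b3).
FUNCTION_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers", 6: "Write Single Register",
    16: "Write Multiple Registers", 43: "Read Device Identification",
}
WRITE_CODES = {5, 6, 15, 16}          # functions that change controller state
RANGED_CODES = {1, 2, 3, 4, 15, 16}   # PDU begins with address(2) + quantity(2)
SINGLE_CODES = {5, 6}                 # PDU begins with address(2) + value(2)


def parse_modbus_request(payload: bytes) -> dict:
    """Decode the MBAP header and the leading PDU fields of a Modbus/TCP request.

    MBAP: transaction id (2), protocol id (2, always 0 for Modbus), length (2,
    the number of bytes that follow it), unit id (1). PDU: function code (1), data.
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    req = {"tid": tid, "unit": unit, "fc": fc, "start": None, "count": None}
    if fc in RANGED_CODES and len(payload) >= 12:
        req["start"], req["count"] = struct.unpack(">HH", payload[8:12])
    elif fc in SINGLE_CODES and len(payload) >= 10:
        req["start"], req["count"] = struct.unpack(">H", payload[8:10])[0], 1
    return req


class ModbusBaseline:
    """Learn (client, server, unit, fc) -> [lowest, highest] register address seen."""

    def __init__(self):
        self.flows = {}
        self.learning = True

    def observe(self, client, server, payload):
        req = parse_modbus_request(payload)
        key = (client, server, req["unit"], req["fc"])
        start = req["start"]
        end = None if start is None else start + req["count"] - 1
        if self.learning:                      # widen the span, alert on nothing
            span = self.flows.setdefault(key, [start, end])
            if start is not None:
                if span[0] is None:
                    span[0], span[1] = start, end
                else:
                    span[0], span[1] = min(span[0], start), max(span[1], end)
            return None
        seen_from_client = [k for k in self.flows if k[0] == client]
        tags = []
        if not seen_from_client:
            tags.append("new-client")
        if req["fc"] in WRITE_CODES and not any(k[3] in WRITE_CODES for k in seen_from_client):
            tags.append("unexpected-write")
        if key in self.flows:
            lo, hi = self.flows[key]
            if start is not None and lo is not None and (start < lo or end > hi):
                tags.append("register-range")
        elif not tags:
            tags.append("new-function")
        if not tags:
            return None
        return {"client": client, "server": server, "unit": req["unit"], "fc": req["fc"],
                "fc_name": FUNCTION_NAMES.get(req["fc"], "other"), "tags": tags}


def frame(tid, unit, fc, data=b""):
    """Build a constructed Modbus/TCP request frame (example input, not captured traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def rw(start, quantity):
    return struct.pack(">HH", start, quantity)


HMI, PLC, LAPTOP = "10.10.1.5", "10.10.2.20", "10.10.1.77"   # assumed addresses
BASELINE_TRAFFIC = [   # constructed: the HMI polls registers 0-49 and coils 0-15
    (HMI, PLC, frame(1, 1, 3, rw(0, 50))),
    (HMI, PLC, frame(2, 1, 3, rw(0, 50))),
    (HMI, PLC, frame(3, 1, 1, rw(0, 16))),
]
SUSPECT_TRAFFIC = [    # constructed
    (HMI, PLC, frame(4, 1, 3, rw(0, 50))),                    # routine poll, no alert
    (HMI, PLC, frame(5, 1, 3, rw(100, 10))),                  # HMI reads a block it never touched
    (LAPTOP, PLC, frame(1, 1, 43, b"\x0e\x01\x00")),          # unknown host fingerprints the PLC
    (LAPTOP, PLC, frame(2, 1, 6, rw(40, 0))),                 # unknown host writes a setpoint
    (HMI, PLC, frame(6, 1, 16, struct.pack(">HHB", 40, 1, 2) + b"\x00\x64")),  # HMI's first write
]


def run_monitor(baseline, suspect):
    """Learn from the baseline window, then return the alerts raised by later frames."""
    mon = ModbusBaseline()
    for client, server, payload in baseline:
        mon.observe(client, server, payload)
    mon.learning = False
    return [a for a in (mon.observe(c, s, p) for c, s, p in suspect) if a]


if __name__ == "__main__":
    for a in run_monitor(BASELINE_TRAFFIC, SUSPECT_TRAFFIC):
        print(f"{a['client']} -> {a['server']} unit {a['unit']} "
              f"fc {a['fc']} ({a['fc_name']}): {', '.join(a['tags'])}")
```

The baseline is deliberately keyed on function code and register span rather than on byte counts or timing, because in a plant the polling pattern is stable and a controller's register map rarely changes; the first write from a host that only ever read, or a read of a register block nobody polls, is exactly the kind of event a water engineer can act on without a security background. Baseline learning must run during known-good operation, ideally across a full shift cycle, or routine maintenance traffic will later show up as alerts.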
Genome Tags
Source Notes
- The WEF Global Cybersecurity Outlook 2025 is based on surveys of 900+ executives and is publicly available in digest form.
- CISA's water sector advisories provide specific technical detail on OT vulnerabilities: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/water-and-wastewater-sector
- The October 2024 intrusion at American Water (the largest regulated U.S. water and wastewater utility company) is a concrete reference case; note that it affected the company's IT systems (customer portal and billing were taken offline) and, by the company's account, not water or wastewater operations.
- Cross-domain connection: this problem shares deep structure with the `infrastructure-cascading-failure-modeling` brief, since OT compromise in water systems can trigger cascade failures across infrastructure networks. Also related to `digital-autonomous-system-runtime-resilience` in that both involve maintaining system integrity under adversarial conditions.
- The WEF report's finding that 35% of small organizations believe their cyber resilience is inadequate (a sevenfold increase since 2022) suggests the problem is accelerating, not stabilizing.
- The 72% increase in state-sponsored attacks on power distribution systems means energy OT faces the same vulnerability, but water is more exposed because operator budgets are smaller.
"Global Cybersecurity Outlook 2025," World Economic Forum with Accenture, January 2025. https://www.weforum.org/publications/global-cybersecurity-outlook-2025/ (accessed 2026-02-12). Supplemented with "Global Risks Report 2025," WEF, January 2025. https://www.weforum.org/publications/global-risks-report-2025/ (accessed 2026-02-12).