Securing the Flow: Building Cyber Resilience into Water’s Digital Future

Authored by Jacobs' SVP of Operational Technology Cybersecurity John Karabias and Director of Operational Technology Cybersecurity Ben Stirling

In Virginia, where the James and York rivers spill into the Chesapeake Bay, a water utility is delivering a transformative modernization project.

Since 1940, Hampton Roads Sanitation District (HRSD) has been cleaning up what gets flushed away and returning it safely to the environment. But that mandate is evolving.

Like every water utility, HRSD serves a growing population, with nearly two million people across 20 cities and counties relying on its network of pipes, pumps and water treatment facilities. In response, HRSD is providing smart solutions like water reuse and energy recovery, underpinned by increasingly sophisticated digital operating systems. The utility is also investing in a less visible but no less critical area: strengthening cybersecurity protections that keep its network secure.

The move wasn’t prompted by a data breach — rather it’s recognition that the digital infrastructure that improves resilience can also introduce vulnerabilities.

In the Caribbean Sea, the Puerto Rico Aqueduct and Sewer Authority (PRASA) is also moving to tighten its cyber defenses.

As the sole provider of potable water and wastewater services for nearly the entire population of the archipelago, and with more than 4,000 assets spread along its network, the utility is building a digital system that provides a real-time view of the network’s status. This will give PRASA a clearer read on vulnerabilities and help the utility respond more quickly in the face of catastrophic events, including cyberattacks.

Most water utilities remain less prepared.

“There are more than 55,000 water and wastewater utilities in the U.S. Most are small, serving fewer than 100,000 people, and they do not plan for cyber risks. They lack the right architecture, monitoring or controls to properly defend against modern cyber threats.”

Roger Caslow

Chief Information Security Officer, HRSD

Why are water utilities becoming a focal point of concern?

Water utilities are targets for cyberattacks for two reasons: their systemic vulnerabilities and the potentially widespread impact of a successful breach on large sections of the population. There’s also a deeper, societal dimension at play — water is universal and essential. Every successful defense or proactive investment in cybersecurity reinforces a simple but powerful promise: that the operating systems delivering safe, reliable water will function, no matter the threat.

The risk is real. Water utilities face threats from hostile states and terrorist organizations to criminal gangs and disgruntled insiders. The motives vary. Some want financial gain while others use cyber techniques to destabilize and promote military, political or social causes.

For example, in the widely reported Volt Typhoon incursion, a hostile state-sponsored group attempted to gain access to U.S. water infrastructure now in order to impact the population during a potential future military conflict. What unites these malicious actors is their focus on control systems, confidential information and the critical digital infrastructure central to utility operations.

“For water utilities, cyber incidents mean more than data breaches — they can directly impact services, public health and safety.”

Monica Jorge

Specialist in Security Systems Operations, Puerto Rico Aqueduct and Sewer Authority

Digital progress triggers a cyber reaction

These incursions are taking place as digital tools are reshaping operations, with Supervisory Control and Data Acquisition (SCADA) upgrades, remote flood monitoring and cloud-connected assets making water utilities more efficient. Cyber resilience must move in lockstep with these system upgrades.

Engineers wouldn’t design a treatment plant without redundancy or resilience, yet cybersecurity is often an afterthought for water utilities. Making systems secure by design requires a rethink, one where engineering phases and cybersecurity requirements advance together. The integration of engineering and cyber thinking is at the heart of how teams need to approach digital transformation across all utilities and critical infrastructure. 

“Cyber-informed engineering — designing or upgrading a facility with cyber risk in mind — is essential. Security measures need to be built into engineering processes rather than added as an afterthought.”

Roger Caslow

Chief Information Security Officer, HRSD

Building resilience from day one

In the same way that facility design needs to embed cyber requirements, resilience must be built into the fabric of digital water infrastructure — but technology alone does not deliver resilience. It’s achieved by integrating cybersecurity thinking into how systems are engineered, operated and governed, aligning human, physical and digital systems to anticipate risk and disruption.

Best practice in delivering resilience from design through delivery centers on a collaborative approach, such as Jacobs’ partnership with PA Consulting, that blends deep operational technology knowledge with advanced cybersecurity, digital strategy and innovation capabilities.

An embedded approach to cyber defense

Among the risks facing water utilities are operating systems that are connected without formal inventories or visibility, and legacy components operating without modern safeguards.

Jacobs’ assessment of 35+ utilities identified other fundamental gaps such as a lack of operational technology (OT) incident response and business continuity plans, which increases the risk of prolonged disruptions. The study also identifies a lack of asset visibility as a problem: without a full inventory, utilities can struggle to apply security controls, detect anomalies or manage patches effectively.

The assessment also found silos between IT and OT, with unclear responsibilities and governance hindering monitoring, response and risk management. Flat networks (where most systems are connected without internal separation), underused firewalls and absent intrusion detection systems further exacerbated the risk, exposing critical infrastructure to lateral movement by malicious actors. The study shows that for many utilities, a shift towards a strategic and proactive cybersecurity approach is overdue.

Bringing IT and OT teams together

Many operators don’t have a clear view of what’s running, what’s connected or what’s critical. If a risk isn’t visible, it remains abstract until a breach makes it real. The convergence of IT and OT presents a considerable opportunity for progress — helping utilities move from reactive defenses to integrated, operational resilience. Security should align with utility priorities: resilience, regulation and customer trust.

“Planning for cyber risk means knowing your assets, understanding your systems’ interdependencies and building strong cross-functional collaboration between operations.”

Monica Jorge

Specialist in Security Systems Operations, Puerto Rico Aqueduct and Sewer Authority

Planning for risk how we plan for water

When it comes to operational excellence, best practice involves preventative, proactive maintenance — planning and testing for failure and maintaining infrastructure with care. 

Water utility operators need to treat cybersecurity with the same discipline. It’s about identifying what matters most, isolating critical systems and building security measures into project delivery. The alignment between physical and digital resilience has become a defining feature of modern critical infrastructure planning — ensuring that reliability, safety and security evolve together.

The thinking behind the Consequence-driven, Cyber-informed Engineering (CCE) approach developed by Idaho National Labs flips the conventional cyber-resilience playbook. Instead of focusing on tools, it starts with priorities and asks: what can’t afford to fail?

The process unfolds in four phases. First, utilities identify the most critical operations that, if disrupted, would cause the most harm. Then in phase two, they map the digital and physical interdependence surrounding those assets. Phase three analyzes how a malicious actor could reach those targets, and what information they would need to succeed. Only in phase four do mitigations come in: not generic defenses, but targeted actions that disrupt the attacker’s most likely path. It’s a shift from broad-based defense to consequence-driven design.

“It’s a very strong methodology — what stands out is the focus on consequence and protecting the most critical functions.”

Monica Jorge

Specialist in Security Systems Operations, Puerto Rico Aqueduct and Sewer Authority

About the authors

John Karabias – Senior Vice President for Cybersecurity and OT at Jacobs

John has more than 20 years of experience in cybersecurity and digital consulting in national security and critical infrastructure protection. Over his career, he has held operations management, sales and corporate strategy leadership roles at multiple Fortune 500 companies. In his current position, he leads a global workforce of industrial cybersecurity professionals that protect Operational Technology (OT) in markets such as water, transportation and advanced manufacturing.

In addition to his role at Jacobs, John is an adjunct professor of Information Systems at Loyola University of Maryland and serves on several for-profit and non-profit boards where he is committed to causes such as technology incubation, sustainable economic development and K-12 education. 

Ben Stirling – Director of Cybersecurity & OT at Jacobs

Ben has more than 18 years’ experience spanning information technology, physics and cybersecurity analysis. Ben identifies security and operational risks and implements practical mitigations that strengthen resilience for clients. He leads and supports secure system and network operations, from architecture and hardening through incident readiness and OT integration for connected assets and industrial networks, while providing project management to deliver complex work safely and on schedule.

Ben advises organizations across banking, publishing, energy and healthcare, as well as a range of commercial clients, translating technical findings into clear actions that protect critical operations.
