Are our Municipal Water Systems Becoming a Prime Target for Critical Infrastructure OT Cyber Attacks?
- RubyComm Team
- Jun 30
- 4 min read
Here's something that should keep every water utility manager awake at night: security researchers at Censys just uncovered nearly 400 water treatment facilities with their control systems completely exposed to the internet. Even worse? Forty of these systems let anyone with a web browser take complete control over pumps, valves, and chemical feeds—no password required.
This isn't just another cybersecurity headline. It's a wake-up call that highlights how vulnerable our water infrastructure has become as utilities rush to digitize without properly securing their operational technology.
How We Got Here: The Double-Edged Sword of Digital Water Systems
Water utilities have embraced digital transformation over the past decade, and for good reason. Remote monitoring and control systems have revolutionized how operators manage everything from chemical dosing to pump operations. The efficiency gains are undeniable.
But here's the problem: the water industry was never built with internet connectivity in mind. These systems were designed for isolated, air-gapped environments where the biggest security concern was a locked gate and maybe a security guard.
The Censys researchers discovered this exposure almost by accident during a routine scan in October 2024. They noticed TLS certificates labeled "SCADA" across multiple water facilities, all using identical web server layouts from the same HMI software platform. That shared fingerprint was the key: one search pattern turned up hundreds of installations at once.
The researchers found three types of exposures:
Authenticated systems (the good news—these require login credentials)
Read-only systems (concerning: nothing can be changed from the page, but they still hand an attacker live process values, tag names, and the plant's layout for reconnaissance)
Completely open systems (the nightmare scenario—full control, no questions asked)
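As an added example (not Censys' or RubyComm's code), here is how a utility could sort its own external scan results into those three buckets and spot hosts that share one vendor's page template. The HostRecord fields, the keyword heuristics, and the sample hosts (documentation IP ranges) are all constructed for illustration; the classification is a triage aid, and anything flagged "open-control" or "read-only" should be confirmed by looking at the page, never by sending a write to a live plant.

```python
"""Triage scan output for water-facility HMIs exposed on the internet.

Added example, not code from Censys or RubyComm. HostRecord mimics what a
scanner export gives you per host (constructed fields); the sample hosts
below are invented and use documentation IP ranges.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HostRecord:
    ip: str
    cert_subject: str                   # TLS certificate subject, e.g. "CN=SCADA, O=..."
    status: int                         # HTTP status of a plain GET / on the HMI port
    headers: dict = field(default_factory=dict)
    body: str = ""                      # first few KB of the response body


# Words that mark a certificate or page as a water-process HMI (heuristic).
HMI_MARKERS = re.compile(r"scada|hmi|pump|valve|chlorin|setpoint", re.I)
# Signs that the landing page is gated behind a login form.
LOGIN_MARKERS = re.compile(r'type="password"|/login|sign in', re.I)
# Signs that the page offers writable controls (buttons, numeric inputs, setpoints).
CONTROL_MARKERS = re.compile(r'type="(?:number|range|submit)"|setpoint|\bstart\b|\bstop\b|/write', re.I)


def classify(rec: HostRecord) -> str:
    """Return one of: not-hmi, authenticated, read-only, open-control, unknown."""
    hdrs = {k.lower(): v for k, v in rec.headers.items()}
    if not (HMI_MARKERS.search(rec.cert_subject) or HMI_MARKERS.search(rec.body)):
        return "not-hmi"
    gated = (
        rec.status in (401, 403)
        or "www-authenticate" in hdrs
        or (rec.status in (301, 302) and "login" in hdrs.get("location", "").lower())
        or (rec.status == 200 and LOGIN_MARKERS.search(rec.body) is not None)
    )
    if gated:
        return "authenticated"
    if rec.status == 200 and CONTROL_MARKERS.search(rec.body):
        return "open-control"   # anyone who can reach the page can change the process
    if rec.status == 200:
        return "read-only"      # no controls seen; still leaks process data, confirm by eye
    return "unknown"


def layout_fingerprint(body: str) -> str:
    """Hash the sequence of HTML tags (values ignored) so identical HMI
    templates from the same vendor collapse to one fingerprint."""
    tags = re.findall(r"<([a-zA-Z][a-zA-Z0-9]*)", body)
    return hashlib.sha256("/".join(t.lower() for t in tags).encode()).hexdigest()[:16]


def cluster_by_layout(records):
    """Group HMI hosts that returned a body by layout fingerprint -> list of IPs."""
    clusters = defaultdict(list)
    for rec in records:
        if rec.body and classify(rec) != "not-hmi":
            clusters[layout_fingerprint(rec.body)].append(rec.ip)
    return dict(clusters)


# Constructed sample records: what a scan of a utility's own address space might return.
SAMPLE_HOSTS = [
    HostRecord("198.51.100.10", "CN=SCADA, O=Riverside Water District", 401,
               {"WWW-Authenticate": 'Basic realm="HMI"'}),
    HostRecord("198.51.100.11", "CN=scada.example.net", 200, {},
               '<html><body><h1>Plant Overview</h1><div>Clearwell level: 4.2 ft</div>'
               '<div>Chlorine residual: 1.8 mg/L</div></body></html>'),
    HostRecord("198.51.100.12", "CN=SCADA", 200, {},
               '<html><body><h1>Plant Overview</h1><div>Pump 1 <input type="submit" value="Start"></div>'
               '<div>Cl2 setpoint <input type="number" value="1.8"></div></body></html>'),
    HostRecord("198.51.100.13", "CN=www.example-utility.org", 200, {},
               "<html><body><h1>Pay your water bill</h1></body></html>"),
    HostRecord("198.51.100.14", "CN=SCADA", 200, {},
               '<html><body><h1>Plant Overview</h1><div>Pump 2 <input type="submit" value="Stop"></div>'
               '<div>Cl2 setpoint <input type="number" value="2.1"></div></body></html>'),
    HostRecord("198.51.100.15", "CN=SCADA", 302, {"Location": "/login"}),
]

if __name__ == "__main__":
    for rec in SAMPLE_HOSTS:
        print(rec.ip, classify(rec))
    for fp, ips in cluster_by_layout(SAMPLE_HOSTS).items():
        print("layout", fp, "->", ips)
```

The layout fingerprint is what makes the Censys approach reusable: once one open HMI is identified, every other host with the same tag sequence is a candidate on the same vendor platform and deserves the same scrutiny.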
The Growing Threat: Why Water Systems Are in the Crosshairs
We track OT cyber attacks daily here at RubyComm, and the trends are unmistakable. Water infrastructure has become a favorite target for cybercriminals and nation-state actors alike. The reasons are simple: high impact potential, limited defenses, and outdated security practices.
Pro-Russian hacktivist groups have been particularly aggressive, launching attacks that push water pumps and blowers beyond safe operating limits. In documented cases, attackers have maxed out system settings, disabled alarms, and changed admin passwords to lock out legitimate operators. While most incidents have resulted in minor disruptions like tank overflows, they demonstrate how easily bad actors can cause serious damage.
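The sequence described above (setpoints driven to their maximum, alarms switched off, the admin password changed from an unfamiliar address) is detectable if the HMI's audit log is actually collected and read. The following is an added example, not RubyComm's product or any vendor's log format: the key=value line layout, the tag names, the safe operating limits and the operator subnet are all constructed, and the sample lines are invented to mirror the documented pattern.

```python
"""Flag HMI audit-log events matching the hacktivist playbook: setpoints
pushed past safe limits, alarms disabled, operator credentials changed,
all from a source outside the operator network.

Added example, not RubyComm's code or any vendor's log format. The
key=value format, tag names, safe limits and operator subnet are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed safe operating envelopes per tag: (min, max).
SAFE_LIMITS = {
    "Pump1.SpeedSetpoint": (0.0, 85.0),
    "Blower2.SpeedSetpoint": (0.0, 80.0),
    "Cl2.DoseSetpoint": (0.5, 3.0),
}
# Constructed allow-list of networks operators are expected to connect from.
OPERATOR_NETS = [ipaddress.ip_network("10.20.0.0/24")]


@dataclass
class Alert:
    rule: str
    ts: datetime
    user: str
    src: str
    detail: str


KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """'<iso-timestamp> k=v k=v ...' -> dict with a parsed 'ts' (constructed format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_trusted(src: str) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                      # unparsable source: treat as untrusted
    return any(addr in net for net in OPERATOR_NETS)


def detect(lines) -> list:
    """Run the per-event rules over log lines and return the alerts raised."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        ts, user, src = ev["ts"], ev.get("user", "?"), ev.get("src", "?")
        action = ev.get("action", "")

        def add(rule, detail):
            alerts.append(Alert(rule, ts, user, src, detail))

        if not is_trusted(src):
            add("untrusted-source", f"{action} from outside the operator network")
        if action == "write":
            tag = ev.get("tag", "")
            lo, hi = SAFE_LIMITS.get(tag, (None, None))
            if lo is not None:            # tags without a defined envelope are not range-checked
                value = float(ev["value"])
                if not lo <= value <= hi:
                    add("setpoint-out-of-range", f"{tag}={value} outside [{lo}, {hi}]")
        elif action == "alarm_disable":
            add("alarm-disabled", ev.get("tag", ""))
        elif action == "password_change":
            add("credential-change", f"target={ev.get('target', '')}")
    return alerts


def correlate(alerts, window=timedelta(minutes=10)) -> list:
    """Sources that hit all three manipulation rules inside one time window:
    the operator-lockout pattern, worth paging on rather than queueing."""
    needed = {"setpoint-out-of-range", "alarm-disabled", "credential-change"}
    by_src = defaultdict(list)
    for a in alerts:
        if a.rule in needed:
            by_src[a.src].append(a)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda a: a.ts)
        for i, first in enumerate(evs):
            inside = [a for a in evs[i:] if a.ts - first.ts <= window]
            if needed <= {a.rule for a in inside}:
                hits.append(src)
                break
    return hits


# Constructed sample log: one legitimate operator, then an intruder from 203.0.113.7.
SAMPLE_LOG = """\
2025-06-30T02:14:05Z user=operator src=10.20.0.15 action=write tag=Pump1.SpeedSetpoint value=55
2025-06-30T02:14:40Z user=admin src=203.0.113.7 action=write tag=Pump1.SpeedSetpoint value=100
2025-06-30T02:14:52Z user=admin src=203.0.113.7 action=write tag=Blower2.SpeedSetpoint value=100
2025-06-30T02:15:10Z user=admin src=203.0.113.7 action=alarm_disable tag=Tank1.HighLevelAlarm
2025-06-30T02:15:31Z user=admin src=203.0.113.7 action=password_change target=admin
2025-06-30T02:16:00Z user=operator src=10.20.0.15 action=write tag=Cl2.DoseSetpoint value=1.8
""".splitlines()

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a.ts.isoformat(), a.rule, a.user, a.src, a.detail)
    print("lockout pattern from:", correlate(found))
```

The individual rules are noisy on their own (an operator occasionally does disable an alarm); the correlation step is what turns three low-severity events into the high-confidence signal that someone is taking the plant away from its operators.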
The statistics paint a sobering picture. According to EPA assessments, 97 drinking water systems serving over 26 million Americans currently face critical or high-risk cybersecurity vulnerabilities. Fortinet's research shows that 33% of water utilities experienced at least one cyberattack in the past year—a significant jump from 21% in 2021.
The Unique Challenge of Securing Water Infrastructure
Protecting water systems isn't like securing a typical IT network. These environments present unique challenges that conventional cybersecurity solutions simply can't address effectively.
Most water treatment facilities run on decades-old operational technology with minimal security features. Default passwords are still common, network segmentation between IT and OT systems is often nonexistent, and many critical systems were never designed to be internet-connected in the first place.
This is where specialized OT security becomes essential. At RubyComm, we've learned that you can't just bolt on traditional cybersecurity solutions and call it a day. Water treatment facilities need security architectures that understand the operational requirements and safety constraints of these critical environments.
Our Rubyk™ OT product line was developed specifically for these challenges. We focus on protecting industrial assets and connected operational technology while ensuring that security measures don't interfere with the critical work of keeping water safe and flowing.
There's Hope: Rapid Response Shows What's Possible
The good news from the Censys discovery is how quickly the industry responded once the problem was identified. After researchers disclosed their findings to the EPA and the affected HMI vendor, significant progress was made in securing the exposed systems.
This success story proves that coordinated industry response works. But it also highlights a critical point: we can't keep playing defense. Reactive security isn't enough when the stakes are this high.
Water utilities need to invest in proactive OT security solutions that address fundamental architectural weaknesses before they're discovered by researchers—or worse, exploited by attackers.
Moving Forward: Building Resilient Water Infrastructure
As water systems become increasingly vital to community resilience and public health, the industry must prioritize comprehensive OT security. This means moving beyond basic network security to implement solutions that can scale with evolving threats while preserving operational integrity.
The path forward requires recognizing that OT security isn't a product you can simply purchase and install. It's a strategic partnership that requires a deep understanding of both cybersecurity principles and water treatment operations.
Every day that critical water infrastructure remains vulnerable is another day that millions of Americans are at risk. The Censys discovery should serve as both a warning and motivation for the coordinated industry action needed to secure these essential systems.
About RubyComm: RubyComm delivers tailored operational technology (OT) cybersecurity solutions for industrial environments where standard products fall short. Based in Israel with a U.S. presence, we secure critical systems for industrial manufacturers, infrastructure operators, medical equipment providers, energy producers, and smart building managers. Our competitive advantage lies in creating customized security architectures that address the specific challenges conventional solutions cannot: functionality limitations in specialized settings, complex operational environments requiring precision approaches, prohibitive pricing structures, and technical expertise gaps within client organizations. Unlike one-size-fits-all offerings, RubyComm's solutions maintain operational efficiency while providing comprehensive protection, transforming security from a product purchase into a strategic partnership. Our team of specialists is strategically positioned to scale our proven methodology, meeting the rapidly growing demand for sophisticated OT security across vital sectors worldwide.