Behind The Scenes Of The Water Sector’s Cybersecurity Crisis—And What You Need To Know

Cybersecurity threats facing the water sector aren’t some far-off concern—they’re here, they’re persistent, and they’re only getting smarter. Domain name system (DNS) vulnerabilities, phishing attempts, lateral movement inside your network—these aren’t just buzzwords; they’re the daily reality that the water sector can no longer afford to ignore. Ransomware, for example, can bring operations to a screeching halt. But the more sophisticated attacks? Those are the ones that keep people up at night.
In this blog, we’re going to dig into the trends and incidents that are happening at our client water utilities across the country. We’re here to shine a light on what’s going on behind the scenes and why every utility—no matter the size—needs to take cybersecurity seriously before it’s too late.
Key Cybersecurity Concerns Found By Cyberzcape™
Our Security Operations Center (SOC) has had a front-row seat to the evolving threats facing water utilities across the country. While every system is different, we’ve identified several key vulnerabilities and recurring issues that have popped up time and time again in the water sector over the last few months. Spoiler: the hackers aren’t playing around.
OpenDNS DNSCrypt Communications
A recurring finding that is not malicious in itself, but that attackers can use to hide DNS lookups from monitoring, is encrypted DNS. In one instance, our SOC team detected OpenDNS DNSCrypt communications at a water utility: a host was sending its name lookups, encrypted, straight to OpenDNS's public resolvers instead of through the utility's own resolvers. DNS, often referred to as the "phonebook of the internet," is how every system finds the addresses it talks to, and the utility's resolver logs are one of the SOC's best views into what those systems are contacting. Once lookups are encrypted and routed around the internal resolvers, that view disappears, resolver-level filtering no longer applies, and malware can use the same channel for its command-and-control lookups without tripping DNS-based detection. The related danger is DNS manipulation: an attacker who controls the answers a system receives can intercept or redirect its traffic, putting the integrity of the entire system at risk. It's like someone secretly rerouting your mail to an entirely different address, only, in this case, the stakes involve essential water services.
Lateral Movement Is The New Break-In Playbook
Another red flag we've seen is WinRM and WMI traffic between hosts that have no business administering each other. Both are legitimate Windows management channels (WinRM on TCP 5985 and 5986, WMI over DCOM on TCP 135 plus dynamic RPC ports), which is exactly why attackers favor them: the traffic can signal lateral movement, and it also gives the attacker remote code execution, data exfiltration, and full system compromise using tools the environment already trusts. This is the digital equivalent of a burglar creeping from room to room, looking for anything valuable. If not detected early, lateral movement lets attackers dig deeper into the network, reaching critical systems and data, and WinRM/WMI in particular let them run commands that control the whole host and pull sensitive data off it. The useful detection question is therefore not "is WinRM present?" but "is this source host allowed to manage that destination?" At one client site, we saw signs of this very behavior, suggesting that attackers could have been probing for weaknesses to exploit. In the water sector, such weaknesses could lead to major disruptions, from altered chemical levels to halted operations.
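As an added example (not Cyberzcape's detection logic or any Parsons code), the following Python audits constructed flow records for the two findings above: DNS traffic that bypasses the utility's resolvers, including DNSCrypt/DoH-style encrypted lookups sent straight to OpenDNS, and WinRM/WMI connections from any host other than the sanctioned admin jump host. The internal resolver and jump-host addresses, the OT subnet, and the flow-record format are assumptions chosen for the example; the OpenDNS resolver addresses and the WinRM/RPC endpoint-mapper ports are the public ones.

```python
"""Flow-record audit for two SOC findings: encrypted DNS that bypasses the
utility's resolvers, and WinRM/WMI traffic from hosts that are not allowed
to administer others. Added example; all addresses, roles and flow records
below are constructed, not taken from any utility."""
import ipaddress
from dataclasses import dataclass

# Assumed network layout (hypothetical): the utility's internal resolvers,
# the one jump host sanctioned to use WinRM/WMI, and the OT address range.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
ADMIN_HOSTS = {"10.0.10.5"}
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
# OpenDNS public resolvers. Plain DNS to them is a resolver bypass; traffic
# to them on any other port is encrypted DNS (DNSCrypt/DoH) that resolver
# logs and DNS-based filtering cannot see.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

WINRM_PORTS = {5985, 5986}   # WinRM over HTTP / HTTPS
RPC_EPM_PORT = 135           # DCOM endpoint mapper used by WMI


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<src> <dst> <proto> <dport> <bytes>'."""
    src, dst, proto, dport, nbytes = line.split()
    return Flow(src, dst, proto.lower(), int(dport), int(nbytes))


def dns_findings(flow: Flow) -> list[str]:
    out = []
    if flow.dport == 53 and flow.dst not in INTERNAL_RESOLVERS:
        out.append(f"DNS bypass: {flow.src} -> {flow.dst}:53 is not an internal resolver")
    elif flow.dst in OPENDNS_RESOLVERS:
        # Not port 53, so the lookups are encrypted and invisible to DNS monitoring.
        out.append(f"Encrypted DNS: {flow.src} -> OpenDNS {flow.dst}:{flow.dport} ({flow.proto})")
    return out


def lateral_findings(flow: Flow) -> list[str]:
    out = []
    is_winrm = flow.proto == "tcp" and flow.dport in WINRM_PORTS
    is_wmi = flow.proto == "tcp" and flow.dport == RPC_EPM_PORT
    if (is_winrm or is_wmi) and flow.src not in ADMIN_HOSTS:
        tool = "WinRM" if is_winrm else "WMI/DCOM"
        target = "OT host" if ipaddress.ip_address(flow.dst) in OT_SUBNET else "host"
        out.append(f"{tool} from non-admin {flow.src} to {target} {flow.dst}:{flow.dport}")
    return out


def audit(lines: list[str]) -> list[str]:
    """Return one human-readable finding per policy violation in the records."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        findings.extend(dns_findings(flow))
        findings.extend(lateral_findings(flow))
    return findings


# Constructed sample records (src dst proto dport bytes).
SAMPLE_FLOWS = [
    "10.0.20.14 10.0.0.53 udp 53 120",         # workstation -> internal resolver: fine
    "10.0.20.14 208.67.220.220 udp 443 980",   # DNSCrypt to OpenDNS, bypassing resolvers
    "10.0.20.31 8.8.8.8 udp 53 90",            # plain DNS to an outside resolver
    "10.0.10.5 10.20.1.7 tcp 5985 4096",       # WinRM from the jump host: sanctioned
    "10.0.20.14 10.0.20.31 tcp 5985 7000",     # workstation -> workstation WinRM
    "10.0.20.31 10.20.1.7 tcp 135 600",        # workstation -> OT host via WMI/DCOM
    "10.0.20.31 203.0.113.10 tcp 443 15000",   # ordinary HTTPS: ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The two rules share one idea: write down who is allowed to talk to whom (which hosts resolve names, which host administers others) and alert on everything else, rather than trying to decide case by case whether a given WinRM or DNSCrypt session is "bad".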
Passwords In Plain Sight, Yet Again…
Let's not forget cleartext credentials: old-school, unencrypted usernames and passwords traveling across the network like it's 1995. Protocols that still carry them include HTTP Basic authentication over plain HTTP (Base64 encoding is not encryption; anyone on the path can decode it), FTP, Telnet, SNMPv1/v2c community strings, and many legacy OT protocols. Anyone who can see the traffic, whether through a compromised switch, a rogue device on the plant network, or a foothold on a single host, can harvest those credentials and log in as a legitimate user, which is why exposed credentials remain a significant vulnerability that requires immediate attention. Our team recently flagged this issue at another utility, where cleartext credentials were detected in the network traffic. Leaving credentials exposed is like handing an intruder your house keys, and yet it's still something we encounter in environments that should know better, and we encounter it A LOT. The fix is to move these services onto encrypted transports (HTTPS, SFTP, SSH, SNMPv3) and, where a legacy device cannot be upgraded, to isolate it and rotate the credentials it has been exposing.
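As an added example (not Cyberzcape's detection logic), the following Python does what a SOC sensor does for this finding: it inspects reassembled TCP payloads on cleartext ports, decodes HTTP Basic authorization headers and FTP USER/PASS exchanges, and raises an alert that names the account but carries only a redacted form of the password, so the alert itself does not become a second leak. The hosts, ports and payloads are constructed for the example; the header and command formats are the standard ones.

```python
"""Cleartext-credential detector over captured TCP payloads. Added example;
the streams below are constructed, not captured from any utility. Alerts
record the username and only the length of the password."""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    protocol: str
    src: str
    dst: str
    username: str
    password_hint: str   # never the secret itself


# "Authorization: Basic <base64 of user:password>" on its own header line.
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
# FTP sends the account and password as two separate cleartext commands.
FTP_USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.I | re.M)
FTP_PASS_RE = re.compile(r"^PASS\s+(\S+)\s*$", re.I | re.M)


def redact(secret: str) -> str:
    """Keep only the length, enough to tell an empty password from a real one."""
    return f"<{len(secret)} chars>"


def check_http_basic(src: str, dst: str, payload: str) -> list[Alert]:
    alerts = []
    for match in BASIC_RE.finditer(payload):
        try:
            # Base64 is an encoding, not encryption: the credential is right here.
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue   # malformed header, not a credential
        user, sep, password = decoded.partition(":")
        if sep:
            alerts.append(Alert("HTTP Basic", src, dst, user, redact(password)))
    return alerts


def check_ftp(src: str, dst: str, payload: str) -> list[Alert]:
    user = FTP_USER_RE.search(payload)
    password = FTP_PASS_RE.search(payload)
    if user and password:
        return [Alert("FTP", src, dst, user.group(1), redact(password.group(1)))]
    return []


def scan(streams: list[tuple[str, str, int, str]]) -> list[Alert]:
    """streams: (src, dst, dport, payload). Only cleartext ports are inspected;
    the same Basic header inside TLS on 443 is not visible on the wire."""
    alerts = []
    for src, dst, dport, payload in streams:
        if dport in (80, 8080):
            alerts.extend(check_http_basic(src, dst, payload))
        elif dport == 21:
            alerts.extend(check_ftp(src, dst, payload))
    return alerts


# Constructed sample streams. The Basic header encodes "operator:Summer2024!".
SAMPLE_STREAMS = [
    ("10.0.20.14", "10.20.1.9", 80,
     "GET /status HTTP/1.1\r\nHost: hmi.local\r\n"
     "Authorization: Basic b3BlcmF0b3I6U3VtbWVyMjAyNCE=\r\n\r\n"),
    ("10.0.20.31", "10.0.5.2", 21,
     "USER scada\r\nPASS plant-backup-1\r\n"),
    ("10.0.20.31", "10.0.5.3", 80,
     "GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),            # no credentials
    ("10.0.20.14", "10.20.1.9", 80,
     "GET /x HTTP/1.1\r\nAuthorization: Basic abc\r\n\r\n"),  # malformed, ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_STREAMS):
        print(alert)
```

Two points worth carrying into a real sensor: a detector like this must be fed from a tap or SPAN port that actually sees the plant network, and once it fires the credential must be treated as compromised and rotated, not just the protocol fixed.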
Convenience With Risks Using Remote Access
Remote access is another common weak point. We've identified Citrix and GoToMyPC activity at a number of facilities. Remote desktop software is convenient, but it becomes a direct path to operational control for a malicious actor if it is not properly secured: exposed to the internet, protected by a shared or weak password, running without multi-factor authentication, or installed on a workstation that can also reach the control network. This type of vulnerability came to light in 2021 in Oldsmar, Florida, where, as reported at the time, someone connected through TeamViewer to a water treatment plant workstation and used it to raise the sodium hydroxide (lye) setpoint to a dangerous level; an operator watching the screen reversed the change before it affected the water. If attackers gain this kind of access, they can control everything from water flow to chemical treatments, which makes remote access a critical area for vigilance: restrict it to named users with MFA, reach OT systems only through a monitored jump host, and disable the tool when no session is scheduled.
Phishing For Trouble
While network vulnerabilities can bring attackers inside, we’re also seeing more traditional attack vectors like phishing continue to evolve. Cyberzcape™, our real-time threat detection and response platform, is seeing more instances of phishing attempts and malicious DNS queries, targeting everything from email accounts to network servers. It’s not just the IT systems at risk; the operational technology (OT) networks—the ones that control the actual water treatment processes—are also being probed. As the lines between IT and OT blur, these threats make it more challenging to defend infrastructure comprehensively. This means utilities need stronger, integrated defenses that span both environments.
Preparing For What’s Next In Water
The cybersecurity threats we’ve outlined—whether DNS vulnerabilities, lateral movement, or phishing—are just the beginning. The truth is, the water sector can’t afford to wait. As these threats evolve and become more sophisticated, utilities of all sizes need to strengthen their defenses. Ignoring the risks will only lead to more incidents, greater disruptions, and potentially devastating consequences.
But here’s the good news: we are here to help. We’re not just flagging vulnerabilities—we’re giving water utilities the tools they need to proactively protect their systems. Cyberzcape™ monitors, detects, and stops threats in real-time to keep water facilities secure 24/7, ensuring you’re never caught off guard. And for those looking to stay ahead of the curve, our Cybersecurity Playbook for the Water Sector offers a comprehensive guide to building stronger, more resilient defenses—step by step.
The risks are here, but so are the solutions. Take action now, secure your infrastructure, and ensure the safety and reliability of your water systems for years to come. At Parsons, we’re not just your partner in cybersecurity—we’re your partner in safeguarding the future.
For our free eBook “The Ultimate Water Sector Cybersecurity Playbook: 33 Essential Steps to Safeguard Your Operations” click here!