Water is the essence of life, but in today’s digital world, it’s also an increasingly attractive target for cyber criminals. Water treatment plants and distribution systems rely on digital controls, which, if compromised, can lead to disastrous consequences, including contamination, service disruptions, and threats to public health.
A 2024 assessment by the US Environmental Protection Agency (EPA) found that 97 drinking water systems, serving approximately 26,6-million people, had critical or high-risk cyber security vulnerabilities.
According to Check Point Research, thus far in 2025, the energy & utilities (including water) industry has suffered on average 1 872 weekly attack attempts per organisation, an increase of 53% compared to the same period in 2024.
North America has seen the highest year-on-year change with an 89% increase in attacks compared to the same time period last year, followed by Europe (82%) and Africa (45%).
With critical infrastructure like water utilities under constant threat, it is only a matter of time before a cyberattack succeeds in impacting hundreds of thousands, if not millions of lives.
With World Water Day taking place on 22 March, Check Point Research explores the economic impacts of cyber vulnerabilities in water systems and provide insights into key security measures to ensure that water utilities and this precious resource remains safe to drink and pouring from our taps.
The Economics of a water attack
Beyond public health, cyberattacks on water infrastructure have massive economic repercussions. Water and wastewater providers are prime targets for cyber criminals due to the essential role they play in sustaining local communities and daily operations.
However, the risks extend beyond operational disruptions. A compromised system could result in contaminated drinking water, posing serious threats to public health and safety.
Beyond households, numerous industries depend on a steady and secure water supply, including manufacturing plants and data centers, which rely on water for cooling systems. A cyberattack on these utilities could lead to widespread disruptions with severe consequences. Disruptions in water supply can halt industrial operations, impact agriculture, and destabilize local economies.
For example, a one-day disruption in water service across the US could jeopardize $43,5-billion in economic activity according to the US Water Alliance. A simulated example of a cyberattack on Charlotte Water in North Carolina projected daily losses of at least $132-million in lost revenue, with replacement costs exceeding $5-billion, results from a review of the agency’s cyber security initiatives by the Environmental Protection Agency’s Office of Inspector General.
In Italy, Alto Calore Servizi SpA, an Italian company that provides drinking water to 125 municipalities Avellino and Benevento — two provinces in southern Italy – experienced a ransomware attack in 2023. The government-run company also manages sewage and purification services for both provinces. While the cyberattack did not disrupt water distribution, the company’s database was compromised, and it rendered all of their IT systems unusable.
The price of outdated infrastructure
Water systems, in particular, are highly vulnerable, as outdated infrastructure is suddenly exposed to internet-based threats, and the potential for disruption makes these facilities prime targets, especially for nation-state actors.
In reality, a compromised water facility goes beyond just being a cyber incident as it impacts the entire country, making headlines and, more critically, poses a direct threat to public safety.
The economic toll of a successful cyberattack on water utilities is simply too great to ignore. Resilience must be prioritised, and investments in cyber security should be viewed as investments in economic stability.
Strengthening cyber defenses: What needs to be done
Water utilities must take a proactive approach to cyber security. According to the US Environmental Protection Agency (EPA), 98% of cyberattacks could be prevented or minimised with basic cyber hygiene. Some critical steps to enhance security includes:
- Invest in Endpoint and Network Security: Water utilities should deploy AI-powered threat detection systems to monitor network activity and prevent intrusions.
- Regulatory Gaps Leave Utilities Exposed: Cyber regulations for water utilities are not as stringent as those for the power or financial sectors, with the call for more to be done in this area.
- Mandate Cyber Security Training: The Water Information Sharing and Analysis Center (WaterISAC) has identified training as a top priority for improving cyber readiness as there is a severe lack of cyber security training amongst water operators with many facilities lacking dedicated cyber security personnel.
- Enforce Multi-Factor Authentication (MFA): Prevent unauthorised access to operational technology (OT) systems as unsecured remote access is often a major vulnerability, with attackers often exploiting weak remote access protocols.
- Develop Incident Response Plans: Water providers must have response protocols in place to minimize damage from potential attacks.
As cyber threats to water infrastructure increase, the need for proactive security measures has never been greater. Governments, water utilities, and cyber security experts must collaborate to protect these vital systems before more attacks severely impact this vital industry.