Sourcepass Blog

AI-Powered Cyber Threats and Water Utilities: What Public-Sector Leaders Need to Know

Written by Courtney Noonan | Jul 07, 2026

Water and wastewater organizations have long been considered part of the nation's critical infrastructure, but recent developments highlight how the threat landscape is evolving faster than many public-sector entities can adapt.

New findings from both the U.S. Government Accountability Office (GAO) and industrial cybersecurity firm Dragos underscore a common message: water utilities must strengthen cybersecurity programs, improve visibility across operational technology (OT) environments, and prepare for increasingly sophisticated attacks.

For utility leaders, these reports offer valuable insight into both systemic cybersecurity challenges and emerging threats that could impact essential services.

 

GAO Highlights Ongoing Cybersecurity Challenges for Water Systems

In recent congressional testimony, the GAO warned that water and wastewater systems continue to face significant cybersecurity risks. According to the agency, several factors are contributing to a growing attack surface:

  • Operational technology (OT) systems are becoming increasingly connected to enterprise networks and the internet.
  • Aging infrastructure often lacks modern security controls.
  • Workforce shortages make it difficult to maintain and secure critical systems.
  • Cyber threats targeting critical infrastructure continue to increase in sophistication. 

While the testimony was not tied to a single cybersecurity incident, it reinforces concerns that many water utilities are managing complex operational environments with limited resources. As digital transformation initiatives continue, organizations must balance modernization efforts with cybersecurity resilience.

For public-sector and utility leaders, the message is clear: cybersecurity can no longer be viewed solely as an IT concern. Protecting operational systems that support water treatment, distribution, and monitoring has become an essential component of business continuity and public safety.

 

The First Public Example of AI-Assisted Targeting of Water Infrastructure

A separate report from industrial cybersecurity firm Dragos provides one of the first publicly documented examples of an adversary using commercial artificial intelligence tools to support activities against a municipal water utility.

According to Dragos, investigators analyzed an intrusion involving a municipal water and drainage utility where attackers attempted to move from a compromised enterprise IT environment toward operational technology systems. 

The significance of the incident is not that attackers successfully compromised operational systems—Dragos reported no evidence that OT systems were breached—but rather that AI tools were used to accelerate intrusion planning, environment mapping, reconnaissance, and identification of OT-adjacent assets.

Their findings demonstrate how commercially available AI technologies can help threat actors:

  • Analyze complex environments more quickly.
  • Identify high-value infrastructure assets.
  • Generate and refine attack pathways.
  • Scale common offensive techniques with greater speed. 

According to Dragos, the incident illustrates how AI can make OT environments more visible to adversaries already operating within an organization's IT network. 

 

Why This Matters for Water Utilities

Historically, specialized knowledge created a barrier between traditional cybercriminal activity and operational technology environments. Emerging AI capabilities may lower that barrier by helping attackers identify industrial systems and understand potential pathways between IT and OT networks. 

As a result, water utilities should evaluate whether existing cybersecurity programs adequately address both enterprise IT systems and operational environments.

Areas that warrant attention include:

  • IT and OT network segmentation
  • Identity and access management controls
  • Multi-factor authentication
  • Remote access security
  • Continuous monitoring and logging
  • Incident response planning
  • Asset inventory and visibility across critical systems

Many of these practices are reflected in water-sector cybersecurity guidance and templates used to support utility cybersecurity programs. For example, water system cybersecurity frameworks emphasize secure remote access, monitoring network activity, maintaining asset inventories, managing OT access privileges, and regularly reviewing cybersecurity controls.

 

Building Cyber Resilience in Critical Infrastructure

While AI-assisted attacks are still emerging, the broader lesson is not necessarily about artificial intelligence itself—it's about preparedness.

Threat actors continue to evolve their methods, and public-sector organizations must evolve their defenses accordingly. Strong cybersecurity fundamentals remain critical: visibility, access controls, network segmentation, monitoring, governance, and incident response planning continue to form the foundation of an effective security program. 

Water utilities that proactively address these areas will be better positioned to reduce risk, meet regulatory obligations, and maintain the reliability of the essential services their communities depend on.

 

How Sourcepass GOV Helps

Sourcepass GOV works with water districts, municipalities, and other public-sector organizations to strengthen cybersecurity programs through risk assessments, security advisory services, governance support, incident response planning, tabletop exercises, compliance oversight, and dedicated vCISO services.

These services are designed to help organizations identify vulnerabilities, improve resilience, and build a practical roadmap for managing cyber risk. 

 

Learn More

To read the full Dragos analysis, visit: AI in the Breach: How an Adversary Leveraged AI to Target a Water Utility

 

Sources: Dragos, https://www.gao.gov/