Water and wastewater organizations have long been considered part of the nation's critical infrastructure, but recent developments highlight how the threat landscape is evolving faster than many public-sector entities can adapt.
New findings from both the U.S. Government Accountability Office (GAO) and industrial cybersecurity firm Dragos underscore a common message: water utilities must strengthen cybersecurity programs, improve visibility across operational technology (OT) environments, and prepare for increasingly sophisticated attacks.
For utility leaders, these reports offer valuable insight into both systemic cybersecurity challenges and emerging threats that could impact essential services.
In recent congressional testimony, the GAO warned that water and wastewater systems continue to face significant cybersecurity risks. According to the agency, several factors are contributing to a growing attack surface:
While the testimony was not tied to a single cybersecurity incident, it reinforces concerns that many water utilities are managing complex operational environments with limited resources. As digital transformation initiatives continue, organizations must balance modernization efforts with cybersecurity resilience.
For public-sector and utility leaders, the message is clear: cybersecurity can no longer be viewed solely as an IT concern. Protecting operational systems that support water treatment, distribution, and monitoring has become an essential component of business continuity and public safety.
A separate report from industrial cybersecurity firm Dragos provides one of the first publicly documented examples of an adversary using commercial artificial intelligence tools to support activities against a municipal water utility.
According to Dragos, investigators analyzed an intrusion involving a municipal water and drainage utility where attackers attempted to move from a compromised enterprise IT environment toward operational technology systems.
The significance of the incident is not that attackers successfully compromised operational systems—Dragos reported no evidence that OT systems were breached—but rather that AI tools were used to accelerate intrusion planning, environment mapping, reconnaissance, and identification of OT-adjacent assets.
Their findings demonstrate how commercially available AI technologies can help threat actors:
According to Dragos, the incident illustrates how AI can make OT environments more visible to adversaries already operating within an organization's IT network.
Historically, specialized knowledge created a barrier between traditional cybercriminal activity and operational technology environments. Emerging AI capabilities may lower that barrier by helping attackers identify industrial systems and understand potential pathways between IT and OT networks.
As a result, water utilities should evaluate whether existing cybersecurity programs adequately address both enterprise IT systems and operational environments.
Areas that warrant attention include:
Many of these practices are reflected in water-sector cybersecurity guidance and templates used to support utility cybersecurity programs. For example, water system cybersecurity frameworks emphasize secure remote access, monitoring network activity, maintaining asset inventories, managing OT access privileges, and regularly reviewing cybersecurity controls.
While AI-assisted attacks are still emerging, the broader lesson is not necessarily about artificial intelligence itself—it's about preparedness.
Threat actors continue to evolve their methods, and public-sector organizations must evolve their defenses accordingly. Strong cybersecurity fundamentals remain critical: visibility, access controls, network segmentation, monitoring, governance, and incident response planning continue to form the foundation of an effective security program.
Water utilities that proactively address these areas will be better positioned to reduce risk, meet regulatory obligations, and maintain the reliability of the essential services their communities depend on.
Sourcepass GOV works with water districts, municipalities, and other public-sector organizations to strengthen cybersecurity programs through risk assessments, security advisory services, governance support, incident response planning, tabletop exercises, compliance oversight, and dedicated vCISO services.
These services are designed to help organizations identify vulnerabilities, improve resilience, and build a practical roadmap for managing cyber risk.
To read the full Dragos analysis, visit: AI in the Breach: How an Adversary Leveraged AI to Target a Water Utility
Sources: Dragos, https://www.gao.gov/