Strengthening Cybersecurity Resilience in Water Infrastructure: Lessons from the Arkansas City Incident
- Enterra

- Aug 29
In a time when cyber threats are becoming increasingly sophisticated, the security of critical infrastructure like water facilities must be a top priority. A recent cyber event at the Arkansas City water plant, serving around 12,000 residents, serves as a stark reminder of the vulnerabilities within the U.S. water infrastructure. While the plant quickly switched to manual operations to prevent disruption, this incident underlines the necessity for a more robust approach to cybersecurity across the sector.
The White House has already expressed concerns about the lack of comprehensive cybersecurity measures within the water industry, especially after reports of multiple cyberattacks originating from foreign adversaries. These growing concerns highlight the importance of cybersecurity maturity models that can guide water facilities through a structured, evolving defense against emerging threats. Enterra’s Cybersecurity Maturity Model is an excellent framework that can be applied to water infrastructure to achieve greater resilience.
The Cybersecurity Maturity Ladder in the Context of Water Infrastructure
Water systems are among the most critical resources that we rely on daily, making them attractive targets for cybercriminals and foreign adversaries. Ensuring their security is not a one-time fix but an ongoing, strategic journey. Enterra’s Cybersecurity Maturity Model provides a roadmap to help organizations in sectors like water utilities assess and improve their security practices. Here's how the maturity ladder can be applied:
Minimal Stage: Unfortunately, many water facilities still operate at this level, with limited or no formal cybersecurity defenses. This stage leaves organizations exposed to basic cyber threats, such as phishing, malware, or ransomware attacks. For smaller water utilities, this might mean only having basic firewalls and antivirus software in place, as seen in many of the 153,000 drinking water and 16,000 wastewater treatment systems across the U.S.
Basic Stage: At this level, water utilities are aware of their vulnerabilities and have started adopting fundamental cybersecurity measures. These include periodic vulnerability assessments, like those requested by the White House and EPA. However, these measures alone may not suffice against more advanced, nation-state-backed cyberattacks, as seen in recent attacks attributed to Russia, Iran, and China.
Coordinated Stage: Water utilities at the coordinated stage develop formal cybersecurity programs and begin integrating them with operational technology (OT) systems. For example, facilities would implement measures like Endpoint Detection and Response (EDR) to protect critical infrastructure, while working closely with agencies like the Water Information Sharing and Analysis Center (WaterISAC) to gather threat intelligence.
Proactive Stage: Moving into a proactive stage, water utilities employ advanced cybersecurity technologies such as Security Orchestration, Automation, and Response (SOAR). This would enable facilities to automate incident response and ensure that threats are neutralized before they cause disruptions, much like how the Arkansas City plant avoided a shutdown through rapid manual intervention.
Adaptive Stage: At the pinnacle of cybersecurity maturity, water utilities would continuously evolve their defenses in response to new and emerging threats. This would include the implementation of Zero Trust Security frameworks, ensuring that every network connection is verified, no matter the source, safeguarding the infrastructure against even the most sophisticated attacks. This stage represents a fully integrated and automated security system that can dynamically respond to any potential compromise.
Lessons from the Arkansas City Incident
The Arkansas City cyber incident did not disrupt water services, but it highlighted critical areas of concern. Water utilities, especially smaller ones, may not yet understand their exposure to cyber threats or the available resources to counter them. As Jennifer Lyn Walker from WaterISAC noted, many smaller utilities remain unaware of their risk or the support that exists to bolster their defenses.
By aligning their cybersecurity strategies with models like Enterra’s, water facilities can ensure they are not only protecting their operational technologies but also securing their communities' water supply. The key to success lies in advancing through the maturity stages, from minimal defenses to adaptive resilience, where threats are anticipated and mitigated in real time.
Future of Water Cybersecurity
As the White House and the EPA continue their efforts to mandate cybersecurity regulations for water systems, facilities across the U.S. will need to take a more proactive stance. Enterra is committed to supporting this mission by offering scalable cybersecurity solutions that align with the unique needs of critical infrastructure sectors, including water and wastewater utilities.
Through our Cybersecurity Maturity Model, Enterra helps organizations not just meet compliance standards but build a resilient, future-proof security framework. By adopting a comprehensive, multi-stage approach to cybersecurity, water facilities can ensure their operations remain uninterrupted, safeguarding the water supply for millions of Americans.
Secure your water infrastructure. Secure your future. Together, Enterra and your organization can ensure cybersecurity resilience, no matter the threat.







