Water Utilities Targeted Through Weak PLC Security and Exposed Controls

Nation-state actors exploit default credentials and internet-facing PLCs to access water infrastructure, altering chemical dosing and opening floodgates in multiple incidents across the US and Europe.

CSBadmin

Vulnerable Systems and Initial Access Methods

Water utilities across the United States and Europe face escalating cyber threats as attackers exploit basic security failures in industrial control systems. Nation-state actors and affiliated groups have been systematically targeting internet-facing programmable logic controllers (PLCs) and weak login credentials to breach water and wastewater infrastructure. These intrusions rely on common weaknesses: default passwords, shared operator accounts, poor network segmentation between IT and OT environments, and exposed remote access tools. According to a report from DomainTools shared with cybersecurity researchers, exploiting these gaps requires no sophisticated malware, only persistence and an unsecured entry point.

Strategic Targeting and Real World Incidents

From 2024 to 2026, attacks on water systems have evolved from opportunistic incidents into deliberate instruments of state-level competition. Iranian-affiliated actors, including the group CyberAv3ngers tied to Iran's IRGC, exploited default factory credentials on Unitronics Vision Series PLCs in December 2024. By April 2026, a joint advisory from CISA, FBI, NSA, and EPA confirmed continued exploitation of internet-exposed PLCs across water, energy, and government facilities. Russia-linked groups caused a municipal water tank to overflow in Muleshoe, Texas in January 2024, and seized control of a dam in Bremanger, Norway in April 2025, opening a floodgate for hours. Poland reported breaches at five water treatment plants in 2025 in which attackers gained the ability to alter chemical dosing parameters. Meanwhile, China's Volt Typhoon group took a quieter approach, embedding itself in water utility IT environments across multiple U.S. sectors for long-term strategic positioning.

Security agencies recommend that water utilities immediately take steps to reduce exposure. These measures include removing PLCs and human-machine interfaces (HMIs) from direct internet access, replacing default and shared passwords, enforcing multi-factor authentication, improving OT monitoring, and separating IT from operational control networks. Reporting incidents to CISA and coordinating with federal partners for cybersecurity support is also strongly encouraged. Indicators of compromise include specific IP addresses linked to Iranian actors, inbound traffic to network ports associated with industrial protocols such as EtherNet/IP and Modbus, and tools like Dropbear SSH and native Windows utilities abused for lateral movement.
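To make the exposure and indicator guidance above concrete, here is an added detection example; it is not code from the source article, DomainTools, or any agency advisory. It runs over constructed firewall-style log lines and flags three things the text describes: industrial protocol ports (Modbus/TCP 502, EtherNet/IP 44818, Unitronics PCOM 20256) and SSH reached from outside the utility's own address space, source addresses that match a watchlist, and Modbus/TCP write requests (the function codes used to change setpoints such as dosing values or valve coils) coming from anything other than an approved engineering workstation. The internal address ranges, the engineering host, the watchlist entries (documentation-range addresses standing in for real indicators) and the log line format are all assumptions made for the example.

```python
"""Detection pass over constructed firewall/NetFlow-style log lines: flags
OT protocol ports reached from outside the utility's address space, hits on
a watchlist, and Modbus/TCP write requests from hosts that are not approved
engineering workstations. Example code, not from the article or any advisory."""
import ipaddress
import struct

# Ports associated with industrial protocols and remote access (e.g. Dropbear SSH).
OT_PORTS = {
    502: "Modbus/TCP",
    44818: "EtherNet/IP",
    20256: "Unitronics PCOM",
    22: "SSH",
}

# Modbus function codes that change controller state (setpoints, coils).
MODBUS_WRITE_FC = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Assumption: the utility uses RFC 1918 space; any other source is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption (constructed): only this engineering workstation may write to PLCs.
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.0.5")}

# Constructed watchlist using a documentation-range address; substitute the
# addresses published in the current advisory in a real deployment.
WATCHLIST = {ipaddress.ip_address("203.0.113.77")}


def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)


def parse_modbus_tcp(payload):
    """Parse the MBAP header and function code of a Modbus/TCP request.
    Returns (unit_id, function_code), or None if the frame is malformed."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the length field must cover unit id + PDU.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def parse_line(line):
    # Constructed format: "<timestamp> key=value key=value ..."
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def analyze_log(lines):
    """Return a list of (line_number, category, detail) findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        dport = int(f["dport"])
        service = OT_PORTS.get(dport)

        if src in WATCHLIST:
            findings.append((n, "IOC_MATCH", f"{src} is on the watchlist"))
        if service and is_external(src):
            findings.append((n, "EXPOSURE",
                             f"{service} on {dst}:{dport} reached from external host {src}"))

        payload = bytes.fromhex(f.get("payload", ""))
        if dport == 502 and payload:
            parsed = parse_modbus_tcp(payload)
            if parsed is None:
                findings.append((n, "MALFORMED_MODBUS", f"unparseable frame from {src}"))
            else:
                unit, fc = parsed
                if fc in MODBUS_WRITE_FC and src not in ENGINEERING_HOSTS:
                    findings.append((n, "UNAUTHORIZED_WRITE",
                                     f"{MODBUS_WRITE_FC[fc]} (FC {fc}) to unit {unit} "
                                     f"on {dst} from {src}"))
    return findings


def count_by_category(findings):
    counts = {}
    for _n, cat, _detail in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample log lines; payload is the hex of the Modbus/TCP request.
CONSTRUCTED_LOG = [
    "2026-04-02T03:14:07Z src=203.0.113.77 dst=192.168.50.10 dport=502 proto=tcp payload=0001000000090110000000010200c8",
    "2026-04-02T08:02:11Z src=10.20.0.5 dst=192.168.50.10 dport=502 proto=tcp payload=000200000006010600100064",
    "2026-04-02T08:02:12Z src=10.20.0.9 dst=192.168.50.10 dport=502 proto=tcp payload=000300000006010300000002",
    "2026-04-02T11:45:30Z src=198.51.100.20 dst=192.168.50.11 dport=44818 proto=tcp",
    "2026-04-02T14:20:01Z src=10.20.0.9 dst=192.168.50.10 dport=502 proto=tcp payload=00040000000601050001ff00",
    "2026-04-02T22:10:49Z src=198.51.100.20 dst=192.168.50.12 dport=22 proto=tcp",
]

if __name__ == "__main__":
    for n, cat, detail in analyze_log(CONSTRUCTED_LOG):
        print(f"line {n}: {cat}: {detail}")
```

On the constructed input the first line trips all three checks at once (watchlist hit, Modbus reached from outside, and a Write Multiple Registers request from a non-engineering host), which is the pattern the article's incidents describe; the same Write Single Register request from the approved workstation on line 2 produces no finding, and a read (FC 3) from an internal operator host is ignored. Note that an internal host sending a coil write (line 5) is still reported, since segmentation alone does not tell you who is allowed to change process values.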

Source: Cyber Security News
