The water sector is increasingly confronted with real-world cybersecurity threats, making cyber risk an immediate and pressing concern. This year alone, the Cybersecurity and Infrastructure Security Agency (CISA) has issued more than 30 advisories related to threats against water systems. At the same time, utilities are accelerating their digital adoption without proportional security investments.
Having recently completed Andy Greenberg’s Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, which details global cyberattacks and the rising arena of infrastructure warfare, I find myself reflecting on the clear gap between the water sector’s vulnerability and its capacity to respond.
Digitizing into Exposure
The reality is simple: the water sector is adopting digital tools faster than it can secure them. This isn’t a failure of intent—it’s a structural mismatch. Original equipment manufacturers (OEMs) now ship with remote monitoring, interconnectivity, and analytics capabilities embedded in the hardware and equipment—a natural progression in today’s connected world. Essentially, the Internet of Things (IoT) era has arrived for water infrastructure whether operators requested it or not. The result is a sector digitizing into exposure.
According to Bluefield Research, cybersecurity spending is forecast to reach US$3.1 billion by 2033—about 13% of digital water market spend. Most investment will come from the roughly 400 largest utilities serving over 100,000 people, not the 39,000 small systems (serving fewer than 3,300) that are most exposed. Larger utilities have more capabilities to invest in dedicated safeguards, while smaller systems more often rely on federal guidance and free resources to meet minimum expectations. Federal guidance and volunteer information technology (IT) support are insufficient to realistically defend against highly sophisticated, geopolitical adversaries of the U.S. As a result, digital water can’t deliver needed resilience when most systems remain underprotected.
The Fragmentation Paradox
Bluefield has long advocated for utility consolidation as a pathway to greater operational efficiencies, improved access to capital, expanded technical capacity, and more reliable service. This applies regardless of buyer type, whether municipal, investor-owned, or cooperative. Yet cybersecurity introduces a paradox: this fragmentation, often seen as a barrier to efficiency, is an unintended defensive barrier against cyber threats cascading from one asset to another.
The U.S. election system offers an analogy. Its own complexity and decentralization make it difficult to attack at scale—there’s no central ballot box, no uniform software platform, and no single attack surface to compromise. Water is similarly fragmented—more than 49,000 drinking water utilities and 23,000 wastewater systems create a seemingly natural moat. For adversaries, this diversity can limit the potential for widespread, synchronized disruption.
But fragmentation is not a strategy. The sector cannot rely on structural complexity for protection while simultaneously pursuing the modernization, standardization, and interoperability needed for long-term resilience.
A Global Challenge: Eastern Europe Is on the Front Lines
Poland’s recent experience shows where the global water sector is headed. Polish utilities now face roughly 300 cyber intrusion attempts per day. In 2025 alone, multiple drinking water and wastewater facilities were targeted. The national response has been swift: more than US$1 billion committed to cybersecurity, expansion of regulatory oversight from a few hundred utilities to over 10,000, and the creation of Europe’s first civilian-military cybersecurity operations center. Utilities themselves have launched a national information-sharing network to detect and respond to emerging threats more quickly. This is not a regional outlier. It’s an early signal of what increasingly interconnected water systems should expect.
Every Strategic Decision Now Carries a Cyber Dimension
The water sector sits at an inflection point. Its most urgent need—modernization—meets its greatest vulnerability: an increasingly interconnected digital infrastructure. The question is no longer whether to modernize, but rather how to modernize securely and at scale. The implications touch every dimension of utility strategy:
- Technology adoption: Digitalization itself isn’t risky—digitalization without security foundations is. The return on investment (ROI) calculation for every new technology must now include cybersecurity infrastructure and ongoing monitoring costs.
- Capital allocation: Cybersecurity can no longer be an afterthought in capital planning. Investments in operational technology must be matched with investments in security architecture. This includes asset inventories, network segmentation, endpoint monitoring, patch management systems, and incident response capabilities.
- Vendor management: Each piece of equipment is a potential entry point. Procurement must require security standards, vulnerability management, and clear accountability for updates.
- Operational models: Shared services and regional cooperation may create efficiencies but also new attack surfaces. These models must distribute risk, not concentrate it.
- Workforce strategy: With operational staffing already constrained, the sector now needs cybersecurity competency as well. Regional security operations centers, managed services, and built-in cyber training will be essential.
In the closing section of Sandworm, one detail stuck with me: during emergency simulations in Long Island, New York, a team of electric utility staff found that relying on more traditional analog controls in an emergency isn’t just harder, it’s unfamiliar. Operators in today’s workforce, trained on digital technologies, no longer have the experience to fall back on manual solutions. Furthermore, new hardware and equipment aren’t even designed for manual operation.
As such, we seem to have digitized past the point of easy retreat. Every connected device, delayed patch, and unchanged default password compounds the challenge. The water sector—vendors, utilities, integrators, and operators—must now act in concert, and quickly enough to outpace the looming threats that are not waiting for utilities to catch up.



