Russia-Linked Attacks in Europe Expose a Gaping Hole in Water Cybersecurity: What Utilities Must Do Now
You wake up to headlines: a dam valve in Norway opened for hours after intruders fiddled with digital controls; in Poland, a major city narrowly avoids having its water cut off by a cyberattack. No one was hurt. Water kept flowing. But the message couldn’t be clearer: the systems that keep water safe and reliable are now squarely in the crosshairs—and many remain far too easy to poke, prod, and potentially break.
If you run or rely on a water utility—and that’s all of us—this isn’t a distant, niche risk. It’s a kitchen-table issue. Here’s why that matters, what these incidents tell us, and the steps utilities can take right now to harden defenses.
What Happened in Norway and Poland—and Why It’s a Warning
Two incidents reported by European leaders in recent weeks put water cybersecurity back in the spotlight.
- In Norway, saboteurs accessed controls at a dam on Lake Risvatnet in the west and opened a valve, increasing water flow for roughly four hours. Officials said there was no danger to surrounding areas. Norwegian authorities pointed to likely Russian-linked actors. Around the same time, a video on Telegram—typical of a pro-Russian operational technology (OT) collective calling itself the Z-Pentest Alliance—appeared to show intruders fumbling through a human-machine interface (HMI), blasting punk music as they changed set points. It looked unsophisticated, but it was real system access.
- In Poland, the Deputy Prime Minister said a large city’s water could have been cut off due to a cyberattack that was thwarted. Details are thin, and attribution is even thinner. But here’s the key: someone targeted water. And they got close enough to trigger a national briefing.
Attribution in cyberspace is hard, and public statements often lag the facts. But several patterns are familiar:
- Opportunistic actors exploit weak, internet-exposed interfaces.
- “Hacktivist” or criminal groups serve as cutouts for more capable state-backed teams.
- Simple sabotage today can pave the way for larger, coordinated operations tomorrow.
That last point should make every water utility sit up. Small intrusions that appear clumsy can still lead to loss of view, loss of control, and nasty real-world consequences.
Why Water Utilities Are Such Soft Targets
Water and wastewater systems are among the most essential—and least protected—pieces of critical infrastructure. A few reasons why:
- They’re fragmented and underfunded. Thousands of small utilities operate on thin budgets. Cyber talent is scarce.
- OT is different from IT. Legacy programmable logic controllers (PLCs), HMIs, and SCADA systems were built for reliability, not cyber resilience.
- Remote access is everywhere. Integrators, contractors, and staff connect from the field. VPNs get shared. Passwords get reused.
- Internet-exposed HMIs exist. A surprising number of control panels and vendor web servers are reachable from the public internet, sometimes with default credentials.
We’ve seen these weaknesses exploited before. In late 2023, U.S. officials warned that IRGC-affiliated actors compromised a water facility via internet-exposed Unitronics PLCs with default settings and passwords. Read the advisory from the Cybersecurity and Infrastructure Security Agency (CISA) here: IRGC-affiliated Cyber Actors Compromise U.S. Water Facility Using Unitronics PLCs.
Put simply: the attack surface is bigger than most utilities admit, and the barrier to entry for attackers is lower than many think.
From Nuisance to National Crisis: How Attacks Escalate
The Norway dam incident had “amateur hour” fingerprints: cranking a set point to 999% and getting blocked by the system. But don’t let that lull you.
Here’s a realistic progression of risk:
1. Drive-by intrusion: Low-skill actors find an open HMI and click around for clout.
2. Configuration tampering: Attackers alter set points, disable alarms, or change pump schedules.
3. Loss of view: Operators can’t trust their screens. Alarms are muted. Telemetry looks normal, but it’s not.
4. Loss of control: Valves open or close unexpectedly. Dosing pumps misoperate. Backup systems fail to kick in.
5. Coordinated events: Multiple facilities see simultaneous outages—during a heat wave, flood, or public holiday.
Water utilities are resilient. Operators are trained to fail safe. But a modest cyber incident can still cause:
- Service interruptions and boil-water advisories
- Environmental violations and penalties
- Erosion of public trust and reputational harm
- Costly emergency responses and forensic investigations
The leap from “prank” to “public health incident” can be one weak password and one unlucky day apart.
The Reality of OT Security: HMI, PLC, and Remote Access Risks
If you’re new to OT security, here’s a quick primer in plain English:
- HMI (Human-Machine Interface): The screens operators use to monitor and control processes. If someone gets to your HMI, they can often change how the plant runs.
- PLC (Programmable Logic Controller): The rugged computers that actually open valves and spin pumps. Many have web interfaces. Some still ship with default passwords.
- SCADA (Supervisory Control and Data Acquisition): The system that collects data from remote sites and lets operators supervise operations over distance.
- Historian: A database of process data. Essential for operations—and often a bridge between IT and OT.
- Remote access: How vendors and staff connect from the field. Necessary, but risky if unmanaged.
The most common cyber risks in water OT:
- Internet-exposed control interfaces
- Default or weak credentials
- Flat networks with no segmentation
- Single-factor VPNs and shared accounts
- Outdated Windows HMIs without application allowlisting
- Unmonitored vendor access
You don’t need expensive tools to fix the first half of that list. You need discipline, a plan, and a few days of focused work.
The 30-Day Action Plan for Water Utilities
If you run a water or wastewater system, here’s what to do first. These steps are low cost, high impact, and grounded in industry guidance.
1) Remove internet exposure
- Search for your assets using tools like Shodan (or ask a partner to help).
- Shut down public-facing HMIs, PLC web servers, and remote desktop ports.
- If remote access is essential, front it with a VPN, MFA, and strict access lists.
2) Kill default passwords and shared logins
- Change default creds on PLCs, HMIs, routers, and vendor software.
- Disable shared accounts. Give each user a unique ID.
- Turn on MFA anywhere possible—especially VPN, email, and remote support.
3) Lock down vendor and integrator access
- Require vendors to use your access path, not theirs.
- Use a jump host or bastion with session recording. Expire access when jobs end.
- Whitelist vendor IPs and enforce time-bound access windows.
4) Map your crown jewels
- Inventory assets: HMIs, PLCs, SCADA servers, radios, and field devices.
- Document network paths between IT, DMZ, and OT.
- Identify critical processes, fail-safes, and who holds the keys (credentials).
5) Back up what matters
- Back up PLC logic, HMI projects, and SCADA configurations offline.
- Test restore procedures. Label backups clearly.
- Store a copy where a ransomware attack can’t reach it.
6) Turn on the lights (logging and alerting)
- Centralize Windows and firewall logs. Keep them for at least 90 days.
- Set up basic alerts for failed logins, new admin accounts, VPN anomalies.
- Pre-configure who you call if an alert fires after hours.
7) Pre-stage your incident response
- Print a one-page call tree: operators, IT/OT contacts, leadership, regulators.
- Save hotlines for your national CSIRT and sector partners:
  - U.S.: CISA 24/7 Operations
  - UK: NCSC Incident Management
  - EU: Your national CSIRT (via ENISA)
- Decide now when to isolate remote access or switch to manual operations.
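As an added example (not code from the article or from any vendor product), here is the kind of basic alerting step 6 asks for, run over a few constructed log lines: a burst of failed HMI logins followed by a success, a new admin account, and a vendor VPN login outside the allowlist or outside working hours. The host names, IP addresses, thresholds and working hours are assumptions.

```python
"""Basic alerting over constructed auth, account and VPN log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple key=value format; invented, not from any real system.
SAMPLE_LOGS = """\
2024-06-02T02:11:05Z auth host=hmi-01 user=operator result=FAIL src=203.0.113.7
2024-06-02T02:11:09Z auth host=hmi-01 user=operator result=FAIL src=203.0.113.7
2024-06-02T02:11:14Z auth host=hmi-01 user=admin result=FAIL src=203.0.113.7
2024-06-02T02:11:20Z auth host=hmi-01 user=admin result=FAIL src=203.0.113.7
2024-06-02T02:11:31Z auth host=hmi-01 user=admin result=FAIL src=203.0.113.7
2024-06-02T02:12:02Z auth host=hmi-01 user=admin result=OK src=203.0.113.7
2024-06-02T02:13:40Z account host=scada-srv action=add_admin user=svc_tmp by=admin
2024-06-02T03:05:00Z vpn user=vendor1 result=OK src=198.51.100.9
2024-06-03T10:15:00Z vpn user=vendor1 result=OK src=198.51.100.9
2024-06-03T10:20:00Z auth host=hmi-02 user=operator result=OK src=10.20.0.5
"""

# Assumed policy (hypothetical values): each vendor account may only connect from its
# allowlisted IPs during 07:00-17:59 UTC; five failures from one source within ten
# minutes is treated as a brute-force signal.
VENDOR_ALLOWLIST = {"vendor1": {"198.51.100.9"}}
WORK_HOURS = range(7, 18)
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn 'TIMESTAMP kind k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["kind"] = kind
    return rec


def analyze(text=SAMPLE_LOGS):
    """Return a list of (severity, message) alerts for the given log text."""
    alerts = []
    fails = defaultdict(list)  # source IP -> timestamps of recent failed logins
    for line in text.splitlines():
        r = parse_line(line)
        if r["kind"] == "auth" and r["result"] == "FAIL":
            recent = [t for t in fails[r["src"]] if r["ts"] - t <= FAIL_WINDOW] + [r["ts"]]
            fails[r["src"]] = recent
            if len(recent) == FAIL_THRESHOLD:  # fire once, when the threshold is reached
                alerts.append(("high", f"{FAIL_THRESHOLD} failed logins from {r['src']} on {r['host']}"))
        elif r["kind"] == "auth" and len(fails[r["src"]]) >= FAIL_THRESHOLD:
            alerts.append(("critical", f"login succeeded after a failure burst from {r['src']} on {r['host']}"))
        elif r["kind"] == "account" and r["action"] == "add_admin":
            alerts.append(("critical", f"new admin account {r['user']} on {r['host']} created by {r['by']}"))
        elif r["kind"] == "vpn" and r["result"] == "OK":
            if r["src"] not in VENDOR_ALLOWLIST.get(r["user"], set()):
                alerts.append(("high", f"VPN login for {r['user']} from non-allowlisted {r['src']}"))
            if r["ts"].hour not in WORK_HOURS:
                alerts.append(("medium", f"after-hours VPN login for {r['user']} at {r['ts'].isoformat()}"))
    return alerts
```

Running `analyze()` on the sample yields four alerts; the one that matters most, a successful login right after the failure burst, is exactly the 2 a.m. call the plan tells you to pre-arrange.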
For concise, sector-specific guidance, see:
- CISA: Securing the Water and Wastewater Systems Sector
- WaterISAC: 15 Cybersecurity Fundamentals for Water and Wastewater Utilities (PDF)
- EPA: Cybersecurity for the Water Sector
60–180 Days: Build Defenses That Stick
Once you’ve handled the basics, invest in durable controls that survive staff changes and budget cycles.
- Segment your network
- Establish a true OT zone, an IT/OT DMZ, and an IT zone.
- Use firewalls with strict allow rules and logged rule changes.
- Consider a one-way diode for historian/telemetry if feasible.
- Harden HMIs and servers
- Apply security baselines. Enforce least privilege.
- Implement application allowlisting on HMIs.
- Patch with a tested cycle. For legacy systems, use virtual patching at the firewall.
- Modernize remote access
- Move to identity-based access with MFA and short-lived credentials.
- Prefer client-based VPNs or zero-trust access over exposed portals.
- Record vendor sessions for accountability.
- Monitor OT traffic
- Deploy network monitoring for ICS protocols where budget allows.
- Establish baselines for normal PLC/HMI communications.
- Alert on configuration changes and unusual commands.
- Exercise your response
- Run a tabletop drill with operators, IT, leadership, and comms.
- Include a scenario for “loss of view” and “loss of control.”
- Capture lessons learned and update playbooks.
- Align to proven frameworks
- NIST SP 800-82 Rev. 3: Guide to ICS Security
- NIST Cybersecurity Framework 2.0
- ISA/IEC 62443 Industrial Automation and Control Systems Security
- UK NCSC ICS Collection
A bonus tip: document everything. Succession risk is real in small utilities. Make it easy for the next operator to maintain what you’ve built.
Europe’s NIS2 and the U.S. Policy Landscape: What to Expect
Regulators know water is vulnerable. Expect more scrutiny and more help.
- Europe: NIS2 raises the bar
- The NIS2 Directive expands coverage to more “essential entities,” including many water utilities.
- It mandates risk management measures, incident reporting, and executive accountability.
- Member states must transpose NIS2 into national law; enforcement ramps up across 2024–2025.
- Start here: ENISA’s NIS2 resources.
- United States: Strong guidance, evolving requirements
- EPA explored adding cyber controls to sanitary surveys; legal challenges paused that push, but pressure is rising.
- CISA provides free services (scans, assessments, exercises) and sector-specific guidance for water.
- Funding can be braided from state revolving funds and resilience grants.
- Explore: CISA Cyber Hygiene Services and EPA Water Risk Assessment.
Bottom line: compliance can’t be your only goal. But aligning with NIS2, NIST CSF, and sector guidance will make you both more compliant and more secure.
Governance, People, and Partners: The Non-Technical Levers
Technology alone won’t save you. Here’s how to build staying power.
- Name a single accountable owner
- Even if cyber is “everyone’s job,” one leader must own the plan and report progress to the board or city council.
- Establish a risk committee
- Include operations, IT, legal, communications, and finance.
- Meet quarterly. Track incidents, patch status, and exercises.
- Train operators and field staff
- Teach them to spot phishing, suspicious remote sessions, and abnormal equipment behavior.
- Run short, practical drills. Reward reporting.
- Vet your vendors
- Require secure development and support practices in contracts.
- Demand named accounts, MFA, and logs for remote work.
- Ask for SBOMs where software is involved and patch plans for vulnerabilities.
- Join your community
- Participate in your ISAC. For water, that’s WaterISAC.
- Share indicators with peers. Learn from near misses.
- Track threat reports from groups like Dragos.
Small utilities: if you can’t hire a full-time CISO, designate a “cyber lead” on staff and give them time and authority. Pair them with a trusted consultant or a regional partner utility.
Funding Cybersecurity When Budgets Are Tight
You have more options than you think.
- Tap public programs and grants
- U.S. utilities: explore the Drinking Water and Clean Water State Revolving Funds, which may support cyber-related resilience projects. Work with your state’s primacy agency and the EPA (overview).
- EU utilities: look for national NIS2 implementation funds or resilience programs; your national CSIRT or regulator can advise.
- Use free or low-cost services
- CISA’s scanning, phishing assessments, and vulnerability management are free to U.S. public utilities (details).
- Many vendors offer discounted or community editions for small utilities.
- Collaborate regionally
- Share a virtual CISO across neighboring utilities.
- Pool procurement for monitoring tools or tabletop exercises.
- Swap incident response retainer hours with your city or county IT.
Invest first in controls that reduce the chance of a bad day: internet exposure removal, MFA, vendor access governance, and backups. Then build toward segmentation and monitoring.
What City Leaders and Boards Should Ask This Quarter
If you oversee a water system, ask these questions now:
1) Do we have any control interfaces reachable from the internet?
2) Is MFA enabled for all remote access, email, and admin accounts?
3) When did we last change default passwords on PLCs and HMIs?
4) Can we run the plant safely if we lose our SCADA screens for a day?
5) Do we have offline backups of PLC logic and HMI projects, and have we tested restores?
6) How do vendors connect, and who approves and monitors access?
7) What is our plan to detect and respond to an intrusion at 2 a.m. on a Sunday?
8) When was our last tabletop exercise, and who participated?
9) Which standard do we follow (NIST 800-82, ISA/IEC 62443), and where are we against it?
10) Who owns cyber risk, and what do they need that they don’t have today?
These questions are simple. The answers reveal your true readiness.
Communicating During a Cyber Incident Without Losing Trust
Fear spreads fast when water is at stake. Plan your communications before trouble hits.
- Be prompt and factual
- Acknowledge the incident. Say what you know, what you don’t, and what you’re doing next.
- Share concrete steps customers should take—especially if water quality is impacted.
- Coordinate with officials
- Align with public health, emergency management, and law enforcement.
- Use their channels to reach more people quickly.
- Keep operators in the loop
- Your best spokespeople may be the ones running the plant. Train them for media and community questions.
- Update regularly
- Even “no update” updates reduce speculation and panic.
Good communication won’t fix a breach. But it will protect public confidence—the currency you need to manage through a crisis.
Why Russia-Linked Probing Is Different This Time
Russia has long used cyber operations as part of a broader playbook—probing, testing, and normalizing interference. In Ukraine, Russian groups have demonstrated sophisticated OT impacts on the electric grid. While water systems haven’t seen widescale physical disruption, the ingredients exist: exposed interfaces, uneven defenses, and geopolitical incentives.
What’s changed now:
- Probing is more public. Groups post videos and “proof” on social channels to sow fear and amplify impact.
- Tooling is more available. Open-source recon and ICS protocol tools lower the bar.
- The regulatory clock is ticking. NIS2 in Europe and rising attention in the U.S. mean leaders will be held to account.
Treat the Norway and Poland events as early-warning indicators. It’s cheaper and easier to fix your exposure now than during a national panic later.
FAQs: Water Cybersecurity, Answered
Q: Are water treatment plants really vulnerable to cyberattacks?
A: Yes. Many plants run legacy control systems designed before modern cyber threats. Common issues include internet-exposed HMIs, default passwords on PLCs, and remote access without MFA. The good news: basic hygiene dramatically lowers risk. Start with CISA’s sector guidance and WaterISAC’s fundamentals.
Q: What’s the difference between an HMI and a PLC?
A: An HMI is the operator screen; a PLC is the rugged device that controls equipment. If an attacker changes values on the HMI, they may be able to push those changes to the PLC and affect the physical process.
Q: Should any water system controls be accessible from the public internet?
A: No. Direct internet access to HMIs or PLC web servers is a top risk. Use a VPN with MFA and strict access control. Turn off vendor web servers on PLCs unless there’s a compelling reason and compensating controls.
Q: We’re a small utility. What can we do on a tight budget?
A: Prioritize these: remove internet exposure, enable MFA, change default passwords, control vendor access, and back up configurations offline. Leverage free services like CISA’s cyber hygiene. Align with NIST 800-82.
Q: What is NIS2 and does it apply to water utilities?
A: NIS2 is the EU’s updated cybersecurity directive for critical and important entities, including many water providers. It mandates risk management, incident reporting, and governance measures. See ENISA’s NIS2 overview.
Q: How do ransomware attacks differ from OT sabotage?
A: Ransomware targets data and IT systems, often causing billing or email outages. OT sabotage aims to affect physical processes—like chemical dosing or valve operations. Both can disrupt service. Bad actors may use IT compromise to pivot into OT networks.
Q: How can we detect malicious changes in our control environment?
A: Start with centralized logging for Windows servers, firewalls, and VPNs. Add OT network monitoring to watch PLC/HMI traffic and alert on configuration changes. Establish a baseline of “normal” communications so deviations stand out. Consider resources from UK NCSC’s ICS guidance.
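As an added example (not the article’s code, nor any monitoring product’s), this Python script does what the “Monitor OT traffic” steps earlier and the answer above describe: it learns which hosts talk to a PLC, and what values they write, during a quiet baseline window, then flags unknown talkers, read-only hosts that start writing, and set point writes outside the learned range or the engineering limits, the 999% style write included. Host names, tag names, limits and traffic records are all constructed.

```python
"""Baseline-then-alert over constructed PLC/HMI traffic records (added example)."""

# Constructed learning-window records as (src, dst, op, tag, value); values are in
# engineering units such as percent open. Invented for this example, not captured traffic.
BASELINE_TRAFFIC = [
    ("hmi-01", "plc-dam-1", "read", "valve_pct", 40.0),
    ("hmi-01", "plc-dam-1", "write", "valve_pct", 45.0),
    ("hmi-01", "plc-dam-1", "write", "valve_pct", 38.0),
    ("historian", "plc-dam-1", "read", "valve_pct", 38.0),
    ("historian", "plc-dam-1", "read", "flow_m3s", 12.4),
]

# Constructed records to check against the baseline.
SUSPECT_TRAFFIC = [
    ("hmi-01", "plc-dam-1", "write", "valve_pct", 42.0),     # normal write
    ("laptop-x", "plc-dam-1", "write", "valve_pct", 60.0),   # host never seen talking to the PLC
    ("historian", "plc-dam-1", "write", "valve_pct", 50.0),  # read-only host now writing
    ("hmi-01", "plc-dam-1", "write", "valve_pct", 999.0),    # set point far beyond 100%
    ("hmi-01", "plc-dam-1", "write", "valve_pct", 90.0),     # legal, but outside learned range
]

# Assumed engineering limits per tag (hypothetical): a write outside these is never legitimate.
ENGINEERING_LIMITS = {"valve_pct": (0.0, 100.0)}


class OtBaseline:
    def __init__(self, limits):
        self.limits = limits
        self.allowed = set()   # (src, dst, op) triples observed during learning
        self.ranges = {}       # tag -> [min, max] of values written during learning

    def learn(self, records):
        for src, dst, op, tag, value in records:
            self.allowed.add((src, dst, op))
            if op == "write":
                lo, hi = self.ranges.get(tag, (value, value))
                self.ranges[tag] = [min(lo, value), max(hi, value)]

    def check(self, records):
        """Return (severity, message) alerts; severity reflects how far outside normal a record is."""
        alerts = []
        for src, dst, op, tag, value in records:
            if (src, dst, op) not in self.allowed:
                who = "previously read-only host" if (src, dst, "read") in self.allowed else "unknown talker"
                alerts.append(("high", f"{who} {src} -> {dst}: {op} {tag}"))
            if op != "write":
                continue
            lo, hi = self.limits.get(tag, (float("-inf"), float("inf")))
            if not lo <= value <= hi:
                alerts.append(("critical", f"{tag} write {value} from {src} outside engineering limits {lo}-{hi}"))
            elif tag in self.ranges and not self.ranges[tag][0] <= value <= self.ranges[tag][1]:
                alerts.append(("medium", f"{tag} write {value} from {src} outside learned range {self.ranges[tag]}"))
        return alerts


def run_demo():
    baseline = OtBaseline(ENGINEERING_LIMITS)
    baseline.learn(BASELINE_TRAFFIC)
    return baseline.check(SUSPECT_TRAFFIC)
```

The engineering-limit check is the one that does not depend on a clean baseline, which is why the 999% write is rated critical even though the HMI that sent it is a known talker.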
Q: What should residents do if their utility is attacked?
A: Follow official guidance. If there’s a boil-water advisory, take it seriously. Don’t panic-buy. Monitor updates from your utility, public health, and emergency management. Most utilities design systems to fail safe and practice incident response regularly.
The Takeaway
The Norway dam incident and the foiled attack in Poland are not isolated stunts. They’re flare warnings. Water systems—especially smaller, underfunded ones—face a rising tide of probing from Russia-aligned and other threat actors. You don’t need to outspend adversaries to make a meaningful difference. Remove internet exposure. Enforce MFA. Control vendor access. Back up configs. Segment networks. Exercise your plan. Then iterate.
If you’re a utility leader, set a 90-day objective right now: reduce your biggest exposures and prove it with metrics. If you’re a policymaker, pair requirements with funding and shared services. And if you’re a resident, ask your utility the ten questions above—you deserve clear answers.
