Why Europe must finally secure its water sectors from cyber threats


More than thirty publicly documented cyberattacks have hit drinking- and wastewater utilities since 2020, and the tempo is accelerating. Meanwhile, water utilities’ operational ecosystems are uniquely fragile – thousands of small municipal plants are connected to a few regional giants through ageing industrial-control systems riddled with undocumented remote links. 

These utilities embody a familiar cybersecurity problem: they are target rich but resource poor. In the European Union Agency for Cybersecurity’s (ENISA) NIS Investments 2024 survey, both water sectors sit in the bottom maturity band, shoulder-to-shoulder with space services and financial-market infrastructure. They score significantly lower on risk management and network security than, for example, banking and energy. Median staffing tells the same story: most utilities fund no more than two full-time security specialists, yet the pumps, valves, and chlorine sensors they operate remain attractive to ransomware groups and state-backed hackers. Despite that exposure, cybersecurity discussions in Europe still focus on electricity grids, healthcare, semiconductors, and AI safety. The networks that keep the taps running rarely make the agenda.

That neglect is risky. ‘Under Pressure: Securing Europe’s Resource-Constrained Critical Infrastructure’ – a study we released this month – aims to change it. Policy action is urgently needed to create a layered pathway to resilience.

One label, two sectors, shared weaknesses

We often fold drinking water and wastewater into a single ‘water sector’, but the two sub-sectors live different technical and institutional lives. Drinking-water services are typically small and decentralised, judged above all on purity and steady pressure at the tap. Wastewater systems sprawl across wide catchments, depend on energy-hungry lift stations, and answer to stringent environmental-discharge rules.

But both face the same basic cybersecurity shortfalls. Poor cyber hygiene, thin staffing, ageing infrastructure, and scant threat-intelligence sharing leave them highly exposed. Remote-access log-ins protected by factory passwords, legacy controllers designed without hostile networks in mind, and a near-absence of 24/7 monitoring give attackers ample room to manoeuvre.

Dragos Inc, an industrial cybersecurity firm, reported that in 2021-2022, 83% of water and wastewater organisations they assessed had undocumented or uncontrolled external connections (from corporate networks or even direct internet linked to equipment) into operational environments. In many cases, these connections exist for legitimate reasons – such as remote support by vendors or inter-site connectivity – but are not properly secured or monitored. The Dragos analysis furthermore noted that no assessed water utilities had operational technology network monitoring in place up through 2022.

The attacks we can count

Ransomware currently dominates the threat landscape for the water sector. Sometimes, the sector is an accidental victim. For example, in April 2022, LockBit ransomware struck German IT service provider Reitzner AG, subsequently disrupting electricity, water, and sewage services in multiple municipalities that depended on its systems. In other cases, the targeting is more direct. In early 2024, the United Kingdom’s Southern Water disclosed that Black Basta ransomware had breached its networks and leaked important data, including IDs and personal details. Water services were not impacted, but digital systems were compromised, leading to major response efforts.

Hacktivists compound the danger. In April 2020, an operation that Israeli and US intelligence linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) attempted to boost chlorine levels at several Israeli pumping stations – an act that, had operators not caught it in time, could have rendered the water undrinkable. Three years later, in November 2023, CyberAv3ngers – also widely considered an arm of the IRGC – scanned the internet for Israeli-made Unitronics controllers still protected by factory passwords and logged into multiple US water-utility programmable logic controllers (PLCs), the devices used to control machines and processes. They briefly disabled a pressure pump and defaced control screens with ‘Down with Israel’ slogans before posting the screenshots online. A US government advisory warned that hundreds of similar devices remain exposed worldwide.

From diagnosis to policy action

We propose a stepwise model – basic hygiene first, then asset visibility, sector-specific safeguards, and, finally, crisis-response planning. Building on that ladder, four headline measures can close the gap before the next ransom note arrives.

First, launch an EU Water-Cyber Hygiene Accelerator. The European Commission should create a grant-based programme – modelled on the US State and Local Cybersecurity Grant Program but tailored to Europe – to finance the bare essentials of operational-technology security: multi-factor authentication of every remote log-in, strict segmentation between information- and operational-technology networks, up-to-date asset inventories, and routine patch-management cycles. Grants must reach the smallest drinking- and wastewater operators first, as ENISA’s data show they possess the fewest resources yet face the same threat landscape as their larger peers. Technical guidance and a cadre of ‘water-cyber coaches’ trained and coordinated by ENISA should accompany the funding to ensure that baseline controls are implemented and verified before final disbursement.

Second, the European Commission should create a European Water-Sector Information-Sharing and Analysis Centre (ISAC). Other highly critical sectors such as health, energy, and railways already benefit from dedicated ISACs that distribute threat intelligence in real time. Water utilities lack such a forum. A pan-European Water-ISAC, overseen by ENISA in cooperation with DG HOME and national regulators, would connect existing national ISACs, individual utilities, research institutes, and member-state computer security incident response teams (CSIRTs).

Third, mainstream cyber risk into environmental and public-health governance. Drinking-water and wastewater operators already produce water-safety and discharge plans that model chemical contamination, drought, and flood scenarios; few include digital threats. The Commission should issue guidance under Articles 8 and 9 of the Drinking Water Directive requiring that every plan incorporate a cyber-triggered disruption scenario. In parallel, ENISA and the European Environment Agency should undertake a joint review of cyber incidents with ecological or health implications, feeding the results into river-basin management plans and national emergency-preparedness strategies. Pilot projects funded under Horizon Europe should develop and test joint cyber-environment response protocols so that digital risk is treated as an integral part of the statutory duty of care.

Fourth, employ the EU’s diplomatic toolkit to deter malicious activity. The Cyber Diplomacy Toolbox has yet to be used in response to attacks on water infrastructure. Coordinated sanctions, timely public attribution, and persistent diplomatic pressure would demonstrate that disrupting Europe’s water sector carries real consequences, whether the perpetrators are criminal ransomware groups or state proxies. Repeated targeting of essential services by actors operating from known safe havens should trigger a graduated EU response: collective attribution where feasible, followed by proportionate restrictive measures. Treating pre-positioning in water networks as an unlawful threat of force under the UN Charter would reinforce the message that civilian water systems are off-limits for espionage or coercion.

For water utilities already showing serious cyber gaps, the necessary path forward is focused EU assistance coupled with concrete, verifiable safeguards.