- Water utilities now top ransomware attack targets.
- Cyber incidents increased 140% year-over-year.
- Cybersecurity expert recommends proactive defenses.
- Segmented networks and backups essential.
- Regular training critical to preventing attacks.
Tuesday, April 15, 2025 — Cyberattacks against water and wastewater utilities have surged dramatically, placing critical infrastructure at risk. According to cybersecurity expert Frederick Johnson, writing in a guest column for WaterOnline on April 14, utilities are now prime targets for ransomware incidents, experiencing an alarming 140% increase in cyberattacks each year.
Johnson, who leads cybersecurity practices at Stantec and has over 20 years of experience across finance, technology, and government sectors, emphasized that the perception of utilities being low-risk targets is outdated. Historically, water utilities used IT primarily to monitor operations. Johnson explained that disruptions were previously manageable inconveniences rather than critical failures. However, with the increasing adoption of advanced technologies—including artificial intelligence (AI), cloud-based solutions, and wireless tools—the vulnerability of these systems has grown dramatically. As Johnson noted, the modern integration of automation offers efficiency but also “presents opportunities for ransomware attacks by bad actors.”
Cyberattacks on Utilities Escalating.
Johnson highlighted several statistics to underscore the seriousness of the threat:
- Over 62% of utility-related computer systems experienced ransomware attacks, as reported by cybersecurity firm Sophos in the State of Ransomware 2024.
- The financial toll has been immense, with ransomware recovery efforts exceeding $1 billion in 2023 alone, according to VentureBeat.
- Cybersecurity blog Security Intelligence predicts attacks will impact more than 15,000 industrial sites by 2027.
The consequences extend beyond financial losses, Johnson noted, leading to operational disruptions, stressed employees, and damaging publicity.
Three Steps to Strengthening Cybersecurity Defenses.


Despite the bleak outlook, Johnson stated that utilities can significantly bolster their defenses by implementing three essential measures:
Network Segmentation and Isolation.
Johnson recommends separating operational technology (OT) and industrial control systems (ICS) from broader corporate IT networks. He illustrated this approach with an example from the finance sector, where a client effectively deterred hackers using segmented networks and “honeypots”—fake servers designed to confuse attackers.
Secure Backups and Tested Disaster-Recovery Plans.
Frequent, isolated backups combined with robust disaster-recovery plans are vital. Johnson described a scenario involving a client whose critical payment-processing server suffered a ransomware attack. Thanks to nightly backup images and thorough planning, the incident resulted in less than an hour of downtime.
Regular Cybersecurity Training and Incident Response Plans.
According to Johnson, continuous training on recognizing threats such as phishing is essential. He recounted a hospitality client’s simulated phishing test, which revealed significant gaps despite recent training, demonstrating the necessity of ongoing cybersecurity education and clearly documented response plans.
A Call for Immediate Action.
Johnson urged utilities to proactively address cybersecurity vulnerabilities, suggesting organizations begin by conducting tabletop exercises to test readiness. If inadequacies are revealed, he recommends formal cybersecurity assessments by trusted external experts to identify weaknesses and prioritize improvements.
Johnson concluded by emphasizing that water and wastewater cybersecurity protections are now critical components of overall operational safety. “The time to act is now,” he stressed.
Read Frederick Johnson’s full column here.